Flow Analytics
This section shows you how to interact with Unified Assurance Flow Analytics. This is recommended for use by trained Unified Assurance administrators and consultants to plan, execute, and support a Flow Analytics deployment.
Introduction
Unified Assurance Flow Analytics is a complete solution to collect, analyze, and provide real-time visibility into who and what is consuming network bandwidth.
Key features include:
- See which users, devices and/or applications are using the most bandwidth
- Discover traffic patterns & device performance
- Prioritize business-critical applications
- Validate effectiveness of CBQoS policies
Architecture
As with all Unified Assurance solutions, the components are broken down into three layers: collection, database, and presentation. The majority of the solution resides in the collection layer on a dedicated server. If multiple data centers or multiple managed customers will be exporting flows, it is recommended to install separate collection servers in each data center to get as close to the exporting devices as possible. Raw flow data should not have to consume bandwidth traversing WAN links if this can be avoided.
The architecture of the product includes the following key functions to provide its end-to-end functionality:
- Devices send flow data into the collection servers where they are processed. See the Flow Collector documentation for additional information.
- Flows are stored in the ElasticSearch Database.
- Users interact with the Flow diagrams in the Kibana UI inside the Unified Assurance UI. The default dashboards are available through the Analytics -> Flow -> Dashboard option in the navigation bar. The overview dashboard has several tabs allowing you to drill into different visualizations of flow data.
Figure: Flow Analytics architecture diagram (flow-analytics-architecture-diagram.png)
Enriching Flow Data
Flow records can be enriched with additional data not sent from the devices exporting flows. By default, enrichment will not be enabled unless the following files are added to the cluster node running the flow-collector.
DNS Resolution
Enable DNS resolution by adding the following value to the flow-collector's helm chart configData:
FLOW_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE: "true"
Manual Name Resolution
File: $A1BASEDIR/etc/flow/hostname/user_defined.yml
Example:
'192.0.2.1': 'host1'
'192.0.2.2': 'host2'
GeoIP Autonomous Systems
File: $A1BASEDIR/etc/flow/maxmind/GeoLite2-ASN.mmdb
GeoIP Locations
File: $A1BASEDIR/etc/flow/maxmind/GeoLite2-City.mmdb
Device and Network Interfaces
File: $A1BASEDIR/etc/flow/metadata/netifs.yml
Example:
10.0.0.1:
  1:
    ifName: lo
    ifDescr: lo
    ifAlias: lo
    ifType: 24
    ifSpeed: 10000000
    tags:
      - router_mgmt
    metadata:
      sec.zone.name: network
  3:
    internal: false
    ifName: eth0
    ifDescr: eth0
    ifAlias: internet
    ifType: 6
    ifSpeed: 1000000000
    cirIn: 200000000
    cirOut: 12000000
    tags:
      - verizon
    metadata:
      sec.zone.name: internet
10.0.0.2:
  501:
    ifName: vlan
    ifDescr: vlan
    ifSpeed: 1000000000
  502:
    ifName: ge-0/0/0
    ifDescr: ge-0/0/0
    ifSpeed: 1000000000
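The following is an added example, not Oracle Unified Assurance code, showing two things a practitioner would want before relying on these enrichment files: a sanity check of the parsed netifs.yml contents (integer ifIndex keys, a required ifName, CIR values that do not exceed ifSpeed) and the join a flow record undergoes when it is enriched with interface, zone and hostname data. The dicts are the parsed form of the sample files above; the raw flow record layout (exporter, input_snmp, output_snmp, src_addr, dst_addr) and the enriched field names are assumptions for illustration.

```python
# Added example (not product code): validation and enrichment join for the
# netifs.yml and user_defined.yml files. Parsed YAML is represented as dicts.

# Parsed form of $A1BASEDIR/etc/flow/metadata/netifs.yml (sample from above)
NETIFS = {
    "10.0.0.1": {
        1: {"ifName": "lo", "ifDescr": "lo", "ifAlias": "lo", "ifType": 24,
            "ifSpeed": 10000000, "tags": ["router_mgmt"],
            "metadata": {"sec.zone.name": "network"}},
        3: {"internal": False, "ifName": "eth0", "ifDescr": "eth0",
            "ifAlias": "internet", "ifType": 6, "ifSpeed": 1000000000,
            "cirIn": 200000000, "cirOut": 12000000, "tags": ["verizon"],
            "metadata": {"sec.zone.name": "internet"}},
    },
    "10.0.0.2": {
        501: {"ifName": "vlan", "ifDescr": "vlan", "ifSpeed": 1000000000},
        502: {"ifName": "ge-0/0/0", "ifDescr": "ge-0/0/0", "ifSpeed": 1000000000},
    },
}
# Parsed form of $A1BASEDIR/etc/flow/hostname/user_defined.yml
HOSTNAMES = {"192.0.2.1": "host1", "192.0.2.2": "host2"}

def validate_netifs(netifs):
    """Return a list of problems: non-integer ifIndex, missing ifName, CIR > ifSpeed."""
    problems = []
    for exporter, ifaces in netifs.items():
        for ifindex, attrs in ifaces.items():
            where = f"{exporter}/{ifindex}"
            if not isinstance(ifindex, int):
                problems.append(f"{where}: ifIndex must be an integer")
            if "ifName" not in attrs:
                problems.append(f"{where}: ifName is required")
            speed = attrs.get("ifSpeed")
            for key in ("cirIn", "cirOut"):
                if key in attrs and speed is not None and attrs[key] > speed:
                    problems.append(f"{where}: {key} exceeds ifSpeed")
    return problems

def enrich_flow(flow, netifs=NETIFS, hostnames=HOSTNAMES):
    """Join a raw flow on (exporter, ifIndex) and resolve addresses to names.
    Field names in the flow record are assumed for this example."""
    out = dict(flow)
    for side, key in (("in", "input_snmp"), ("out", "output_snmp")):
        iface = netifs.get(flow["exporter"], {}).get(flow.get(key))
        if iface:  # unknown exporter/interface: leave the flow unenriched
            out[f"{side}_ifName"] = iface["ifName"]
            out[f"{side}_zone"] = iface.get("metadata", {}).get("sec.zone.name")
            out[f"{side}_tags"] = list(iface.get("tags", []))
    for side in ("src", "dst"):
        out[f"{side}_host"] = hostnames.get(flow[f"{side}_addr"], flow[f"{side}_addr"])
    return out
```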
Machine Learning Overview
Flow Analytics Machine Learning provides Anomaly Detections to automatically identify a variety of performance, availability and security conditions.
Machine Learning Policies must train a model on your current datafeed. The recommended training window is between 2 weeks and 2 months of data to provide the best detection accuracy.
Once a model is trained and set to continuously run, identified anomalies will be caught by an Elasticsearch Watcher Policy and sent to a Unified Assurance Webhook Aggregator to generate events. Multiple anomalies will be sent in batches at the same time and separated into unique events in the aggregator rules.
Note:
Make sure you have the latest copy of the webhook include rules for elasticsearch copied from the RO_LOCKED branch to your default branch. (e.g. Core Rules (core) > Default read-only branch (RO_LOCKED) > collection > event > webhook > vendor > elastic.include.rules to the same path in Core Rules (core) > Default read-write branch (default))
Machine Learning Policies
Network Availability
Failed TCP Sessions (private)
Failed TCP Sessions (public)
Network Performance
Unusual Destination ASN Traffic Volume
Unusual Source ASN Traffic Volume
Unusual Network Interface Egress Traffic Volume
Unusual Network Interface Ingress Traffic Volume
Network Security Access
Brute Force Access Attempt (CLI)
An anomalously high number of failed connection attempts were observed to common remote CLI ports (SSH, telnet, etc.). This can indicate a brute force login attack.
Network Security Activity
Rare Client-Side Autonomous System
This anomaly detector identifies client-side traffic to/from a rare autonomous system. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Rare Server-Side Autonomous System
This anomaly detector identifies server-side traffic to/from a rare autonomous system. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Rare Conversation (inbound)
This anomaly detector identifies rare inbound (public to private) conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Rare Conversation (outbound)
This anomaly detector identifies rare outbound (private to public) conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Rare Conversation (private)
This anomaly detector identifies rare private conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Network Security Amplification Attacks
Generic DDoS Attack (UDP Amplification)
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open UDP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
CHARGEN Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Character Generator Protocol (CHARGEN) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
DNS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Kad Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Kademlia DHT peers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
LDAP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open LDAP servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
mDNS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open mDNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Memcached Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Memcached servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
MSSQL Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open MSSQL servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
NETBIOS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open NETBIOS services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
NTP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open NTP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
QOTD Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Quote of the Day (QOTD) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Quake Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Quake services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
RADIUS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open RADIUS services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
RIP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Routing Information Protocol (RIP) enabled routers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
RPC Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Remote Procedure Call (RPC) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Sentinel SPSS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SPSS (Sentinel RMS) License Manager services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
SNMP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SNMP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
SSDP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SSDP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Steam Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Steam services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
TFTP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Trivial File Transfer Protocol (TFTP) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
WSD Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Web Services for Devices (WSD) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Network Security Flood Attacks
Generic DDoS Attack (TCP)
A Distributed Denial of Service (DDoS) attack attempts to make a service unavailable by directly sending a high volume of TCP traffic from multiple sources to the targeted TCP listener.
ICMP Flood DDoS Attack
An ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. When the attack traffic comes from multiple devices, the attack becomes a DDoS or distributed denial-of-service attack.
ICMP Flood Direct Attack
An ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic.
SYN Flood DDoS Attack
A SYN flood (half-open attack) DDoS attack is a type of distributed denial-of-service (DDoS) attack in which multiple sources are used with the aim of making a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.
SYN Flood Direct Attack
A SYN flood (half-open attack) direct attack is a type of denial-of-service (DDoS) attack in which a single source aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.
Network Security Reconnaissance
Port Scan (fast)
A client accessed an anomalously high number of server ports over a short period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.
Port Scan (slow)
A client accessed an anomalously high number of server ports over a long period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.
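The following is an added example, not Oracle Unified Assurance code, that illustrates the idea behind the Port Scan (fast) and Port Scan (slow) policies in plain Python: count the distinct server ports each client touched inside a time window, then flag clients whose count sits far above the rest of the client population. The flow records are constructed, and the median/MAD threshold is an assumption standing in for the product's machine learning model, which compares clients in the same spirit but is not this code.

```python
# Added example (not product code): a population-relative "distinct ports per
# client" detector, the simplified idea behind the Port Scan policies above.
from collections import defaultdict
from statistics import median

# Constructed sample flows: (epoch seconds, client ip, server ip, server port)
FLOWS = [(t, "10.1.0.5", "10.2.0.9", 443) for t in range(0, 60, 10)]
FLOWS += [(t, "10.1.0.6", "10.2.0.9", p)
          for t, p in zip(range(0, 60, 10), (80, 443, 8080, 22, 443, 80))]
# one client touching a new port every second for a minute
FLOWS += [(t, "10.1.0.7", "10.2.0.9", 1000 + t) for t in range(0, 60)]

def distinct_ports_per_client(flows, window_start, window_len):
    """Count distinct (server, port) pairs each client touched in the window.
    A short window_len gives the 'fast' variant, a long one the 'slow' variant."""
    seen = defaultdict(set)
    for ts, client, server, port in flows:
        if window_start <= ts < window_start + window_len:
            seen[client].add((server, port))
    return {client: len(pairs) for client, pairs in seen.items()}

def flag_outliers(counts, k=5.0):
    """Flag clients whose count exceeds median + k * MAD of all clients.
    Median and MAD are used so a single scanner cannot drag the baseline up."""
    values = sorted(counts.values())
    if len(values) < 3:  # too few clients to define "compared to other clients"
        return []
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero spread
    return sorted(client for client, v in counts.items() if v > med + k * mad)

if __name__ == "__main__":
    counts = distinct_ports_per_client(FLOWS, 0, 60)
    print(counts, flag_outliers(counts))
```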