Is There a Zombie On Your Network?

When some people hear about DDoS attacks and botnets containing thousands of zombie hosts, they think it could never happen on their network. While it is true that most of the recent attacks on websites were directed at high profile names, other networks can host the systems responsible for the attacks. In other cases your neighbors could gain access to your network via wireless connections and use it for sending email. My recommendations in this article revolve around monitoring your network, but you should also look at methods for defending a Wi-Fi network.

I recently worked on two issues where zombie hosts were causing major problems for the people responsible for managing the networks.

In the first case a network manager received a letter from his ISP requesting that his company cease from sending spam email. Included with the notice was the date and time of the spam email together with an IP address of the source. Unfortunately, the IP address was of the external interface of his firewall which was useless for tracing the source of the spam on his network. He was left with the prospect of reinstalling all PC’s on his network or locating the source of the problem another way.

The problem was eventually detected by monitoring the switch port connecting the firewall to the local network. This gave him access to the traffic going to and from the Internet. By focusing on all traffic associated with TCP port 25 he found the source to be a single PC. Traffic on TCP port 25 is normally associated with SMTP email. He confirmed this by decoding the traffic with SMTP analysis tools. He found that all the email was spam being sent to random email addresses. If you suspect there is spam originating from your network, follow these steps to locate the source.

  • Port-mirror the internal interface of your firewall.
  • Use a traffic analysis tool to filter on any systems sending traffic on TCP port 25
  • Have a look at the packet content of this traffic for email addresses. SMTP traffic analysis tools are also available for this purpose.

In the next example, I worked with another network manager who just received a large bill from her ISP. She had an Internet connectivity package from her ISP which was billed monthly and included a data allowance. If this data allowance was exceeded, extra costs were incurred. This arrangement was working well for a number of months until the costs suddenly soared. When queried, the ISP could not provide any detailed information, only the total volume of traffic for the bill reporting period.

I suggested that she monitor the traffic going to and from the Internet. When we started looking at the traffic we found a server sending huge amounts of UDP traffic to external systems located in different countries. This behavior is very typical of a system that is part of a botnet. It will have received commands from an external source to send large amounts of traffic to specific websites. These websites can then go offline as they cannot cope with the huge volume of traffic.

The server in question was checked for viruses but nothing was found. She took the server off the network and luckily it was not a big job to get it reinstalled and databases restored. Traffic rates on her Internet connection immediately dropped and the next bill from the ISP was back at normal levels. If you notice a change in traffic volumes on your Internet connection of if you suddenly incur extra data charges from your ISP, follow these steps to locate the source of the traffic.

  • Port-mirror the internal interface of your firewall
  • Use a traffic analysis tool to look at the top clients based on traffic totals.
  • Normally, traffic on TCP port 80 or 443 would account for most activity on an Internet connection. Look for anomalies like excessive UDP traffic or traffic on random port numbers.

Our headlines are sometimes dominated with stories about networks and websites being attacked. We all need to be aware of this, but we also need to be aware that source of these attacks could be located on networks that we manage. My advice is to look at the traffic going to and from the internal interface of your firewall. This is the point on your network where you can see the actual source of potential problems on your network.

Comments are closed.


SetPageWidth