It's in the mail: When a PC is sending unsolicited e-mail, NetFlow analysis can identify the compromised machine. The daily routine of SMTP analysis leads to scheduled reports, removing the manual work. The net result is a significant reduction of spam being generated, which will help to keep the organization off e-mail blacklists.

It's easy to identify problems by selecting SMTP traffic and sorting it by the number of flows. For example, an unregistered server causing thousands of e-mail flows in a relatively short time interval has a compromised system and will be contacted. Failure to fix problems results in subsequent notifications and could lead to account suspension.

Even registered mail servers with excessive flows can be worth further investigation. For example, thousands of e-mail flows out of a small business or a school in the middle of the night raises a red flag, and checking IPs against Internet registries often turns up large numbers of suspicious foreign destinations. Detailed flow analysis of a specific machine generating spam usually shows activity on ports indicating a specific mail Trojan.

On the trail of malware: When a new virus or worm hits, NetFlow analysis can reveal its characteristics, the extent to which it has infected networks and how it's spreading. For example, Sasser and Sober are fairly easy to profile from the ports they use and the number of flows generated. Thousands of flows on port 445 over a 20-minute interval just isn't normal activity--it's Sasser.

Symantec, McAfee, the Internet Storm Center and others are ready sources of information on the activity patterns of viruses, worms and spyware.

< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >