Thursday, January 22, 2009

Analyzing Telnet

Telnet offers bi-directional, byte-oriented communication. Originally designed to provide a
communications method for remote terminal access, telnet uses port 23 on the server side and
a dynamic port number on the client side. Telnet is documented in RFCs 854 (Telnet)
and 855 (Telnet Options).
The Telnet Elements
Telnet hosts exchange information about options that they support as they establish a
connection with another host. This remote host is referred to as a Network Virtual
Terminal (NVT), or a virtual, generic host. These options use the DO, DON’T, WILL and
WON’T structure to define what features they support. All telnet communications use the
server port number 23 to exchange the option information and telnet data, as shown in
Figure 1.

NVT
Each side of a telnet communication is referred to as an NVT – the client NVT typically
initiates the telnet connection, while the server NVT offers some services to the client. In
the traditional sense, the NVT was considered a printer-keyboard device that receives
bytes from the other host and prints the information. It sends data entered on the
keyboard to the other host.

WILL – WON’T – DO – DON’T Structures
During the initial telnet connection establishment process, the hosts propose and accept
or deny the use of specific parameters to use in the communications.
The following structures are used for this negotiation process:
· 251 (0xFB) WILL
· 252 (0xFC) WON’T
· 253 (0xFD) DO
· 254 (0xFE) DON’T
Although these operators are not the only ones available, they are the most widely used
structures. A host sends one of these operators, such as DO or WILL, and follows it with
an option code. The option is accepted when the other host responds with a DO or
WILL. Returning a DON’T or WON’T indicates that a host does not accept an option.
Options
Options are parameters or conventions used for the telnet connection. For example, one
option, echo, is used to define whether a telnet host echoes back data characters it
receives over the telnet connection. The telnet echo option is covered in detail in RFC
857.
Table 1 shows a partial list of the options registered for telnet. Refer to www.iana.org for
a complete list of telnet options.
Table 1: Telnet Options List
Option  Name  References
0 Binary Transmission [RFC856]
1 Echo [RFC857]
2 Reconnection [NIC50005]
3 Suppress Go Ahead [RFC858]
4 Approx Message Size Negotiation [ETHERNET]
5 Status [RFC859]
6 Timing Mark [RFC860]
7 Remote Controlled Trans and Echo [RFC726]
8 Output Line Width [NIC50005]
9 Output Page Size [NIC50005]
10 Output Carriage-Return Disposition [RFC652]
11 Output Horizontal Tab Stops [RFC653]
12 Output Horizontal Tab Disposition [RFC654]
13 Output Formfeed Disposition [RFC655]
14 Output Vertical Tabstops [RFC656]
15 Output Vertical Tab Disposition [RFC657]
16 Output Linefeed Disposition [RFC658]
17 Extended ASCII [RFC698]
18 Logout [RFC727]
19 Byte Macro [RFC735]
20 Data Entry Terminal [RFC1043, RFC732]
21 SUPDUP [RFC736, RFC734]
22 SUPDUP Output [RFC749]
23 Send Location [RFC779]
24 Terminal Type [RFC1091]
25 End of Record [RFC885]
26 TACACS User Identification [RFC927]
27 Output Marking [RFC933]
28 Terminal Location Number [RFC946]
29 Telnet 3270 Regime [RFC1041]
30 X.3 PAD [RFC1053]
31 Negotiate About Window Size [RFC1073]
32 Terminal Speed [RFC1079]
33 Remote Flow Control [RFC1372]
34 Linemode [RFC1184]
35 X Display Location [RFC1096]
36 Environment Option [RFC1408]
37 Authentication Option [RFC2941]
38 Encryption Option [RFC2946]
Some options require that additional information is exchanged between hosts. For
example, when an option requires a parameter, the simple DO, DON’T, WILL, and
WON’T functions are not sufficient. To support additional information exchange, both
hosts must agree to discuss the parameters and then use the command SB to begin
subnegotiation.
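As an added example (not code from the original post), a parser that separates telnet data from the WILL/WON’T/DO/DON’T negotiations and SB subnegotiations described above, together with a responder that accepts or refuses proposals. The command byte values come from RFC 854 (IAC is 255, SB 250, SE 240); which options this side accepts is an assumption.

```python
"""Split a Telnet byte stream into application data and negotiation events,
and answer DO/WILL proposals the way RFC 854 requires.

Added example, not code from the original post.  Command values are the
RFC 854 constants (IAC=255, SE=240, SB=250, WILL=251, WONT=252, DO=253,
DONT=254); option numbers are taken from Table 1.  Which options this
side supports (SUPPORTED) is an assumption made for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
CMD_NAME = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
SUPPORTED = {1, 3}      # Echo and Suppress Go Ahead (Table 1); rest refused


@dataclass
class Negotiation:
    command: int        # WILL, WONT, DO or DONT
    option: int


@dataclass
class Subnegotiation:
    option: int
    payload: bytes      # bytes between IAC SB <option> and IAC SE


def parse_telnet(stream: bytes) -> Tuple[bytes, list]:
    """Return (data, events).  IAC IAC is unescaped to one 0xFF data byte.
    A truncated command raises ValueError instead of leaking into data,
    so a cut-off negotiation is never shown to the user as text."""
    data, events = bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated IAC at end of stream")
        cmd = stream[i + 1]
        if cmd == IAC:                       # escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in CMD_NAME:                # IAC <WILL|WONT|DO|DONT> <opt>
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            events.append(Negotiation(cmd, stream[i + 2]))
            i += 3
        elif cmd == SB:                      # IAC SB <opt> ... IAC SE
            if i + 2 >= n:
                raise ValueError("truncated subnegotiation")
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while True:
                if j >= n:
                    raise ValueError("subnegotiation without IAC SE")
                if stream[j] != IAC:
                    payload.append(stream[j])
                    j += 1
                    continue
                if j + 1 >= n:
                    raise ValueError("truncated IAC inside subnegotiation")
                if stream[j + 1] == SE:
                    break
                if stream[j + 1] == IAC:     # escaped 0xFF inside payload
                    payload.append(IAC)
                    j += 2
                    continue
                raise ValueError("unexpected command inside subnegotiation")
            events.append(Subnegotiation(option, bytes(payload)))
            i = j + 2
        else:                                # NOP, DM, AYT, ...: no option byte
            i += 2
    return bytes(data), events


def respond(neg: Negotiation) -> Optional[bytes]:
    """Answer a proposal per RFC 854: agree only for SUPPORTED options and
    refuse everything else.  WONT/DONT are acknowledgements and get no
    reply, which is what keeps two hosts from looping on an option."""
    if neg.command == DO:
        return bytes([IAC, WILL if neg.option in SUPPORTED else WONT, neg.option])
    if neg.command == WILL:
        return bytes([IAC, DO if neg.option in SUPPORTED else DONT, neg.option])
    return None


# Constructed server stream: DO Terminal Type, WILL Echo, WILL Suppress Go
# Ahead, a Terminal Type subnegotiation (1 = SEND per RFC 1091) and a prompt
# containing one escaped 0xFF byte.
SAMPLE = (bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3, IAC, SB, 24, 1, IAC, SE])
          + b"login: " + bytes([IAC, IAC]))

if __name__ == "__main__":
    data, events = parse_telnet(SAMPLE)
    print("data:", data)
    for ev in events:
        reply = respond(ev) if isinstance(ev, Negotiation) else None
        print(ev, "->", reply.hex() if reply else "no reply")
```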

Wednesday, December 17, 2008

How to Hack

Hacking can be difficult and there are many different ways to hack and many different exploits to use. Hacking is neither defined nor limited by exploitation or exploration. Hacking into someone else's system may be illegal, so don't do it unless you are sure you have permission from the owner of the system you are trying to hack.

Hacking was primarily used for learning new things about systems and computing in general, 'in the good ol' days'. In recent years it has taken on dark connotations and is in general looked down upon. Still, many corporations now employ "hackers" to test the strengths and weaknesses of their own systems. These hackers know when to stop, and it is the trust they have built that earns them large salaries.

There is a major difference between a hacker and a cracker. A cracker is motivated by malicious reasons; a hacker is attempting to gain knowledge through exploration.
Learn a programming language. C++ is very useful, although difficult to learn. Python is much easier to learn, although less flexible. In order to break into web systems, learning server side languages such as PHP will help you immensely. Perl is also a very useful language to learn, as it can be used in many situations, and once you are familiar with the syntax (which is similar to that of C), you will be able to create Perl scripts very quickly.
Use a *nix terminal for commands. Cygwin will help emulate this for Windows users. DOS is more limiting than a *nix terminal. The tools in this article can be found for Windows-based machines. Nmap in particular uses WinPcap to run on Windows and does not require Cygwin. However, Nmap works poorly on Windows systems due to the lack of raw sockets. You should also consider using Linux or BSD, which are both more flexible, more reliable, and more secure. Most Linux distributions come with many useful tools pre-installed.
Try securing your own machine first. Make sure you fully understand all the common techniques, including how to protect yourself against them.
Know your target. The process of gathering information about your target is known as 'enumeration'. Can you reach the remote system? You can use the ping utility (which is included in most operating systems) to see if the target is 'alive'; however, you cannot always trust the results of the ping utility, as it relies on the ICMP protocol, which can easily be shut off by paranoid system administrators.
Determine the operating system (OS). This is important because how can you gain access to a system if you don't know what the system is? This step involves running a scan of the ports. Try p0f or nmap to run a port scan. This will show you the ports that are open on the machine and the OS, and can even tell you what type of firewall or router they are using so you can plan a course of action. You can activate OS detection in nmap by using the -O switch.
Find some path or open port in the system. Common ports such as FTP (21) and HTTP (80) are often well protected, and possibly only vulnerable to exploits yet to be discovered. Try other TCP and UDP ports that may have been forgotten, such as Telnet and various UDP ports left open for LAN gaming. An open port 22 is usually evidence of an SSH (secure shell) service running on the target, which can sometimes be bruteforced.
Crack the password or authentication process. There are several methods for cracking a password, including brute force. Brute-forcing a password means trying every possible password contained within the pre-defined dictionary of the brute-force software. Users are often discouraged from using weak passwords, so brute force may take a lot of time. You may try using Rainbow Tables for the fastest password cracking. Note that password cracking is a good technique only if you already have the password hash. Trying every possible password while logging in to the remote machine is not a good idea, as it is easily detected by intrusion detection systems, pollutes the system logs and may take years to complete. In practice it is often much easier to find another way into a system than to crack a password.
Get super user (root) privileges if targeting a *nix machine, or administrator privileges if taking Windows systems. Most information that will be of vital interest is protected and you need a certain level of authentication to get it. To see all the files on a computer you need super user privileges. This is a user account that is given the same privileges as the "root" user in Linux and BSD operating systems. For routers this is the "admin" account by default (unless it has been changed), for Windows, this is the Administrator account, etc. Just because you have gained access to a connection doesn't mean you can access everything. Only a super user, the administrator account, or the root account can do this.
Use various tricks. Often, to gain super user status you have to use tactics such as creating a "buffer overflow", which basically causes the memory to dump and allows you to inject code or perform a task at a higher level than you are normally authorized. In Unix-like systems this works if the buggy software has the setuid bit set, so that the program is executed as a different user (the superuser, for example). Only writing or finding an insecure program that you can execute on their machine will allow you to do this.
Create a backdoor. Once you have gained full control over a machine, it's best to make sure you can come back one day. This can be done by backdooring an important system service, such as the SSH server. However, your backdoor may be removed upon the next system upgrade; really experienced hackers would backdoor the compiler itself, so that every compiled program becomes a potential way to come back.
Cover your tracks. Never ever let the administrator know that the system is compromised. Do not change the website (if any), and do not create more files than you really need. Do not create any additional users. Act as fast as possible. If you patched a server like SSHD, make sure it has your secret password hard-coded. If someone tries to log in with this password, the server should let him in, but shouldn't tell syslog about it.
Tips
Read books discussing TCP/IP networking.
This article discusses what is known in the hacking world as "cracking". Hackers are those that built the internet, made Linux, and work on open source software. It is advisable to look into hacking, as it is respected and less likely to get you arrested.
Using these tactics on a popular corporate or government computer is asking for trouble unless you're a professional hacker. Keep in mind there are people a bit more knowledgeable than you who are protecting these systems for a living. Once found, they sometimes monitor intruders to let them incriminate themselves first before legal action is taken. This means you might think you have free access after hacking into a system, when in fact, you're being watched, and may be stopped at any moment.
To find information online related to hacking, or even to attend an "underground" hacking event, visit these sites:


enigmagroup.org A legal and safe network security resource where users test their hacking skills on various challenges and learn about hacking and network security. Also provided are articles, comprehensive and active forums, and guides and tutorials.
defcon.org Underground hacking event.
hackthissite.org Hacking site with a large selection of challenges to practice your skills in a safe and legal environment.
insecure.org Hacking tools and other software.
securityforest.com Tools, papers, exploits, and other reference material.
hellboundhackers.org Learn vital skills, complete training "missions", and talk with other experienced hackers to become better. Also get tools and skills.



Warnings
Misuse of this information may be a local and/or federal crime. This article is intended to be informational and should only be used for ethical purposes.
Do not delete entire logfiles, instead, just remove the incriminating entries from the file. What do you think would look more suspicious; logs with a few entries missing, or the entire log file destroyed?
Be extremely careful if you think you have found a very easy crack or a crude mistake in security management. A security professional protecting that system may be trying to track you by setting up a honeypot.
Stay away from breaking into government networks. If you do find a vulnerability in such a network, the best plan of action is to inform the system administrator, and perhaps help them in patching the vulnerability.



Things You'll Need
A computer with a connection to the Internet.
A proxy is always a good idea.
An IP scanner
Petaflops help

Friday, December 12, 2008

Intrusion Detection Methodologies

1. The "business problem": Keeping the bad guys out
Internet and internal network attacks on corporate enterprises seem inescapable in today’s computing
environment. Most companies admit to having been attacked over the past year. While the most costly attacks
have been from the inside, external attacks from hackers and competitors are rising dramatically. How do you
know when you’re under attack? Chances are you can already create enough audit trail data, but who has time
to look at it?
Intrusion Detection tools solve this problem by automatically discovering and responding to attacks. This paper
investigates the need for Intrusion Detection, discusses lessons learned from early Intrusion Detection efforts,
and explores the different types of Intrusion Detection tools available. The paper compares and contrasts the
three common methodologies used for Intrusion Detection and discusses the advantages and disadvantages
inherent to various architectures.
2. "Why Intrusion Detection?"
The 1997 annual Ernst & Young security survey indicated that 46% of the respondents considered intrusions a
major concern. This rose dramatically from 16% in 1996. U.S. government penetration tests at the Department of
Defense over the last two years showed that less than 4% of the systems broken into were able to detect the
attack. Even more disturbing, less than 1% took any response.
Taking advantage of "Free Stuff"
A few years ago, hacking took a lot of time and study. While expert hackers still abound, the Internet has entered
a new era. Using almost any search engine, average Internet users can quickly find information describing how
to break into systems; for example, simply searching for key words like hacking, password cracking, and Internet
security. Thousands of sites publish step-by-step instructions as to how to break into Windows NT systems, Web
Servers, UNIX systems, etc. The sites often include tools that automate the hacking process. In many cases the
tools have easy to use graphical interfaces. For instance, a tool called "crack" automatically attempts to guess
UNIX passwords. A similar tool called L0phtcrack breaks Windows NT passwords. A software probe called
SATAN discovers vulnerable systems in a network and reports on the specific holes that can be exploited.
What does all this mean? Almost anyone with the motivation to break into systems can quickly obtain the
technology to do so without having to become an expert hacker.
Attacks come from both the inside and the outside. As the survey in the following chart illustrates, disgruntled
employees actually represent a larger threat and typically cause more damage than hacker attacks. An effective
Intrusion Detection solution should detect attacks from both inside and outside the network.
More computers than people
With the explosion of Internet connectivity and the pervasive access every day users have to both internal and
external networks, experts have seen a tremendous rise in attacks on corporate and government networks. At
the same time the complexity of our enterprises has increased rapidly. Many organizations report that they have
more computer systems than users. Add to this the diversity of operating system platforms, routers, network
protocols, applications, web servers, databases, etc., and we can quickly see why trying to spot an attack
becomes extremely difficult. Without sophisticated tools, it’s nearly impossible.
Nevertheless, nearly every organization wants to know when they are under attack. Enter Intrusion Detection
technology. Intrusion Detection tools automatically detect attacks and threats and ideally provide some type of
response.
3. Early Intrusion Detection Efforts
In the early 1980s, conventional wisdom dictated that the best way to detect intrusions was to create logs or audit
trails of all security relevant activity. As a result most operating systems, databases, routers, and mission-critical
applications generate audit trails. The original idea was that a security administrator would review the audit logs
looking for suspicious events. This seemed like a fine idea when companies only had a few systems and a few
users.
The industry quickly realized that no one had time to read all that audit trail data. So a few enterprising
developers built query and reporting programs to help analyze the audit trail in an attempt to find trouble spots.
For example, in 1984, Clyde Digital Systems developed a product called AUDIT, which automatically searches
through OpenVMS audit trails looking for suspicious events (incidentally, that product is still in use today). In
1987, a U.S. Government-funded project called IDES at Stanford Research Institute read audit trails and created
profiles of normal use patterns for users and then reported deviations.
Having "the answer" without solving the problem equals no answer at all
Intrusion Detection efforts throughout the 1980’s and early 90’s tended to focus on post-event audit trail analysis.
Most companies, however, did not make use of such tools. Unfortunately, as the number of users, systems,
applications, and databases grew, so did the audit trails, which are now so large that they can actually cause denial of
service problems from using up too much disk space. Many production environments routinely turn off audit trails
to avoid disruptions to production systems.
So the current situation at most sites is that they plan to rely on audit trails to detect intrusions, but without
staffing to review the audit trails, these sites turn off the audit trails to improve productivity. No wonder most
attacks go undetected. Nobody’s looking.
4. Intrusion Detection—Essential Functionality
The term "Intrusion Detection" implies discovering attacks and threats throughout an enterprise, and responding
to those discoveries. Some of the automated responses typically include notifying a security administrator via a
console, e-mail, pager; stopping the offending session; shutting the system down; turning off Internet links;
disabling users; or executing a predefined command procedure.
Clearly Defined: "Intrusion Detection" is more than just a coded application
An effective Intrusion Detection system needs to limit false positives—incorrectly identifying an attack when there
is none. At the same time it needs to be effective at catching attacks. Figuratively speaking, Intrusion Detection is
like a surveillance camera and alarm system all rolled into one. False alarms are distracting and reduce the
effectiveness of an Intrusion Detection system. Failing to catch a break-in reduces its value even further. To
detect new types of attacks an Intrusion Detection tool must have a way to be quickly updated. This is
particularly challenging since updates of attack detection scenarios need to be more frequent than typical
product release upgrade cycles of three to nine months. In fact, to be effective probably requires updating the
software to new detection procedures on a regular basis.
SWATting the problem of keeping current on new attacks
AXENT’s Information Security SWAT Team illustrates one way to address this challenge of rapid deployment of
new attack scenarios. The SWAT team researches new attack techniques and security threats and tests them in
the lab. It develops new Intrusion Detection scenarios in response and publishes both a description of the attack
and the scenarios on an Internet web site, www.axent.com/swat/swat.htm. Customers can download and quickly
deploy new Intrusion Detection scenarios every week or two.
5. What is a "Network?"
Although this may seem strange, let’s clearly define the term "network." Why? Many intrusion detection
products on the market claim to be network-based, when in fact, they are only link-based packet-sniffers and
analyzers. Remembering basic geometry, a network is an assembly of "nodes" and "links." You might have seen
the following illustration used to define the term "network."
In the example, to meet our basic definition of a network, the illustration required single points, connected by
individual lines. The points, we described as "nodes" and the lines connecting between these nodes we referred
to as "links." (Individual links can connect multiple nodes as shown by the middle link in the picture, which
connects three nodes. Ethernet is an example of a network link that can connect multiple nodes to a single
segment.)
In the Intrusion Detection industry, much attention has been focused on the individual links, or on the individual
nodes (some times referred to as "hosts"). The following section examines the various methods that the leading
vendors consider as their solution to "Network-wide Security."
6. Types of Intrusion Detection Tools
As recently as the last couple of years a number of Intrusion Detection products have appeared on the market.
The Intrusion Detection market is relatively new, but growing fast. Based on their underlying methodologies,
today’s Intrusion Detection products fall into three basic categories:
An example of a manager/agent real-time Intrusion Detection architecture is AXENT’s OmniGuard/Intruder Alert.
Intruder Alert runs across Windows NT, UNIX, and NetWare (more than 50 operating system versions). It also
monitors audit trails from Cisco routers, webservers, and various firewalls.
Intruder Alert’s manager/agent architecture offers the following advantages:
· Manages Intrusion Detection from a central console, while still monitoring activity throughout the entire
network.
· Relies on the devices themselves for first-level packet monitoring. Events that manage to slip through the
device’s capabilities to catch them are then evaluated by Intruder Alert.
· Correlates suspicious activity as it occurs in multiple locations in the network. For example, an intruder
may use a hacker program to attempt to guess the root password on a hundred UNIX systems at the
same time.
· Quickly updates the various agents in the network with new attack scenarios. The vendor could publish
these scenarios on the web so that customers could then download them and rapidly deploy them
throughout the enterprise.
· Detects intrusions even if network connections are encrypted or if attackers use direct dial-up
connections.
· Logs critical security activity on manager systems. This makes it difficult for hackers to cover their tracks
since activity is logged on another system in the network, not just a local audit trail. It also centralizes and
facilitates audit trail management.
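The cross-host correlation in the third advantage above, as an added example (not code from the paper or from AXENT’s product): a manager collects failed-login events forwarded by many hosts’ agents and raises one alert when a single source fails root logins on five or more hosts within a minute, a pattern no single host’s audit trail reveals. The event format, thresholds, host names and addresses are constructed assumptions.

```python
"""Manager-side correlation of the attack named in the list above: one
source trying the root password on many UNIX systems at once.

Added example, not from the paper or from AXENT's product.  Each host's
agent forwards failed-login events to a central manager; any single host
sees one failure, which looks like a typo, while the manager sees the
pattern across hosts.  The event format, thresholds and all hosts and
addresses are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed agent events: "<ISO time> <host> <source-ip> <user> <result>"
SAMPLE_EVENTS = """\
1998-03-02T10:00:01 unix01 192.0.2.7 root FAIL
1998-03-02T10:00:02 unix02 192.0.2.7 root FAIL
1998-03-02T10:00:02 unix03 192.0.2.7 root FAIL
1998-03-02T10:00:03 unix04 192.0.2.7 root FAIL
1998-03-02T10:00:04 unix05 192.0.2.7 root FAIL
1998-03-02T10:00:09 unix06 192.0.2.7 root FAIL
1998-03-02T10:03:00 unix02 198.51.100.4 alice FAIL
1998-03-02T10:03:05 unix02 198.51.100.4 alice OK
1998-03-02T10:30:00 unix09 192.0.2.7 root FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_event(line):
    """Return (time, host, src, user, result) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, src, user, result = m.groups()
    return datetime.fromisoformat(ts), host, src, user, result


def failed_root_per_host(lines):
    """What each host sees on its own: failed root logins per host."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev and ev[3] == "root" and ev[4] == "FAIL":
            counts[ev[1]] += 1
    return dict(counts)


def correlate_root_guessing(lines, window=timedelta(seconds=60), min_hosts=5):
    """What the manager sees: one alert per source that fails root logins
    on at least `min_hosts` distinct hosts within `window`.  Returns
    [(source_ip, window_start_iso, sorted_hosts), ...]."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev[3] == "root" and ev[4] == "FAIL":
            per_src[ev[2]].append((ev[0], ev[1]))
    alerts = []
    for src, hits in per_src.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            end = start + window
            hosts = {h for t, h in hits[i:] if t <= end}
            if len(hosts) < min_hosts:
                i += 1
                continue
            alerts.append((src, start.isoformat(), sorted(hosts)))
            # one alert per campaign: skip everything inside this window
            later = [k for k, (t, _) in enumerate(hits) if t > end]
            if not later:
                break
            i = later[0]
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_EVENTS.splitlines()
    print("per-host view:", failed_root_per_host(lines))
    for src, when, hosts in correlate_root_guessing(lines):
        print(f"ALERT root-password guessing from {src} starting {when} "
              f"on {len(hosts)} hosts: {', '.join(hosts)}")
```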
7. Comparison of Detection Methods
The chart below shows a brief comparison of the basic features of the various methods of Intrusion Detection.
The final section of the chart shows what types of security threats and attacks each method can detect. A check
mark means that it can detect and respond. A "d" means it can only detect, but that it can’t provide an immediate
Attack from inappropriate IP address ✓ ✓
Illegal "Root" grabbing ✓ ✓
Critical file tampering d ✓ ✓
Trojan horse detection d ✓ ✓
Browsing files (snooping) d ✓ ✓
Snooping across multiple systems ✓
Response Types
Alert central console ✓ ✓
Send e-mail ✓ ✓ ✓
Send message to pager ✓ ✓ ✓
Disable intruder’s user account ✓ ✓
Terminate network access ✓ ✓
Terminate intruder’s session ✓ ✓ ✓
Shutdown system ✓ ✓
Terminate intruder’s user process ✓ ✓
Generate SNMP Trap ✓ ✓ ✓
Record event on security server ✓ ✓
Execute command procedure ✓ ✓ ✓
The previous chart clearly shows that while all Intrusion Detection methodologies are useful, manager/agent
real-time activity monitoring has the most flexible architecture. It can pick up information from routers, firewalls,
and other sources to detect many different kinds of attacks.
8. Conclusion
Intrusion detection is critical in today’s complex enterprises. Attempting to manually review audit trails is
hopelessly time-consuming and a losing battle given the number of systems and different types of audit trails.
Today’s enterprises need automated Intrusion Detection tools. These tools fall into three categories, post-event
audit trail analysis, real-time packet analysis, and real-time activity monitoring.
All three types of Intrusion Detection methods have merit, although post-event monitoring lacks the capability for
immediate response to avoid or reduce damage. Real-time packet analysis is interesting for detecting certain
low-level packet attacks, but is too far from the system—and does not effectively solve the network-wide
Intrusion Detection problem alone. Real-time activity monitoring that considers both host and link activity seems the appropriate solution for Intrusion Detection.
A manager/agent architecture provides the ability to monitor intrusions network-wide and to perform audit trail analysis and management as well as real-time Intrusion Detection. This covers both the first and third methods. Hooking packet analysis into a manager/agent architecture is really just a special case of adding a new type of agent to the manager/agent product.
As Intrusion Detection moves into the future we expect to see specific products that span all three types of Intrusion Detection. Because of the enabling infrastructure they already possess, products with a manager/agent architecture, like Intruder Alert, are most likely to adequately focus on all three of the Intrusion
Detection methodologies.

Wednesday, November 12, 2008

ARP

Address Resolution Protocol (ARP) is used to resolve an IP address into a MAC address.
An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the MAC address of the destination host. To this end, the IP address must be resolved into the corresponding MAC address.

ARP Message Format



Figure 1 ARP message format

The following explains the fields in Figure 1.

Hardware type: This field specifies the hardware address type. The value “1” represents Ethernet.

Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value “0x0800” represents IP.

Hardware address length and protocol address length: They respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is “6”. For an IP(v4) address, the value of the protocol address length field is “4”.

OP: Operation code. This field specifies the type of ARP message. The value “1” represents an ARP request and “2” represents an ARP reply.

Sender hardware address: This field specifies the hardware address of the device sending the message.

Sender protocol address: This field specifies the protocol address of the device sending the message.

Target hardware address: This field specifies the hardware address of the device the message is being sent to.

Target protocol address: This field specifies the protocol address of the device the message is being sent to.

ARP Address Resolution Process



Figure 2 ARP address resolution process

Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows:

1) Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request, in which the source IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all-zero MAC address. Because the ARP request is sent in broadcast mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request.

3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.

4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.

ARP Mapping Table
After obtaining the destination MAC address, the device adds the IP-to-MAC mapping into its own ARP mapping table. This mapping is used for forwarding packets with the same destination in future.

An ARP mapping table contains ARP entries, which fall into two categories: dynamic and static.

1) A dynamic entry is automatically created and maintained by ARP. It can get aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry will be removed.

2) A static ARP entry is manually configured and maintained. It cannot get aged or be overwritten by a dynamic ARP entry. It can be permanent or non-permanent.

· A permanent static ARP entry can be directly used to forward packets. When configuring a permanent static ARP entry, you must configure a VLAN and outbound interface for the entry besides the IP address and MAC address.

· A non-permanent static ARP entry cannot be directly used for forwarding data. When configuring a non-permanent static ARP entry, you only need to configure the IP address and MAC address. When forwarding IP packets, the device sends an ARP request. If the source IP and MAC addresses in the received ARP reply are the same as the configured IP and MAC addresses, the device adds the interface receiving the ARP reply into the static ARP entry. Now the entry can be used for forwarding IP packets.

Gratuitous ARP
A gratuitous ARP packet is a special ARP packet, in which the source IP address and destination IP address are both the IP address of the sender, the source MAC address is the MAC address of the sender, and the destination MAC address is a broadcast address.

A device can implement the following functions by sending gratuitous ARP packets:

· Determining whether its IP address is already used by another device.

· Informing other devices of its MAC address change so that they can update their ARP entries.

A device receiving a gratuitous ARP packet can add the information carried in the packet to its own dynamic ARP mapping table if it finds no corresponding ARP entry for the ARP packet in the cache.
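As an added example (not the original post’s code), the ARP message of Figure 1 encoded and decoded with Python’s struct module, and the four-step exchange of Figure 2 replayed between simulated hosts on one subnet, including how a receiver treats a gratuitous ARP as described above. The Host class and every address are constructed for the demonstration.

```python
"""Encode and decode the ARP message of Figure 1, then replay the four
resolution steps of Figure 2 between simulated hosts on one subnet.

Added example, not code from the original post.  Field layout and values
are as the post states them (hardware type 1, protocol type 0x0800,
lengths 6 and 4, op 1 = request, 2 = reply).  The Host class and all
addresses are constructed for the demonstration.
"""
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"          # network byte order, 28 bytes
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"       # target MAC in a request (step 2)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def build_arp(op, sha, spa, tha, tpa):
    """Pack one ARP message from string addresses ('aa:bb:..', '10.0.0.1')."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(pkt):
    """Unpack an ARP message, rejecting anything that is not Ethernet/IPv4
    with the address lengths the header claims."""
    size = struct.calcsize(ARP_FMT)
    if len(pkt) < size:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, pkt[:size])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"op": op, "sha": mac(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def is_gratuitous(fields):
    """Gratuitous ARP: sender and target protocol address are both the sender's IP."""
    return fields["spa"] == fields["tpa"]


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_table = {}              # dynamic entries: ip -> mac

    def request_for(self, target_ip):
        # Step 2: sender fields are ours, target MAC all zero; the Ethernet
        # frame carrying this would be addressed to the broadcast MAC.
        return build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def handle(self, pkt):
        """Process a received ARP message; return a reply packet or None."""
        f = parse_arp(pkt)
        if is_gratuitous(f):
            # Learn from a gratuitous ARP only if no entry exists yet.
            self.arp_table.setdefault(f["spa"], f["sha"])
            return None
        if f["tpa"] != self.ip:
            return None                  # step 2: not the requested host
        # Steps 3/4: record the sender's mapping either way
        self.arp_table[f["spa"]] = f["sha"]
        if f["op"] == OP_REQUEST:        # step 3: answer unicast to the asker
            return build_arp(OP_REPLY, self.mac, self.ip, f["sha"], f["spa"])
        return None                      # step 4: reply consumed


def resolve(sender, segment, target_ip):
    """Figure 2 end to end; returns the MAC the sender now holds for target_ip."""
    if target_ip not in sender.arp_table:        # step 1: table miss
        req = sender.request_for(target_ip)      # step 2: broadcast
        for h in segment:
            if h is not sender:
                reply = h.handle(req)            # every host receives it
                if reply is not None:
                    sender.handle(reply)         # step 4
    return sender.arp_table.get(target_ip)


if __name__ == "__main__":
    a = Host("192.0.2.10", "02:00:00:00:00:0a")
    b = Host("192.0.2.20", "02:00:00:00:00:14")
    c = Host("192.0.2.30", "02:00:00:00:00:1e")
    print("A resolved B to", resolve(a, [a, b, c], b.ip))
    print("B learned A:", b.arp_table, "C learned nothing:", c.arp_table)
    garp = build_arp(OP_REQUEST, a.mac, a.ip, BROADCAST_MAC, a.ip)
    c.handle(garp)
    print("after gratuitous ARP, C knows", c.arp_table)
```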

ARP Source Suppression
If hosts on a network attack the device by sending large amounts of IP packets whose IP addresses cannot be resolved, the following consequences result:

· The device sends large amounts of ARP request messages to the destination subnet, which increases the load of the destination subnet.

· The device continuously resolves destination IP addresses, which increases the load of the CPU.

To protect the device against this kind of attack, you can enable the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable IP addresses that a host on the network sends to the device within five seconds exceeds the specified threshold, the device drops all subsequent packets with the same source IP address for the next five seconds. This helps protect the device against the attack.
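A model of the source suppression rule just described, added here as an example and not taken from the post or any vendor’s code; the threshold, the five-second window and penalty, and the packet timestamps and addresses are constructed assumptions.

```python
"""Model of the ARP source suppression rule described above.

Added example, not the post's code or any vendor's implementation.  The
rule as the post states it: count a source's packets with unresolvable
destination addresses over a five-second window; once the count exceeds
the threshold, drop that source's packets for the next five seconds.
Timestamps and addresses are constructed.
"""


class ArpSourceSuppression:
    def __init__(self, threshold, window=5.0, penalty=5.0):
        self.threshold = threshold
        self.window = window
        self.penalty = penalty
        self.counts = {}            # src -> (window_start, packets_seen)
        self.blocked_until = {}     # src -> time when suppression ends

    def accept(self, src, now):
        """True if the packet proceeds to ARP resolution, False if dropped."""
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return False        # still inside the five-second penalty
            del self.blocked_until[src]
        start, seen = self.counts.get(src, (now, 0))
        if now - start >= self.window:
            start, seen = now, 0    # new five-second counting window
        seen += 1
        if seen > self.threshold:
            # Threshold exceeded: drop this and everything from src for
            # the next `penalty` seconds, then start counting afresh.
            self.blocked_until[src] = now + self.penalty
            self.counts.pop(src, None)
            return False
        self.counts[src] = (start, seen)
        return True


def simulate(events, threshold):
    """events: iterable of (time, src_ip) for packets whose destination ARP
    could not resolve; returns [(time, src, accepted), ...] in time order."""
    sup = ArpSourceSuppression(threshold)
    return [(t, src, sup.accept(src, t)) for t, src in sorted(events)]


# Constructed burst: 198.51.100.9 floods, 198.51.100.5 sends normally
EVENTS = [(0.0, "198.51.100.9"), (1.0, "198.51.100.9"), (1.5, "198.51.100.5"),
          (2.0, "198.51.100.9"), (3.0, "198.51.100.9"), (4.0, "198.51.100.5"),
          (6.0, "198.51.100.9"), (9.0, "198.51.100.9")]

if __name__ == "__main__":
    for t, src, ok in simulate(EVENTS, threshold=3):
        print(f"t={t:4.1f} {src:14} {'resolve' if ok else 'DROP'}")
```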

ARP Defense Against IP Packet Attack
In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of the next hop. If the address resolution is successful, the forwarding chip forwards the packet directly. Otherwise, the device runs software for further processing. When large amounts of IP packets for which ARP cannot resolve the IP addresses of the next hops arrive at a device, the software on the device will be called again and again and the CPU of the device will be overburdened. This is called an IP packet attack.

To protect a device against IP packet attack, you can configure the ARP defense against IP packet attack function. After receiving an IP packet with the IP address of the next hop unreachable (an IP packet that ARP cannot resolve the MAC address of the next hop), a device with this function creates a black hole route immediately and the forwarding chip simply drops all packets to the address. Note that a black hole route can get aged, in which case a subsequent IP packet with the same next hop triggers the above process. This protects the device against the IP packet attack efficiently, reducing the load of the CPU.

Proxy ARP
For an ARP request of a host on a network to be forwarded to an interface that is on the same network but isolated at Layer 2 or a host on another network, the device connecting the two physical or virtual networks must be able to respond to the request. This is achieved by proxy ARP.

Proxy ARP implements Layer 3 communication between interfaces isolated at Layer 2 or located on different networks.

In one of the following cases, you need to enable the local proxy ARP:

Devices connected to different isolated layer 2 ports in the same VLAN need to implement layer 3 communication.

With the super VLAN function enabled, devices in different sub VLANs need to implement layer 3 communication.

With the isolate-user-vlan function enabled, devices in different second VLANs need to implement layer 3 communication.

Thursday, November 6, 2008

How to Monitor Network Traffic

As a network analyzer (a.k.a. packet sniffer and protocol analyzer), Capsa makes it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network traffic monitor feature, we can quickly identify network bottlenecks and detect network abnormalities. This article discusses how we can monitor network traffic with Capsa's network traffic monitor feature.

Monitor network traffic in "Summary" tab
"Summary" is a view that provides general information about the entire network or the node selected in the "Explorer". In "Summary" we can get a quick view of the total traffic, real-time traffic, broadcast traffic, multicast traffic and so on. When we switch among the nodes in the Explorer, the corresponding traffic information is provided.