Author: admin

  • Home
  • Articles by: admin
nDPI

How Great Hashing Can (More Than) Double Application Performance
Most ntop applications (ntopng, nProbe, Cento) and libraries (FT) are based on the concept of flow processing, that merely means keeping track of all network communications. In order to implement this, network packets are decoded and, based on a “key” (usually a 5-tuple consisting of protocol and src/dst IP and port), clustered into flows (other keys such as VLAN can be added if necessary). This usually requires a lookup in an hash table, by using an hash function to translate the key into an index for an array with collision …
News

September Webinars: ntopng Scripting and API Integrations
Save the date! Two webinars have been planned for the cycle of this month. We start on Thursday, September 17th, 16:00 CEST / 10 AM EST, with “How to Write an ntopng Plugin“. In this workshop, we will see how to create an ntopng Lua plugin to generate alerts and opportunely update the ‘score’ indicator of compromise for hosts and flows. During the workshop, we will walk the audience through a typical workflow which can then be reused to write any kind of plugin. We will start with a simple …
nDPI

Monitoring Industrial IoT/Scada Traffic with nDPI and ntopng
Monitoring Industrial IoT and SCADA traffic can be challenging as most open source monitoring tools are designed for Internet protocols. As this is becoming a hot topic with companies automating production lines, we have decided to enhance ntop tools to provide our user community traffic visibility even in industrial environments. This has required to enhance nDPI to detect these protocols and enhance ntopng, our monitoring console, to visualize this traffic by providing enhanced protocol dissection on top of which alerts can be triggered. To date, nDPI supports modbus, DNP3 and …
Cybersecurity

How Attack Mitigation Works (via SNMP)
One of the greatest strengths of ntopng is its ability to correlate data originating at different layers and at multiple sources together. For example, ntopng can look at IP packets, Ethernet frames and, at the same time, poll SNMP devices. This enables ntopng to effectively perform correlations and observe: The behavior of IP addresses (e.g., Is this IP known to be blacklisted?) The MAC addresses carrying IP traffic around in the network The physical location of the MAC addresses (i.e., physical switches traversed by a given MAC address along with …
Cybersecurity

How to Detect Domain Hiding (a.k.a. as Domain Fronting)
Domain fronting is a technique that was used in 2010s by mobile apps to attempt to bypass censorship. The technique relies on a “front” legitimate domain that basically acts as a pivot for the forbidden domain. In essence an attacker performs a HTTPS connection where in the DNS (used to resolve the domain name) and TLS SNI the legitimate domain name is used, whereas inside the HTTP connection in the “Host” HTTP header it specifies the forbidden domain Recently at DEF CON 28 a new tool named Noctilucent has been …
n2n

Introducing n2n 2.8: Modern Crypto and Data Compression
This is to announce the release of n2n 2.8 stable. This release brings significant new features to n2n’s crypto world and offers some compression opportunities. Overall n2n performance has been greatly enhanced, reduced bandwidth usage thanks to data compression, and as state of the art security with new crypto options. The added support for routing table manipulation might increase comfort. Besides further honing existing features, this release addresses some bugs. New Features Two lightweight stream ciphers: ChaCha20 (optional, through OpenSSL) & SPECK (integrated) Full Header Encryption (including packet checksumming as …
Cybersecurity

Mice and Elephants: HowTo Detect and Monitor Periodic Traffic
Most people are used to top X: top senders, top receivers, top protocols. So in essence they are looking for elephants. While this is a good practice, mice are also very interesting as they can often be hidden in the noise. In cybersecurity noise is very good for attackers as they often try to hide themselves on it; this is in order to escape security. Many malware are programmed on a for loop fashion: do a), do b) do c) then go back to a) on an infinite loop. In …
News

July 16th and 24th: Community Meeting and Webinar Announcement
This month we’ll meet our community in two different events: When: Thursday, July 16th, 16:00 CET / 10 AM EST What: Live community meeting Where: Discord. You can read more here how to join on the public ntop voice channel for this live event. Abstract: Recently we have started to use discord as platform for interacting with our community in addition to telegram. The advantage of discord is the ability to combine text/voice/screen sharing so that we want to make an experiment, meet our users, let discuss with them, provide support. …
nDPI

Introducing nDPI Risk Analysis for (Cybersecurity) Network Traffic Analysis (was Ripple20)
Earlier last month Ripple20 became popular as it has listed some vulnerabilities found in a custom IP stack used by many IoT devices. Despite the hype on Ripple20, in essence the tool used to fingerprint vulnerable devices sends either malformed or valid (with some values in the allowed range albeit with values deprecated or obsolete) packets that are easy to catch (see Suricata and Zeek rules for detection). In essence IDS rules/scripts are checking whether packets sent on the wire are valid or if they contain unexpected values used by …
nDPI

Howto Identify and Block Telegram-based Botnets
Botnets are a popular way to run malware on a network using the command and control paradigm. Popular protocols used by botnets include IRC and HTTP. Most IDSs can detect bots as long as they can inspect the network traffic. This makes networks administrators blind when bots move to encrypted and cloud-based (i.e. that you cannot block with a simple IP-based ACL) protocols. The popular Telegram messaging system allows people to create a bot in minutes as shown in the code excerpt below.   bot = Bot(token) def run(): """ …
ntop

ntop Tools Taxonomy
As sometime people is confused about the various options ntopng tools offer, this post is an attempt to clarify them in a single page. [table id=1 /] Enjoy! …
nDPI

Why Traffic Behaviour Analysis is Good (was Encrypting TLS 1.3 Traffic)
In the latest nDPI meetup, we have discussed future directions, including extending the current encrypted traffic analysis features. Currently nDPI supports both fingerprint and behaviour encrypted traffic analysis techniques to provide TLS traffic visibility. At ntop we have never liked too much fingerprinting techniques such as JA3 that are used by many popular IDSs and security tools, simply because they often lead to false positives making them a “nice to have” features but nothing more than that. Recently the IETF is designing a new TLS 1.3 extension named ECHO (Encrypted …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe