nDPI Flow Risks

nDPI is designed not just to detect application protocols in traffic flows but also to evaluate potential security risks associated with the traffic. In nDPI parlance this is called a “flow risk”. Flows can have multiple risks detected hence nDPI reports them with a bitmap. Each risk detected corresponds to a bit in the flow risk bitmap. You can read more about ndpi_risk_enum for the list of all numeric risks currently supported.

Below you can find a description of each flow risk so that you can easily understand when a risk is triggered and its meaning. The flow risks are listed in numerical order as they are defined in ndpi_risk_enum.

NDPI_URL_POSSIBLE_XSS

HTTP only: this risk indicates a possible XSS (Cross Side Scripting) attack.

NDPI_URL_POSSIBLE_SQL_INJECTION

HTTP only: this risk indicates a possible SQL Injection attack.

NDPI_URL_POSSIBLE_RCE_INJECTION

HTTP only: this risk indicates a possible RCE (Remote Code Execution) attack.

NDPI_BINARY_APPLICATION_TRANSFER

HTTP only: this risk indicates that a binary application is downloaded/uploaded. Detected applications include Windows binaries, Linux executables, Unix scripts and Android apps.

NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT

This risk indicates a known protocol used on a non standard port. Example HTTP is supposed to use TCP/80, and in case it is detected on TCP/1234 this risk is detected.

NDPI_TLS_SELFSIGNED_CERTIFICATE

TLS/QUIC only: this risk is triggered when a self-signed certificate is used.

NDPI_TLS_OBSOLETE_VERSION

Risk 0triggered when TLS version is older than 1.1.

NDPI_TLS_WEAK_CIPHER

Risk 0triggered when an unsafe TLS cipher is used. See this page for a list of insecure ciphers.

NDPI_TLS_CERTIFICATE_EXPIRED

Risk 0triggered when a TLS certificate is expired, i.e. the current date falls outside of the certificate validity dates.

NDPI_TLS_CERTIFICATE_MISMATCH

Risk 0triggered when a TLS certificate does not match the hostname we’re accessing. Example you do http://www.aaa.com and the TLS certificate returned is for www.bbb.com.

NDPI_HTTP_SUSPICIOUS_USER_AGENT

HTTP only: this risk is triggered whenever the user agent contains suspicious characters or its format is suspicious. Example: <?php something ?> is a typical suspicious user agent.

NDPI_HTTP_NUMERIC_IP_HOST

HTTP only: this risk is triggered whenever we’re accessing a host using its IP rather than its symbolic name. Example http://1.2.3.4.

NDPI_HTTP_SUSPICIOUS_URL

HTTP only: this risk is triggered whenever the accessed URL is suspicious. Example: http://127.0.0.1/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe.

NDPI_HTTP_SUSPICIOUS_HEADER

HTTP only: this risk is triggered whenever the HTTP peader contains suspicious entries such as Uuid, TLS_version, Osname that are unexpected on the HTTP header.

NDPI_TLS_NOT_CARRYING_HTTPS

TLS only: this risk indicates that this TLS flow will not be used to transport HTTP content. Example VPNs use TLS to encrypt data rather to carry HTTP. This is useful to spot this type of cases.

NDPI_SUSPICIOUS_DGA_DOMAIN

A DGA is used to generate domain names often used by malwares. This risk indicates that this domain name can (but it’s not 100% sure) a DGA as its name is suspicious.

NDPI_MALFORMED_PACKET

This risk is generated when a packet (e.g. a DNS packet) has an unexpected formt. This can indicate a protocol error or more often an attempt to jeopardize a valid protocol to carry other type of data.

NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER

This risk is generated whenever a SSH client uses an obsolete SSH protocol version or insecure ciphers.

NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER

This risk is generated whenever a SSH server uses an obsolete SSH protocol version or insecure ciphers.

NDPI_SMB_INSECURE_VERSION

This risk indicates that the SMB version used is insecure (i.e. v1).

NDPI_TLS_SUSPICIOUS_ESNI_USAGE

SNI is a way to carry in TLS the host/domain name we’re accessing. ESNI means encrypted SNI and it is a way to mask SNI (carried in clear text in the TLS header) with encryption. While this practice is legal, it could be used for hiding data or for attacks such as a suspicious domain fronting.

NDPI_UNSAFE_PROTOCOL

This risk indicates that the protocol used is insecure and that a secure protocol should be used (e.g. Telnet vs SSH).

NDPI_DNS_SUSPICIOUS_TRAFFIC

This risk is returned when DNS traffic returns an unexpected/obsolete record type.

NDPI_TLS_MISSING_SNI

TLS needs to carry the the SNI of the remote server we’re accessing. Unfortunately SNI is optional in TLS so it can be omitted. In this case this risk is triggered as this is a non-standard situation that indicates a potential security problem or a protocol using TLS for other purposes (or a protocol bug).

NDPI_HTTP_SUSPICIOUS_CONTENT

HTTP only: risk reported when HTTP carries content in expected format. Example the HTTP header indicates that the context is text/html but the real content is not readeable (i.e. it can transport binary data). In general this is an attempt to use a valid MIME type to carry data that does not match the type.

NDPI_RISKY_ASN

This is a placeholder for traffic exchanged with ASN that are considered risky. nDPI does not fill this risk that instead should be filled by aplications sitting on top of nDPI (e.g. ntopng).

NDPI_RISKY_DOMAIN

This is a placeholder for traffic exchanged with domain names that are considered risky. nDPI does not fill this risk that instead should be filled by aplications sitting on top of nDPI (e.g. ntopng).

NDPI_MALICIOUS_JA3

JA3 is a method to fingerprint TLS traffic. This risk indicates that the JA3 of the TLS connection is considered suspicious (i.e. it has been found in known malware JA3 blacklists). nDPI does not fill this risk that instead should be filled by aplications sitting on top of nDPI (e.g. ntopng).

NDPI_MALICIOUS_SHA1_CERTIFICATE

TLS certificates are uniquely identified with a SHA1 hash value. If such hash is found on a blacklist, this risk can be used. As for other risks, this is a placeholder as nDPI does not fill this risk that instead should be filled by aplications sitting on top of nDPI (e.g. ntopng).

NDPI_DESKTOP_OR_FILE_SHARING_SESSION

This risk is set when the flow carries desktop or file sharing sessions (e.g. TeamViewer or AnyDesk just to mention two).

NDPI_TLS_UNCOMMON_ALPN

This risk is set when the ALPN (it indicates the protocol carried into this TLS flow, for instance HTTP/1.1) is uncommon with respect to the list of expected values.

NDPI_TLS_CERT_VALIDITY_TOO_LONG

From 01/09/2020 TLS certificates lifespan is limited to 13 months. This risk is triggered for certificates not respecting this directive.

NDPI_TLS_SUSPICIOUS_EXTENSION

This risk is triggered when the domain name (SNI extension) is not printable and thus it is a problem.

NDPI_TLS_FATAL_ALERT

This risk is triggered when a TLS fatal alert is detected in the TLS flow. See this page for details.

NDPI_SUSPICIOUS_ENTROPY

This risk is used to detect suspicious data carried in ICMP packets whose entropy (used to measure how data is distributed, hence to indirectly guess the type of data carried on) is suspicious and thus that it can indicate a data leak.

NDPI_CLEAR_TEXT_CREDENTIALS

Clear text protocols are not bad per-se, but they should be avoided when they carry credentials as they can be intercepted by malicious users. This risk is triggered whenever clear text protocols (e.g. FTP, HTTP, IMAP…) contain credentials in clear text (read it as nDPI does not trigger this risk for HTTP connections that do not carry credentials).

NDPI_DNS_LARGE_PACKET

DNS packets over UDP should be limited to 512 bytes. DNS packets over this threshold indicate a potential security risk (e.g. use DNS to carry data) or a misconfiguration.

NDPI_DNS_FRAGMENTED

UDP DNS packets cannot be fragmented. If so, this indicates a potential security risk (e.g. use DNS to carry data) or a misconfiguration.

NDPI_INVALID_CHARACTERS

The risk is set whenever a dissected protocol contains characters not allowed in that protocol field. For example a DNS hostname must only contain a subset of all printable characters or else this risk is set. Additionally, some TLS protocol fields are checked for printable characters as well.