What’s New in ntopng: Periodic Activities (a.k.a. beaconing)!


Hello everybody!

Welcome back to the weekly blog post of this series, used to update you on the latest ntopng features and graphical changes. Please let us know your feedback!

Today we are going to talk about the Periodicity Map.

You are probably asking yourself what’s so bad about periodic activities, right? First of all, let’s take a look at the Periodicity Map and at the information it contains.

What we can see here is:

  • The last seen – the last time ntopng has observed the periodic activity (flow)
  • The quintuplet – used to identify the flow; it consists of the client IP, the server IP, the server port, the transport protocol and the application protocol
  • The number of observations – how many times the flow has been seen
  • The frequency of the observations – how often the flow recurs

Another important piece of information you can see on this page is which hosts most of the periodic flows are directed to.

What is nice here is that you can configure ntopng to send an alert whenever a new Periodic Activity shows up in the network, by enabling the corresponding alert as shown in the picture below.

Let’s jump back to the first question, what’s so bad about periodic activities?

There are many cases in which periodic activities are not legitimate or expected. This is for instance the case of BotNet activities (a BotNet is an overlay network of machines infected by malicious software and controlled as a group without the owners’ knowledge, e.g. to send spam or launch DDoS attacks).

A BotNet needs to constantly contact the infected hosts to check whether they are still available, or the infected hosts need to poll the controller for new commands, and this is where the Periodicity Map comes in handy. By spotting periodic flows in your network, ntopng is able to detect this kind of activity!
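To make the idea concrete, here is an added example (not ntopng code, and not how ntopng implements its Periodicity Map internally) that shows how periodic flows can be recognised from a list of flow records: flows are grouped by the quintuplet described above, the gaps between successive observations of each group are measured, and a group whose gaps are nearly constant is reported as periodic together with its last-seen time, observation count and period. The flow records, IP addresses and thresholds (`min_observations`, `max_jitter`) are constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not captured traffic). Each tuple is:
# (timestamp in seconds, client IP, server IP, server port, L4 protocol, L7 protocol)
SAMPLE_FLOWS = [
    # A check-in that recurs roughly every 60 s with a second or two of jitter
    (0,   "10.0.0.5", "203.0.113.10", 443, "TCP", "TLS"),
    (60,  "10.0.0.5", "203.0.113.10", 443, "TCP", "TLS"),
    (121, "10.0.0.5", "203.0.113.10", 443, "TCP", "TLS"),
    (180, "10.0.0.5", "203.0.113.10", 443, "TCP", "TLS"),
    (241, "10.0.0.5", "203.0.113.10", 443, "TCP", "TLS"),
    (300, "10.0.0.5", "203.0.113.10", 443, "TCP", "TLS"),
    # Interactive browsing: the same quintuplet, but at irregular times
    (5,   "10.0.0.7", "198.51.100.20", 443, "TCP", "HTTP"),
    (12,  "10.0.0.7", "198.51.100.20", 443, "TCP", "HTTP"),
    (90,  "10.0.0.7", "198.51.100.20", 443, "TCP", "HTTP"),
    (95,  "10.0.0.7", "198.51.100.20", 443, "TCP", "HTTP"),
    (400, "10.0.0.7", "198.51.100.20", 443, "TCP", "HTTP"),
    # Only two observations: not enough to call anything periodic
    (10,  "10.0.0.9", "192.0.2.30", 53, "UDP", "DNS"),
    (70,  "10.0.0.9", "192.0.2.30", 53, "UDP", "DNS"),
]


def group_by_quintuplet(flows):
    """Collect the observation timestamps of every flow quintuplet."""
    groups = defaultdict(list)
    for ts, client_ip, server_ip, server_port, l4, l7 in flows:
        groups[(client_ip, server_ip, server_port, l4, l7)].append(ts)
    return groups


def periodicity_stats(timestamps):
    """Describe one quintuplet: last seen, observation count, mean period and jitter.

    Jitter is the standard deviation of the inter-arrival gaps divided by the mean gap,
    so a value close to 0 means the flow recurs at an almost constant interval.
    The frequency of the observations is simply 1 / period_s.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    period = mean(gaps)
    jitter = pstdev(gaps) / period if period > 0 else float("inf")
    return {
        "last_seen": ts[-1],
        "observations": len(ts),
        "period_s": period,
        "jitter": jitter,
    }


def find_periodic_flows(flows, min_observations=3, max_jitter=0.1):
    """Return [(quintuplet, stats)] for every quintuplet that recurs at a stable interval."""
    periodic = []
    for key, stamps in group_by_quintuplet(flows).items():
        if len(stamps) < min_observations:
            continue  # two points always look "periodic"; require more evidence
        stats = periodicity_stats(stamps)
        if stats["jitter"] <= max_jitter:
            periodic.append((key, stats))
    return periodic


def top_servers(periodic):
    """Which servers the periodic flows are directed to, most frequent first."""
    return Counter(key[1] for key, _ in periodic).most_common()


def new_periodic_activities(already_known, periodic):
    """Quintuplets seen as periodic now but not before: the ones worth an alert."""
    return {key for key, _ in periodic if key not in already_known}


if __name__ == "__main__":
    found = find_periodic_flows(SAMPLE_FLOWS)
    for key, stats in found:
        print(key, stats)
    print("top servers:", top_servers(found))
    print("new activities:", new_periodic_activities(set(), found))
```

Only the TLS check-in from 10.0.0.5 is reported: its gaps are 60, 61, 59, 61 and 59 seconds, so the jitter is tiny, while the browsing flow has wildly varying gaps and the DNS pair is discarded for having too few observations. Tuning `max_jitter` trades false positives (legitimate schedulers such as software updaters are also periodic) against beacons that randomise their sleep interval.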

Awesome isn’t it? ;)