ELLIO for ntopng: HowTo Prevent CyberAccidents Using Blacklists


Time is one of the main problems in cybersecurity: detecting an issue after it has happened costs money and resources to restore the affected system. Network traffic monitoring tools aim to show what is happening on a network. Traditionally, monitoring protocols such as IPFIX/NetFlow export their data periodically and often limit their analysis to the protocol header, so the flow collector is partially blind: it learns about an event only after it has happened, and with limited contextual information. ntop tools instead operate in real time on pre-labelled information, thanks to nDPI, which marks flows with a cyberscore and risk information.

However, with this approach we are real-time but still late, because the goal is to prevent accidents at the first packet received. In other words, when host X contacts our network we do not want to wait until X does something wrong before labelling it an "attacker" and blocking it: we want to block it before it can reach our network at all. Traditionally many people use IDSs (Intrusion Detection Systems) for this purpose, but they are effective only as long as they have a signature for the threat (what about zero-day attacks?), and even when they operate in real time they can block X only after it has already created a problem.

At ntop we have spent the last couple of years studying how blacklists can be used to mitigate this problem, and we’re happy to announce that we have teamed up with ELLIO, a Czech cybersecurity company active in threat prevention, for the purpose of extending ntop tools with ELLIO blacklists. We’ve used them for more than one year on production networks, and verified that they are really effective, for both incident prevention and traffic analysis.

Inside ntopng we have integrated the ELLIO community feed, a free (for non-commercial use) and effective blacklist, updated daily, containing a long list (~220k IPs as of today) of low-reputation IPs.

For professionals, ELLIO has created a special blacklist for ntopng that is updated every 5 minutes and contains the malicious IPs used for mass exploitation, botnets, generic attacks, and other malicious activities that hit your network. Using this feed with ntopng you can be promptly alerted when a suspicious IP contacts your network, or you can block all these attacks if you use ntopng Edge.
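The matching logic that such a feed enables, as an added illustration in Python (not ntopng's or ELLIO's own code): a blocklist is parsed, flow records are checked against it as soon as they are seen, and an alert records whether the listed address was the client (inbound) or the server (outbound). The feed format (one IP or CIDR prefix per line, `#` comments), the sample entries and the sample flows are all constructed for this example and use documentation/test address ranges; the 5-minute refresh interval is the one stated above for the professional feed.

```python
"""Added example (not ntopng/ELLIO code): match flow records against an IP
blocklist and raise an alert on the first packet of a listed host."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample blocklist in the one-entry-per-line style most IP feeds
# use (an assumption about the format); plain addresses and CIDR prefixes are
# accepted, '#' starts a comment. Addresses are documentation ranges only.
SAMPLE_BLOCKLIST = """\
# constructed sample feed
203.0.113.7
198.51.100.0/24
2001:db8:bad::/48
"""

# Constructed sample flows as (client_ip, server_ip, proto, server_port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.25", "tcp", 443),        # internal <-> internal
    ("203.0.113.7", "192.0.2.25", "tcp", 22),        # listed client -> our SSH
    ("192.0.2.11", "198.51.100.99", "tcp", 80),      # our host -> listed server
    ("2001:db8:bad::1", "2001:db8:1::5", "udp", 53), # listed IPv6 client -> our DNS
    ("192.0.2.12", "192.0.2.13", "udp", 123),
]

REFRESH_INTERVAL_S = 5 * 60  # the professional feed is updated every 5 minutes


@dataclass(frozen=True)
class Alert:
    direction: str   # "inbound": listed client, "outbound": listed server
    listed_ip: str
    entry: str       # the blocklist entry that matched
    flow: tuple


class Blocklist:
    """Parsed IP blocklist with exact-address and prefix lookups."""

    def __init__(self, text: str, loaded_at: float = 0.0):
        self.exact: set = set()     # single addresses, O(1) lookup
        self.prefixes: list = []    # CIDR prefixes, scanned linearly
        self.loaded_at = loaded_at
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            net = ipaddress.ip_network(line, strict=False)
            if net.num_addresses == 1:
                self.exact.add(net.network_address)
            else:
                self.prefixes.append(net)

    def match(self, ip: str) -> Optional[str]:
        """Return the matching entry, or None if the address is not listed."""
        addr = ipaddress.ip_address(ip)
        if addr in self.exact:
            return str(addr)
        for net in self.prefixes:
            if addr in net:  # an IPv4/IPv6 version mismatch simply yields False
                return str(net)
        return None

    def is_stale(self, now: float) -> bool:
        """True when the feed should be re-downloaded (older than 5 minutes)."""
        return now - self.loaded_at >= REFRESH_INTERVAL_S


def check_flows(blocklist: Blocklist, flows) -> list:
    """Return one Alert per flow whose client or server address is listed.

    Checking a flow when its first packet is seen is what lets a blocking
    deployment drop the connection before any payload is exchanged.
    """
    alerts = []
    for flow in flows:
        client, server = flow[0], flow[1]
        entry = blocklist.match(client)
        if entry:
            alerts.append(Alert("inbound", client, entry, flow))
            continue
        entry = blocklist.match(server)
        if entry:
            alerts.append(Alert("outbound", server, entry, flow))
    return alerts


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_BLOCKLIST)
    for a in check_flows(bl, SAMPLE_FLOWS):
        print(f"{a.direction:8s} {a.listed_ip} matched {a.entry}: {a.flow}")
```

Running the block reports three of the five sample flows: the listed IPv4 client reaching SSH, an internal host talking to a server inside a listed /24, and the listed IPv6 client reaching DNS. The outbound case is worth keeping: a listed address that one of your own hosts connects to is just as much an indicator as an inbound scanner, and a feed refreshed every five minutes only helps if the loader actually reloads it, which is what `is_stale` is for.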

Enjoy!