All Blog Posts

PF_RING

Introducing PF_RING ZC support for Intel E810-based 100G adapters

Last year Intel announced a new family of 100 Gigabit network adapters, code-name Columbiaville. These new adapters, based on the new Intel Ethernet Controller E810, support 10/25/50/100 Gbps link speeds and provide programmable offload capabilities. The 800 Series adapters implement new features to improve connectivity, storage protocols and programmability, also thanks to the Dynamic Device Personalization (DDP) technology, which adds a programmable packet-processing pipeline. In fact, with DDP, a parser embedded in the controller can parse custom protocols on behalf of the software and manipulate outgoing packets, paving the way to …
Cybersecurity

How to Detect Domain Hiding (a.k.a. Domain Fronting)

Domain fronting is a technique that was used in the 2010s by mobile apps to attempt to bypass censorship. The technique relies on a legitimate "front" domain that basically acts as a pivot for the forbidden domain. In essence, an attacker performs an HTTPS connection in which the DNS lookup (used to resolve the domain name) and the TLS SNI carry the legitimate domain name, whereas the "Host" header inside the encrypted HTTP request names the forbidden domain. Recently at DEF CON 28 a new tool named Noctilucent has been …
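The mismatch described above is the whole signal: the name presented in the TLS SNI and the name in the HTTP Host header disagree. The following is an added example written for this page (it is not ntop's or nDPI's code) showing how a TLS-terminating proxy or CDN edge, which sees both the SNI and the decrypted request head, would flag a fronted request. Everything in it is constructed: the request samples are not captured traffic, and the observer is assumed to already have the SNI string from the ClientHello.

```python
"""Added example: flag HTTPS requests whose TLS SNI and HTTP Host disagree.

Illustrative code for this page, not ntop's own implementation. It assumes
the observer sits where both the TLS SNI and the decrypted HTTP request head
are visible (TLS-terminating proxy, CDN edge); on the wire the Host header
travels inside the encrypted channel and cannot be read passively.
"""
from typing import Optional
from urllib.parse import urlsplit


def normalize_host(name: str) -> str:
    """Lower-case, strip a trailing dot and an explicit port (host:443)."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("["):                 # IPv6 literal such as [::1]:443
        bracket = name.find("]")
        return name[: bracket + 1] if bracket != -1 else name
    host, _, port = name.rpartition(":")
    if host and port.isdigit():
        return host
    return name


def http_authority(request_head: bytes) -> Optional[str]:
    """Return the authority of an HTTP/1.x request head, or None.

    An absolute-form request target (GET https://x/ HTTP/1.1) takes
    precedence over the Host header, as RFC 7230 section 5.4 requires.
    """
    lines = request_head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    target = request_line[1] if len(request_line) >= 2 else ""
    if target.startswith("http://") or target.startswith("https://"):
        return urlsplit(target).netloc
    for line in lines[1:]:
        if not line:                         # end of headers
            break
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "host":
            return value.strip()
    return None


def is_fronted(sni: str, request_head: bytes) -> bool:
    """True when the inner Host is not the name presented in the TLS SNI.

    Any disagreement (including sub-domain differences) is reported; known
    legitimate pairs should be allow-listed explicitly by the operator.
    """
    host = http_authority(request_head)
    if host is None:                         # HTTP/1.0 without Host: nothing to compare
        return False
    return normalize_host(host) != normalize_host(sni)


# Constructed samples (not captured traffic); the domain names are RFC 2606 examples.
FRONTED_REQUEST = (b"GET /beacon HTTP/1.1\r\n"
                   b"Host: forbidden.example.org\r\n"
                   b"User-Agent: curl/7.68.0\r\n\r\n")
HONEST_REQUEST = b"GET / HTTP/1.1\r\nHost: Allowed.Example.com:443\r\n\r\n"
ABSOLUTE_REQUEST = (b"GET https://forbidden.example.org/ HTTP/1.1\r\n"
                    b"Host: allowed.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("fronted", FRONTED_REQUEST), ("honest", HONEST_REQUEST),
                        ("absolute-form", ABSOLUTE_REQUEST)):
        print(label, "->", is_fronted("allowed.example.com", head))
```

Note that this only works where the request head is in the clear. A purely passive sensor cannot read the Host header, which is exactly why the technique works against IP- and SNI-based blocking; there the detection has to move to the CDN operator or to behavioural analysis of the flow.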
n2n

Introducing n2n 2.8: Modern Crypto and Data Compression

This is to announce the release of n2n 2.8 stable. This release brings significant new features to n2n's crypto and adds data compression. Overall, n2n performance has been greatly enhanced, bandwidth usage is reduced thanks to data compression, and security is state of the art with the new crypto options. The added support for routing table manipulation might increase comfort. Besides further honing existing features, this release addresses some bugs. New features: two lightweight stream ciphers, ChaCha20 (optional, through OpenSSL) and SPECK (integrated); full header encryption (including packet checksumming as …
Cybersecurity

Mice and Elephants: HowTo Detect and Monitor Periodic Traffic

Most people are used to top-X views: top senders, top receivers, top protocols. So in essence they are looking for elephants. While this is good practice, mice are also very interesting, as they can often be hidden in the noise. In cybersecurity, noise is very good for attackers, who often try to hide in it in order to escape security controls. Much malware is programmed in a for-loop fashion: do a), do b), do c), then go back to a), in an infinite loop. In …
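A loop like the one above leaves a very regular trace: the same client contacts the same server at almost constant intervals, with far less bytes than any elephant. The block below is an added example for this page (not ntopng's implementation) that finds such "mice" by scoring the regularity of each client-to-server pair's inter-arrival times. The connection records are constructed for the example: one host beaconing roughly every 60 seconds with small jitter, and the same host browsing another server at irregular times.

```python
"""Added example: find periodic ("mouse") flows in a list of connection records.

Illustrative code for this page, not ntopng's own periodicity engine. It
assumes one record per connection attempt (timestamp_seconds, client, server,
port), as a flow exporter or a connection log would provide, and scores each
client->server->port triple by the coefficient of variation of its gaps.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not real traffic): a beacon every ~60 s with up to 2 s
# jitter to 203.0.113.9, plus irregular browsing to 198.51.100.20.
SAMPLE_RECORDS = [
    (t, "10.0.0.7", "203.0.113.9", 443)
    for t in [0, 61, 120, 182, 240, 299, 360, 421, 480, 540]
] + [
    (t, "10.0.0.7", "198.51.100.20", 443)
    for t in [3, 5, 40, 41, 42, 130, 300, 301, 600, 610]
]


def inter_arrivals(times):
    """Gaps between consecutive timestamps, in seconds."""
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]


def periodicity_score(times):
    """Coefficient of variation of the gaps: 0.0 means perfectly periodic.

    Returns None when fewer than three connections are available (a single
    gap says nothing about regularity) or when all gaps are zero.
    """
    gaps = inter_arrivals(times)
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    if mu == 0:
        return None
    return pstdev(gaps) / mu


def find_periodic_flows(records, max_cv=0.1, min_count=5):
    """Return {(client, server, port): (period_seconds, cv)} for regular flows.

    max_cv is the tolerated jitter relative to the period (10% by default);
    min_count avoids flagging a pair on two or three coincidental hits.
    """
    by_pair = defaultdict(list)
    for ts, client, server, port in records:
        by_pair[(client, server, port)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        cv = periodicity_score(times)
        if cv is not None and cv <= max_cv:
            hits[pair] = (mean(inter_arrivals(times)), cv)
    return hits


if __name__ == "__main__":
    for (client, server, port), (period, cv) in find_periodic_flows(SAMPLE_RECORDS).items():
        print(f"{client} -> {server}:{port} every {period:.1f}s (cv={cv:.3f})")
```

Real beacons add deliberate jitter, so the threshold is a trade-off: a tight max_cv misses malware that randomises its sleep, a loose one starts flagging legitimate pollers such as NTP or software update checks, which is why the result should be ranked and reviewed rather than blocked outright.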
News

July 16th and 24th: Community Meeting and Webinar Announcement

This month we'll meet our community at two different events: When: Thursday, July 16th, 16:00 CET / 10 AM EST. What: Live community meeting. Where: Discord. You can read more here on how to join the public ntop voice channel for this live event. Abstract: Recently we have started to use Discord as a platform for interacting with our community, in addition to Telegram. The advantage of Discord is the ability to combine text, voice and screen sharing, so we want to run an experiment: meet our users, discuss with them and provide support. …
nDPI

Introducing nDPI Risk Analysis for (Cybersecurity) Network Traffic Analysis (was Ripple20)

Earlier last month Ripple20 became popular as it listed some vulnerabilities found in a custom IP stack used by many IoT devices. Despite the hype around Ripple20, in essence the tool used to fingerprint vulnerable devices sends either malformed packets or valid ones carrying deprecated or obsolete values (still within the allowed range), which are easy to catch (see the Suricata and Zeek rules for detection). In essence, IDS rules/scripts check whether packets sent on the wire are valid or contain unexpected values used by …
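The check those rules perform is a plain header sanity check. Below is an added example for this page (not nDPI's risk engine and not the Ripple20 scanner) that validates an IPv4 header the way an IDS rule would: version and IHL, total length against the bytes on the wire, the header checksum, the reserved flag bit, and option kinds outside a small set still seen in legitimate traffic. The test packets are constructed with a small builder; the deprecated Stream ID option (kind 136, deprecated by RFC 6814) is used as the example of an "allowed but obsolete" value.

```python
"""Added example: sanity-check an IPv4 header the way an IDS rule would.

Illustrative code for this page; not nDPI's flow-risk engine nor the Ripple20
scanner. It assumes raw IPv4 packets without a link-layer header.
"""
import socket
import struct

# Option kinds still seen in legitimate traffic: end-of-list, no-op, router alert.
ALLOWED_OPTIONS = {0, 1, 148}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_risks(packet: bytes) -> list:
    """Return a list of risk strings; an empty list means the header looks well formed."""
    risks = []
    if len(packet) < 20:
        return ["truncated header"]
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if version != 4:
        risks.append("version %d is not 4" % version)
    if ihl < 20 or ihl > len(packet):
        return risks + ["invalid header length %d" % ihl]
    if total_len != len(packet):
        risks.append("total length %d != %d bytes on wire" % (total_len, len(packet)))
    if flags_frag & 0x8000:
        risks.append("reserved flag bit set")
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    if ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) != stored:
        risks.append("bad header checksum")
    i = 20                                   # walk the options area
    while i < ihl:
        kind = header[i]
        if kind == 0:                        # end of option list, rest is padding
            break
        if kind == 1:                        # no-op is a single byte
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            risks.append("malformed option %d" % kind)
            break
        if kind not in ALLOWED_OPTIONS:
            risks.append("unexpected option kind %d" % kind)
        i += header[i + 1]
    return risks


def build_ipv4(src: bytes, dst: bytes, payload=b"", options=b"", flags=0) -> bytes:
    """Construct a minimal IPv4 packet with a correct checksum (test fixture builder)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    head = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0x1234,
                       flags << 13, 64, 1, 0, src, dst) + options
    head = head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]
    return head + payload


# Constructed fixtures (not captured traffic).
SRC, DST = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
GOOD_PACKET = build_ipv4(SRC, DST, b"hello")
EVIL_BIT_PACKET = build_ipv4(SRC, DST, b"hello", flags=4)            # reserved bit 0x8000
STREAM_ID_PACKET = build_ipv4(SRC, DST, b"hello", options=b"\x88\x04\x00\x00")  # kind 136
BAD_CSUM_PACKET = GOOD_PACKET[:10] + bytes([GOOD_PACKET[10] ^ 0xFF]) + GOOD_PACKET[11:]
OVERSIZED_PACKET = GOOD_PACKET + b"!!"                                # total length too small

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("evil bit", EVIL_BIT_PACKET),
                      ("stream id", STREAM_ID_PACKET), ("bad csum", BAD_CSUM_PACKET),
                      ("oversized", OVERSIZED_PACKET)):
        print(name, "->", ipv4_risks(pkt) or "ok")
```

A packet failing any of these checks is not necessarily an attack, but a normal stack never emits them, which is what makes the scanner's probes stand out from the noise.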
n2disk

Howto Build a 100 Gbit (Drop-Free) Continuous Packet Recorder using n2disk [Part 3]

In the first post of this series (part 1) we described how to build a 2×10 Gbit continuous packet recorder using n2disk and PF_RING; in the second post (part 2) we described what hardware is required to scale from 10 Gbit to 100 Gbit. One more year has passed and we have gained more experience with 100 Gbit recording, so it is time to refresh the previous posts and share more information about the new capture and storage technologies and configurations needed to build a recorder able to dump 100+ Gbit line-rate small-packet traffic sustained …
nDPI

Howto Identify and Block Telegram-based Botnets

Botnets are a popular way to run malware on a network using the command-and-control paradigm. Popular protocols used by botnets include IRC and HTTP. Most IDSs can detect bots as long as they can inspect the network traffic. This leaves network administrators blind when bots move to encrypted, cloud-based protocols (i.e. ones you cannot block with a simple IP-based ACL). The popular Telegram messaging system allows people to create a bot in minutes, as shown in the code excerpt below.

bot = Bot(token)
def run():
    """ …
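Because the bot talks to Telegram's cloud over TLS, an IP ACL is useless, but the TLS handshake still carries a Server Name Indication. The block below is an added example for this page (it is not nDPI's Telegram dissector) that parses a TLS ClientHello, extracts the SNI and matches it against the Bot API host. It assumes the bot uses the HTTPS Bot API, which a Python bot like the excerpt above does via api.telegram.org; native Telegram clients speak MTProto, which has no SNI and needs a real DPI signature instead. The ClientHello used as input is constructed by a small builder, not captured.

```python
"""Added example: spot Telegram Bot API traffic from the SNI of a TLS ClientHello.

Illustrative code for this page, not nDPI's own Telegram dissector. Assumes
the bot uses the HTTPS Bot API (api.telegram.org); MTProto clients need DPI.
"""
import struct
from typing import Optional

BOT_API_HOSTS = {"api.telegram.org"}


def client_hello_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    # TLS record header: content type (0x16 = handshake), version, length
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg type (1 = ClientHello), 24-bit length
    if len(hs) < 4 or hs[0] != 1:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                                 # server_name extension
            # ServerNameList: list_len(2), then name_type(1) name_len(2) name
            if elen < 5 or pos + 5 > len(body) or body[pos + 2] != 0:
                return None
            nlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
        pos += elen
    return None


def is_bot_api_hello(record: bytes) -> bool:
    """True when the ClientHello's SNI names the Telegram Bot API host."""
    name = client_hello_sni(record)
    return name is not None and name.lower().rstrip(".") in BOT_API_HOSTS


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI (test fixture, not captured)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                    # version + all-zero random
            + b"\x00"                                  # empty session id
            + b"\x00\x02\x13\x01"                      # one cipher suite
            + b"\x01\x00"                              # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


TELEGRAM_HELLO = build_client_hello("api.telegram.org")
OTHER_HELLO = build_client_hello("www.example.com")

if __name__ == "__main__":
    for h in (TELEGRAM_HELLO, OTHER_HELLO):
        print(client_hello_sni(h), "->", "bot API" if is_bot_api_hello(h) else "other")
```

The same host is used by legitimate Telegram integrations, so a hit identifies a Bot API client, not a bot by itself; the decision to block it belongs in policy, and once Encrypted Client Hello is deployed this SNI-based check stops working and only behavioural analysis remains.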
ntop

ntop Tools Taxonomy

As people are sometimes confused about the various options the ntop tools offer, this post is an attempt to clarify them in a single page. Enjoy! …
nDPI

Why Traffic Behaviour Analysis is Good (was Encrypting TLS 1.3 Traffic)

In the latest nDPI meetup we discussed future directions, including extending the current encrypted traffic analysis features. Currently nDPI supports both fingerprinting and behaviour analysis of encrypted traffic to provide TLS traffic visibility. At ntop we have never liked fingerprinting techniques such as JA3, used by many popular IDSs and security tools, too much, simply because they often lead to false positives, making them a "nice to have" feature but nothing more than that. Recently the IETF has been designing a new TLS 1.3 extension named ECHO (Encrypted …
nDPI

How Lockdown Changed Corporate Internet Connectivity

Global lockdown has forced many people to work remotely: empty offices, everyone working from home until the emergency is over. In essence, during the lockdown remote workers used very few corporate services via VPN, with relatively light traffic (e.g. accounting), and the heavy videoconferencing traffic did not propagate into company networks, as modern videoconferencing solutions are all cloud based. So in essence moving to remote working has not put much pressure on corporate networks, beside the creation of VPN accounts or other limited changes. As you can …
Announce

Webinar: Network Monitoring in Post-Lockdown Days

This is to invite our community to a new webinar that will explain how we have enhanced ntopng to address the network monitoring challenges created by the global lockdown. In particular we will show how ntopng can be integrated with VPN and remote access systems, as well as with commercial firewalls and security devices, to create a single monitoring console able to offer visibility even when most users are roaming or working remotely. Those who have not attended the webinar can watch the recording below. International Edition Tuesday …