Posted on 25-Sep-2020

Page 1: CURELAN TECHNOLOGY Co., LTD Flowviewer FM-800A · 8 IPS Weak Points (intranet to intranet) Most of the IPS products and software can defend attacks from “internet to intranet”

CURELAN TECHNOLOGY Co., LTD
Flowviewer FM-800A
www.CureLan.com

Page 2

FM-800A Main Functions

- Netflow or sFlow report functions (including P2P report).
- Worm Scan and P2P block functions.
- Able to automatically write the ACL or directly use the FM-800A to scan, detect and block worm IP.
- Contains the Traffic Quota function (IPv4 & IPv6) and traffic monitor search.

Page 3

FM-800A Main Functions

- Automatically detects and reports any UDP Flood and DOS relay attack.
- Automatically detects and reports SSH and RDP password scanning.
- Able to support IPv6.
- The Flowviewer device has both a Hardware and a Software Bypass function in Inline mode.

Page 4

Hacking Methods

1. SSH Route
2. RDP Route
3. Microsoft bugs, C++ bugs, Java bugs, etc. (This type of attack is unpreventable. You can only wait for an update to remove the bug.)

Page 5

Defense Methods

If a hacker uses the 3rd way to slip a virus onto your computer and disables the intranet, how can you defend yourself against an attack?

1. UDP Flood Attacks
2. DOS Relay Attacks

FM-800A supports the auto block function in UDP Flood attacks and DOS relay attacks.

Page 6

IPS Product Weak Points

Focuses on and supports the IPS product's weak point in order to prevent the unknown worm attack (the worm's pattern has not been recognized yet).

Ex: The Panda Burning Joss Sticks virus was popular in 2006-2007. The virus infected many computers and disabled numerous intranets around the world.

IPS: Intrusion Prevention System

Page 7

IPS Weak Points (Continued)

Whenever a PC is turned on, the worm has the ability to attack. The worm can also spread to other PCs and make a large number of sessions (flows) to disable the intranet.

If your PC contains a worm, how come your antivirus software cannot dispose of it?

First, worms and viruses have different patterns. The worm tends to make large numbers of sessions.

Second, some worm mutations are too quick to be found, while others can even shut down the antivirus software. That is why antivirus software cannot deal with worms.
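The behaviour this slide describes (a worm making a large number of sessions) and the SSH/RDP password-guess and UDP-flood cases the later function pages list can all be expressed as checks over exported flow records, which is what a behaviour-based detector does instead of matching a pattern. The following is an added example, not Curelan's code: the record layout, the 60-second window, the thresholds and every sample flow are constructed assumptions.

```python
"""NBAD-style detectors over NetFlow-like records (added example, not Curelan code).

The record layout, the thresholds and the sample flows below are all
assumptions constructed for this example; tune thresholds to your network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    packets: int   # packets in the flow


# Constructed sample: a worm-like scanner (10.0.0.7) touching 60 hosts on 445,
# an SSH password guesser (10.0.0.9), a UDP flooder (10.0.0.11) and one
# ordinary HTTPS client (10.0.0.3). All timestamps fall in one 60-second bucket.
SAMPLE_FLOWS = (
    [Flow(1020 + i, "10.0.0.7", f"10.0.1.{i}", "tcp", 445, 1) for i in range(60)]
    + [Flow(1020 + i, "10.0.0.9", "10.0.2.4", "tcp", 22, 3) for i in range(40)]
    + [Flow(1020 + i, "10.0.0.11", "203.0.113.5", "udp", 53, 2500) for i in range(8)]
    + [Flow(1025, "10.0.0.3", "10.0.2.10", "tcp", 443, 120),
       Flow(1030, "10.0.0.3", "10.0.2.10", "tcp", 443, 80)]
)


def worm_scan_sources(flows, window=60, min_targets=50):
    """Sources that open flows to >= min_targets distinct dst IP:port pairs
    inside one window. A worm fans out to many hosts quickly; a normal
    client talks to a handful. Returns {src: max distinct targets seen}."""
    targets = defaultdict(set)            # (src, bucket) -> {(dst, dport)}
    for f in flows:
        targets[(f.src, f.ts // window)].add((f.dst, f.dport))
    hits = {}
    for (src, _), t in targets.items():
        if len(t) >= min_targets:
            hits[src] = max(hits.get(src, 0), len(t))
    return hits


def password_guess_pairs(flows, ports=(22, 3389), window=60, min_attempts=30):
    """(src, dst, dport) with >= min_attempts separate short TCP flows to SSH
    or RDP inside one window: each failed login is usually its own short
    session, so a guesser shows up as many tiny flows to one service."""
    attempts = defaultdict(int)           # (src, dst, dport, bucket) -> flows
    for f in flows:
        if f.proto == "tcp" and f.dport in ports and f.packets <= 20:
            attempts[(f.src, f.dst, f.dport, f.ts // window)] += 1
    hits = {}
    for (src, dst, dport, _), n in attempts.items():
        if n >= min_attempts:
            hits[(src, dst, dport)] = max(hits.get((src, dst, dport), 0), n)
    return hits


def udp_flood_pairs(flows, window=60, min_packets=10000):
    """(src, dst) pairs sending >= min_packets UDP packets inside one window,
    the signature of a host being used as a UDP flood relay."""
    pkts = defaultdict(int)               # (src, dst, bucket) -> packets
    for f in flows:
        if f.proto == "udp":
            pkts[(f.src, f.dst, f.ts // window)] += f.packets
    hits = {}
    for (src, dst, _), n in pkts.items():
        if n >= min_packets:
            hits[(src, dst)] = max(hits.get((src, dst), 0), n)
    return hits


def suspicious_sources(flows):
    """Union of source IPs flagged by any detector, sorted; this is the list
    a blocker (ACL on the core switch, or the device itself) would consume."""
    srcs = set(worm_scan_sources(flows))
    srcs |= {src for src, _, _ in password_guess_pairs(flows)}
    srcs |= {src for src, _ in udp_flood_pairs(flows)}
    return sorted(srcs)


if __name__ == "__main__":
    print("worm scan:", worm_scan_sources(SAMPLE_FLOWS))
    print("password guess:", password_guess_pairs(SAMPLE_FLOWS))
    print("udp flood:", udp_flood_pairs(SAMPLE_FLOWS))
    print("to block:", suspicious_sources(SAMPLE_FLOWS))
```

None of the three detectors needs a signature: each keys on the shape of the traffic (fan-out, repeated short sessions to one login service, packet volume to one target), which is why an unknown worm still shows up. The fixed-width bucketing means a burst straddling a bucket boundary can be split and missed; a sliding window fixes that at the cost of more state, and the ordinary client in the sample shows the thresholds must sit well above normal fan-out for that network.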

Page 8

IPS Weak Points (intranet to intranet)

Most of the IPS products and software can defend attacks from "internet to intranet" and "intranet to internet". However, IPS products and software cannot protect against "intranet to intranet".

In the "intranet to intranet" situation, the hacker has a high chance to gain administrative privilege and control over the server and admin root. High-chance cases include users using Wi-Fi, USB, etc.

These are the problems with IPS and antivirus software.

Page 9

[Network diagram: Campus Network and Internet; Core Switch with Workgroup Switches below it and a DMZ holding the Mail Server and DNS/Web Server; the Flowviewer FM-800A is shown at numbered positions 1, 2 and 3, in Inline mode and SPAN mode. Infection paths marked "got a virus": Wi-Fi AP, USB, smartphone. Other defense layers shown: Anti-Virus S/W, End to End S/W, IPS/IDS/UTM.]

Using a three-layer structure to solve the problem of attack and protect permission.

Page 10

Comparison Chart between Flowviewer, IPS and Spyware

Type | Flowviewer | IPS | spyware
Installation Type | In-line / Listen | In-line | Each PC
Default Type | NBAD (Network Behavior Abnormal Detection) | Pattern | Pattern
When the Intranet is being attacked | Uses NBAD to automatically find and block the attack by writing ACL to core switch or the FM-800A itself. | Only focuses on "Intranet to Internet". Cannot find the attack from the Intranet. | It can only be used by pattern. If pattern updates too fast or the worm is unknown, then it is useless.
Flow, IP, Port Traffic Quota Search and Report | Internet to Intranet; Intranet to Internet; Intranet to Intranet | Only focus on "Inter to Intra" and sometimes "Intra to Inter" | X

Page 11

Comparison Chart between FM-800A, IPS and Spyware

Type | Flowviewer | IPS | spyware
IP/Port Search at any time | We can focus on the times of Source IP, Destination IP, Protocol, Source Port, Destination Port, flow direction | X | X
P2P Types | 14 types include 24 programs (even if those programs update, we can still find and block them) | Uses patterns for defense. If the P2P programs update, the IPs can't be blocked successfully. | X
Processor Speed | 6 seconds (30Mbps ~ 3Gbps) | > 20 minutes (30Mbps) | X

Page 12

Introduce product: Major functions

- Quota Management function and current traffic monitor.
- Peer-to-peer (P2P) filter.
- P2P Report.
- Netflow or sFlow traffic report.
- Worm detection (NBAD).
- Automatic block of infected IPs from L3 Switch by ACL (for Cisco, Foundry, Alcatel, Extreme) or automatic block by Flowviewer.
- SSH Password Guess Attacks Report.
- RDP Password Guess Attacks Report.
- List of Possible UDP Flood Attacks Report.
- SSH Password Guess Detection and Blocking. Blocking method: block by Flowviewer.
- RDP Password Guess Detection and Blocking. Blocking method: block by Flowviewer.
- UDP Flood Detection and Blocking. Blocking method: apply ACL command to core switch.

Page 13

Introduction of traffic quota control

On a campus, this function may be used to control the network traffic of the dorms. For a government or enterprise, the function can limit network traffic according to position. Therefore, those people who really need it can get more network bandwidth.

When a user's quota is exceeded, the quota manager can: (1) Block (block the user's IP address). (2) Bandwidth limit (rate limit). PS: bandwidth limit and block IP can exist at the same time.

Increasing the bandwidth cannot solve network traffic problems.
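The quota logic above (count a user's traffic for the period; once the quota is exceeded, either block the IP or rate-limit it) is small enough to show end to end. The following is an added example, not Curelan's code: the policy shape, the single enforcement action per policy, the byte accounting and the two sample users are constructed assumptions.

```python
"""Per-IP traffic quota manager (added example, not Curelan code).

The policy shape, byte counting and the sample users below are assumptions
constructed for this example.
"""
from dataclasses import dataclass, field

ACTIONS = ("block", "rate_limit")


@dataclass
class QuotaPolicy:
    limit_bytes: int            # quota for the accounting period
    action: str                 # one enforcement action per policy (assumption)
    rate_limit_kbps: int = 0    # only used when action == "rate_limit"

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "rate_limit" and self.rate_limit_kbps <= 0:
            raise ValueError("rate_limit needs a positive rate_limit_kbps")


@dataclass
class QuotaManager:
    policies: dict                                   # ip -> QuotaPolicy
    usage: dict = field(default_factory=dict)        # ip -> bytes this period
    enforced: dict = field(default_factory=dict)     # ip -> decision in force

    def account(self, ip, up_bytes, down_bytes):
        """Add one flow's bidirectional byte count and return the decision
        for ip: ("allow", None), ("block", ip) or ("rate_limit", kbps)."""
        policy = self.policies.get(ip)
        if policy is None:                           # no quota configured
            return ("allow", None)
        used = self.usage.get(ip, 0) + up_bytes + down_bytes
        self.usage[ip] = used
        if used <= policy.limit_bytes:
            return ("allow", None)
        if policy.action == "block":
            decision = ("block", ip)
        else:
            decision = ("rate_limit", policy.rate_limit_kbps)
        self.enforced[ip] = decision                 # stays until the period resets
        return decision

    def remaining(self, ip):
        """Bytes left before enforcement, or None when ip has no quota."""
        policy = self.policies.get(ip)
        if policy is None:
            return None
        return max(policy.limit_bytes - self.usage.get(ip, 0), 0)

    def reset_period(self):
        """Start a new accounting period (e.g. daily): usage and decisions clear."""
        self.usage.clear()
        self.enforced.clear()


# Constructed sample: a dorm PC with a 1 GB daily quota that gets blocked,
# and an office PC that only gets rate-limited to 512 kbps.
MB = 1_000_000
SAMPLE_POLICIES = {
    "10.0.5.21": QuotaPolicy(limit_bytes=1000 * MB, action="block"),
    "10.0.8.40": QuotaPolicy(limit_bytes=2000 * MB, action="rate_limit", rate_limit_kbps=512),
}


def run_sample():
    """Walk the two users through a day and return their decisions."""
    qm = QuotaManager(SAMPLE_POLICIES)
    dorm_first = qm.account("10.0.5.21", 100 * MB, 600 * MB)   # 700 MB: allowed
    dorm_second = qm.account("10.0.5.21", 50 * MB, 400 * MB)   # 1150 MB: blocked
    office = qm.account("10.0.8.40", 500 * MB, 1800 * MB)       # 2300 MB: limited
    remaining = qm.remaining("10.0.5.21")
    qm.reset_period()
    after_reset = qm.account("10.0.5.21", 0, 10 * MB)           # new day: allowed
    return dorm_first, dorm_second, office, remaining, after_reset


if __name__ == "__main__":
    print(run_sample())
```

The decision is returned to the caller rather than applied here, because enforcement happens elsewhere (an ACL on the switch for a block, a shaper for a rate limit); keeping the two separate makes it easy to log every decision and to audit why a user was cut off.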

Page 14

Traffic Monitor Function introduction

Traffic Monitor can monitor current traffic, including total up/down/bi-direction traffic, current up/down/bi-direction speed and peak up/down/bi-direction speed.

Page 15

P2P function (Inline Mode)

The P2P filter function uses patterns to recognize P2P traffic, including BitTorrent, Apple Juice, PPS and instant messaging.

Using peer-to-peer (P2P) software usually involves a tort. Especially on campus, students use peer-to-peer (P2P) to download illegal software. Therefore, administrators are always disturbed to receive investigation notices from the police. On the other hand, in government and enterprise, using peer-to-peer software also reduces intranet efficacy.

Page 16

P2P Report

Only Flowviewer FM-200A/600A/800A have this feature.

This feature provides a report of the users that are using P2P software. Only the Flowviewer series has the P2P Report function; other similar products just have the peer-to-peer (P2P) filter function.

Some users still keep using peer-to-peer software; they usually disregard that P2P software is not allowed to be downloaded. Thus, the P2P Report function lets the administrator know who is using the peer-to-peer (P2P) software.

Page 17

Netflow or sFlow traffic report

In particular, the Realtime Query function can track the history and criminal records of certain IPs that the administrator wants. Any department needs this function.

Any product that is equipped with this function is extremely expensive; the Flowviewer series offers not only a better price but also better performance.

Page 18

Real-time Query

The query result from May 22, 2013 11:00 to May 22, 2013 17:30 with source IP 140.xxx.xxx.5. Next, zoom in on 66.249.77.225.

Page 19

Zoom in: 321 flows result

The destination IP (66.249.77.225) zoom-in result.

Page 20

Support IPv6

Page 21

Support IPv6

Page 22

Hacker Attacks

Hacker attacks include Worm, SSH Password Guess Attacks, RDP Password Guess Attacks, UDP Flood Attacks, DOS Relay Attacks, etc. Of these, the RDP Password Guess Attacks detection function is unique and available only in Flowviewer. This unique function is the work of Curelan Company after discovering that most hackers use this route to insert Trojan horses.

The difference between Flowviewer and IPS (Intrusion Prevention System)?

IPS (Intrusion Prevention System) needs updates of its virus code (pattern), but Flowviewer uses Network Behavior Anomaly Detection (NBAD) and therefore does not require any updates.

Page 23

Exclusive technology: RDP Attacks

On 2012/6/4, the RDP Attack detect function detected the hacker from 222.133.38.22 (Src IP) wanting to break into 140.XXX.101.4 (Dst IP). (FM-200A does not include this function, FM-600A has the detect function but no block function, FM-800A has both detect and block functions.)

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer. Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS X, Android, and other modern operating systems.

Page 24

Spear Phishing has no solution

Vulnerable targets for hackers include government agencies, private companies, educational institutes and military units.

No defensive product in the world can ever protect one from all attacks; for example, a Trojan horse attached during Spear Phishing or a P2P download is unsolvable. Luckily, server equipment does not receive and send mails or use P2P download automatically, therefore any action of this kind is from a personal computer. Most hackers hack into one computer and use the intranet to attack other IPs until they find the server equipment IP that allows access to confidential data. This IP could also become a relay attack to other external Botnets.

Page 25

Hacker steals confidential data of file server
Flowviewer has a solution

Most intranet attacks go through the RDP route. The Flowviewer system can detect and automatically send ACLs (Access Control List Entries) to the Core Switch (Layer 3) to prevent the attack. As seen below in the List of Possible RDP Attacks report, numbers 3, 5, 6 and 7 are the intranet attacks described. Maybe numbers 3, 5, 6 and 7 are Spear Phishing attacks from the intranet.

Page 26

SSH Password Guess Attacks Report

Hacker attacks go through the SSH route. The Flowviewer system can detect and automatically send ACLs (Access Control List Entries) to the Core Switch (Layer 3) to prevent the attack. As seen below: List of Possible SSH Attacks report.

Page 27

Hackers relay attack

UDP Flood attacks are currently the most efficient method of paralyzing websites or specific IPs. As seen below, this unit has been relayed to attack external IP 202.76.238.123. 140.xxx.xxx.239 is an internal IP.

Page 28

Flowviewer FM-800A can block automatically

Flowviewer FM-800A can automatically stop the SSH Password Guess Attacks, RDP Password Guess Attacks, UDP Flood Attacks and DOS Relay Attacks by sending ACLs (Access Control List Entries) to the Core Switch (Layer 3). As we can see, the target companies include Cisco, Foundry, Alcatel and Extreme, etc.
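The blocking step on the last few pages is "send ACL entries to the Layer 3 core switch". The slides do not show what is actually pushed, so the following is an added example, not Flowviewer's code: it generates standard Cisco IOS named extended ACL lines for the Cisco case only (Foundry, Alcatel and Extreme use different syntax), with the ACL name, the protected addresses and the sample entries as constructed assumptions.

```python
"""Cisco IOS ACL generation for a block list (added example, not Flowviewer's code).

Uses standard IOS named extended ACL syntax (Cisco only). The ACL name, the
protected address set and the sample entries are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_NAME = "FLOWVIEWER-BLOCK"      # assumed name
# Constructed: addresses that must never be denied (core switch management IP,
# the monitoring device itself). A bad ACE here can cut off the switch.
PROTECTED = {"10.0.0.1", "10.0.0.2"}


@dataclass(frozen=True)
class BlockEntry:
    src: str                       # offending source IP
    reason: str                    # detector that fired, goes into a remark
    dst: Optional[str] = None      # limit the deny to one target, else any
    proto: str = "ip"              # "ip", "tcp" or "udp"


def is_blockable(ip):
    """True for a single IPv4 host address that is not protected; prefixes,
    IPv6 (IOS uses a different ACL family) and garbage return False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and ip not in PROTECTED


def validate(entry):
    if not is_blockable(entry.src):
        raise ValueError(f"refusing to build an ACE for {entry.src!r}")
    if entry.proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported protocol {entry.proto!r}")
    if entry.dst is not None and ipaddress.ip_address(entry.dst).version != 4:
        raise ValueError(f"destination must be IPv4, got {entry.dst!r}")


def ace(entry):
    """One access-control entry, without the 'no' prefix."""
    dst = "any" if entry.dst is None else f"host {entry.dst}"
    return f"deny {entry.proto} host {entry.src} {dst}"


def build_block_config(entries):
    """Full ACL body: remark + deny per entry, then permit the rest. Applying
    the ACL to an interface is a separate step done by the operator."""
    lines = [f"ip access-list extended {ACL_NAME}"]
    for e in entries:
        validate(e)
        lines.append(f" remark blocked: {e.src} ({e.reason})")
        lines.append(f" {ace(e)}")
    lines.append(" permit ip any any")
    return lines


def build_unblock_config(entries):
    """Remove the matching ACEs again once the host is cleaned."""
    lines = [f"ip access-list extended {ACL_NAME}"]
    for e in entries:
        validate(e)
        lines.append(f" no {ace(e)}")
    return lines


# Constructed sample block list, one entry per detector type.
SAMPLE_ENTRIES = [
    BlockEntry("10.0.0.7", "worm scan"),
    BlockEntry("10.0.0.9", "ssh password guess", dst="10.0.2.4", proto="tcp"),
    BlockEntry("10.0.0.11", "udp flood relay", dst="203.0.113.5", proto="udp"),
]

if __name__ == "__main__":
    print("\n".join(build_block_config(SAMPLE_ENTRIES)))
    print("\n".join(build_unblock_config(SAMPLE_ENTRIES)))
```

Two details matter in practice: the trailing `permit ip any any` is what keeps an automatically pushed ACL from blackholing everything else on the interface, and the protected-address check guards against a detector result that would lock the operator out of the switch. The unblock path is as important as the block path, since an ACL that is only ever appended to grows until it is unreadable.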

Page 29

Built-in standard features and functionality difference table

Flowviewer Type | FM-200A/AS | FM-600A/AS | FM-800A
peer-to-peer (P2P) filter | Yes | Yes | Yes
P2P Report | Yes | Yes | Yes
Quota Management function and current traffic monitor | Yes | Yes | Yes
Netflow or sFlow traffic report | Yes | Yes | Yes
worm detection (NBAD) | Yes | Yes | Yes
Automatic block infected IPs from L3 Switch by ACL | Yes | Yes | Yes
SSH Password Guess Attacks Report | No | Yes | Yes
RDP Attack Report | No | Yes | Yes
Automatic block SSH Password Guess Attacks | No | No | Yes
Automatic block RDP Attacks | No | No | Yes
UDP Flood Attack Detection Report | No | Yes | Yes
Automatic block UDP Flood Attack Detection | No | No | Yes
Public Report (Hyperlinks) | Yes | Yes | Yes

Page 30

Telecom Solutions

Most telecom companies provide an IDC (Internet Data Center), and the IDC service provides customer websites the ability to detect DDoS (Distributed Denial of Service) attacks. Therefore, detecting UDP Flood Attacks becomes the most important function. Flowviewer FM-800A has the ability to accurately detect the hacker's IP and send ACLs (Access Control List Entries) to the Core Switch (Layer 3), which cuts off UDP Flood Attacks and prevents the IDC (Internet Data Center) customer website or business application server from being paralyzed.

Page 31

UDP Flood Attacks, real case

Below is a successful example of Flowviewer FM-800A detecting the attack from external IP (140.xxx.xxx.183) to a university in Taiwan.

If a telecom company has Flowviewer FM-800A, this device can protect IDC clients and rescue them from hacker attacks.

Page 32

Our reference sites

Important Customer: National Center for High-Performance Computing
- Main Service: Cross-Campus WLAN Roaming Mechanism.
- Our Product, Flowviewer, uses the netflow traffic report feature to trace IPs that are controlled by a Botnet and notify the administrators in charge of the IP address.

School: National Chung Hsing University (NCHU), National Kaohsiung Marine University, National Pingtung University of Science & Technology, I-Shou University, National University of Tainan, National Taichung University, WuFeng University, Nanya Institute of Technology, Ling Tung University, National Taichung Nursing College

Military: Chung Cheng Armed Preparatory School, National Defense University, R.O.C. Military Academy

Government: Kaohsiung City Government, Taitung County Government, Financial Supervisory Commission, Financial Examination Bureau

Other: Show Chwan Memorial Hospital, Mega International Commercial Bank, Fist

Page 33

Customers

Page 34

Demo site for Flowviewer FM-800A device

http://140.130.102.146

Account: guest

Password: 1234

Page 35

Contact us

Office: 15F-1, No. 255, Jiuru 2nd Rd., Sanmin District, Kaohsiung City 807, Taiwan (R.O.C.)
TEL: +886-7-311-5186
FAX: +886-7-311-5178
Email: [email protected]
[email protected]
[email protected]
Website: www.curelan.com