Setup and configuration of NetDetector is simple. Administrators turn on the device, configure the network settings, and the tool is ready to go. To test DDoS attacks, we configured a traffic threshold alert and launched an attack that exceeded that threshold against a system on the test network. NetDetector sent us an e-mail alert telling us about the possible attack. We then examined the packets to find the source of the attack.
NetDetector takes a three-step approach to DDoS attacks. First, using a Web interface, the administrator establishes policies for the traffic volume on the network. These can be based on historical data or on statistical analysis available from the Traffic Recorder on the NetDetector. Second, when NetDetector detects traffic exceeding the defined thresholds, it alerts the administrator via e-mail, screen alert, or SNMP trap. Third, an administrator can verify and investigate the attack using NetDetector's Traffic Analysis screen. The administrator can determine exactly what type of traffic is being launched against the network (such as UDP packets on port 80) and take appropriate action to defend against the attack.
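The three-step workflow described above, sketched as an added example (this is not NetDetector's code or interface). The packet records and baseline counts are constructed, and the mean-plus-three-standard-deviations rule is an assumption standing in for whatever statistical analysis the Traffic Recorder provides.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: packets seen per one-minute interval on a quiet network.
BASELINE_PPM = [980, 1010, 1005, 995, 1020, 990, 1000, 1015]


def build_sample():
    """Constructed capture: (minute, source, protocol, destination port)."""
    records = []
    for minute in range(3):
        # Normal load: about 1000 TCP/443 packets per minute from internal hosts.
        records += [(minute, "10.0.0.%d" % (i % 20 + 1), "TCP", 443)
                    for i in range(1000)]
    # Minute 2 also carries a flood of UDP packets on port 80.
    records += [(2, "198.51.100.%d" % (i % 5 + 1), "UDP", 80)
                for i in range(9000)]
    return records


def threshold_from_history(history, k=3.0):
    """Step 1: derive the policy threshold from historical volume (assumed rule)."""
    return mean(history) + k * pstdev(history)


def find_alerts(records, threshold):
    """Step 2: return the intervals whose packet count exceeds the threshold."""
    per_minute = Counter(r[0] for r in records)
    return sorted(m for m, n in per_minute.items() if n > threshold)


def breakdown(records, minute, top=3):
    """Step 3: rank traffic types and sources inside the alerting interval."""
    window = [r for r in records if r[0] == minute]
    by_type = Counter((r[2], r[3]) for r in window).most_common(top)
    by_source = Counter(r[1] for r in window).most_common(top)
    return by_type, by_source


if __name__ == "__main__":
    records = build_sample()
    limit = threshold_from_history(BASELINE_PPM)
    for minute in find_alerts(records, limit):
        by_type, by_source = breakdown(records, minute)
        print("ALERT minute %d: threshold %.0f exceeded" % (minute, limit))
        print("  traffic types:", by_type)
        print("  top sources:  ", by_source)
```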
In addition to its DDoS capabilities, administrators can establish alerts for almost any type of network connection and can monitor for IP address spoofing, port scans, host scans, and even unknown protocols. NetDetector can also be used to implement corporate policies. If the organization has a policy prohibiting large e-mail attachments, NetDetector can monitor SMTP traffic for large attachments. The same monitoring can be used with FTP connections.
Another option is to control Web connections. If your organization needs to control network bandwidth and utilization and wants to set a maximum number of open Web connections per employee, NetDetector can watch for this. Because it records all traffic, NetDetector is only limited by your creativity in creating alerts.
To test this feature, we configured the system to alert us whenever a port scan was detected. We then ran a port scan against a machine and received the e-mail alert we had requested. We also used the application reassembly feature to see the network traffic our port scan created. NetDetector allows you to play back the session of any TCP application (including SMTP, FTP, Telnet, and HTTP).
NetDetector is a versatile network analysis tool that can alert you to threats ranging from intrusions to DDoS attacks. It reduces investigation time for network and system attacks and should be considered for any environment under constant attack.