Subnets
After spending a few hours issuing queries against tcpdump and trying to look at different statistics of the data, we decided to develop a parser that would take tcpdump output and put it into a MySQL[17] database. The parser can be found on the AfterGlow[14] Web page along with all the scripts to generate the graphs in this paper.
To further understand the environment we are dealing with, it helps to know which subnets sit behind each of the three devices. Figure 2.2 shows a communication graph in which all IP addresses are aggregated into class A networks. This gives us a first, rough understanding of the address spaces and the topology.
Figure 2.2: Topology showing IP subnets (circles, summarized in A classes) and their border devices (boxes). The arrows indicate the direction of traffic from the device. An arrow leaving a device (box) indicates that traffic targeted this subnet. An arrow entering a device (box) indicates traffic originating from this subnet (circle).
Looking at Figure 2.2, we see a few interesting things:
- 00:00:c0:6b:e9:c6 only shows packets that enter its network (arrows only point away from the device). This supports our finding that this machine is an end system. The mystery is that it has three different IP addresses.
- Some address spaces only show up as sources (red nodes), some only as destinations (white nodes), and most as both (blue nodes). This is interesting because we are looking at snort logs and would not expect rules to trigger for both incoming and outgoing traffic to and from the same subnets. Normally we would expect mainly incoming attack events from aggressors on the Internet.
- Some subnets on the external network only show up as targets (white nodes). That means snort either generated false alarms or internal machines are attacking the outside. In Section 3, we will further analyze this.
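The two steps described above, parsing tcpdump output into per-packet source/destination pairs and aggregating them into class A networks, followed by the red/white/blue classification used in Figure 2.2, as an added Python example. This is not the paper's own parser (which loads a MySQL database and drives AfterGlow); the tcpdump line layout of the constructed sample, the `/8` labels, and the two-column `source,target` CSV handed to AfterGlow are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's "src.port > dst.port" notation;
# they are not data from the paper. Each line is one captured packet.
SAMPLE_TCPDUMP = """\
10:01:02.000001 IP 10.4.5.6.3421 > 192.168.1.10.80: S 1:1(0) win 5840
10:01:02.000450 IP 192.168.1.10.80 > 10.4.5.6.3421: S 2:2(0) ack 2 win 5792
10:01:03.120000 IP 172.16.9.9.41000 > 192.168.1.10.22: S 3:3(0) win 5840
10:01:04.000000 IP 10.4.5.6.3422 > 203.0.113.7.445: S 4:4(0) win 5840
10:01:05.000000 IP 198.51.100.2.53 > 10.4.5.6.1025: 12345 1/0/0 A 203.0.113.9
"""

PKT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.\d+")

def class_a(ip: str) -> str:
    """Aggregate an address to its class A network (first octet), as Figure 2.2 does."""
    return ip.split(".")[0] + ".0.0.0/8"

def parse_flows(text: str) -> dict:
    """Return {(src_net, dst_net): packet_count} from tcpdump text, aggregated to /8."""
    flows = defaultdict(int)
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if not m:  # skip lines that carry no IP src/dst pair (ARP, truncated, ...)
            continue
        flows[(class_a(m.group(1)), class_a(m.group(2)))] += 1
    return dict(flows)

def classify_nodes(flows: dict) -> dict:
    """Colour each subnet node like Figure 2.2: red = only ever a source,
    white = only ever a destination, blue = seen as both."""
    sources = {s for s, _ in flows}
    targets = {t for _, t in flows}
    colours = {}
    for net in sources | targets:
        if net in sources and net in targets:
            colours[net] = "blue"
        elif net in sources:
            colours[net] = "red"
        else:
            colours[net] = "white"
    return colours

def to_afterglow_csv(flows: dict) -> str:
    """Emit one 'source,target' line per edge (assumed two-column AfterGlow input)."""
    return "\n".join(f"{s},{t}" for (s, t) in sorted(flows))
```

On the sample, 10/8 and 192/8 come out blue, 172/8 and 198/8 red (source only) and 203/8 white (target only), which is exactly the split the bullet points above reason about.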
Raffy
2004-12-20