
Fight viruses and hack attacks with a network analyzer

Because firewalls and other security measures are not failsafe, you need additional tools. A network analyzer can help.

Charles Thompson

Because firewalls and other defensive security measures are not failsafe, you need additional tools to detect and respond to security breaches as they occur. A network analyzer can detect known (and even some unknown) virus attacks and make the cleanup process much more efficient.

A protocol analyzer shows you what is happening on your network by decoding the different protocols that devices on the network use to communicate and presenting the results in human-readable form. Most mature analyzers also include some statistical reporting functionality. The usefulness of such a tool for day-to-day troubleshooting is obvious; less obvious (and therefore underutilized) is how essential an analyzer becomes when responding to security threats such as hacker intrusions, worms, and viruses.

Every administrator of a corporate LAN of any size has already built defenses against hackers and virus attacks. Yet the viruses and hackers continue to get through. Why? Anti-virus software and intrusion-detection systems recognize known viruses and attacks by their signatures. Hackers and "script kiddies" read the same threat bulletins and Windows patches that you do, and are always looking for the next vulnerability. In short, the signature or patch for a new attack often arrives after the damage is already done.

Imported disks, deliberate actions by employees, and visitors bringing in infected laptops are some other weak spots in your security system that perimeter defenses alone cannot address. A good network analyzer can both help you detect when breaches have already occurred and make the cleanup and recovery far less painful once a breach has been identified.

For example, network administrator Mark Giorgis uses an Observer protocol analyzer made by Network Instruments to monitor the network at Long Beach Transit (LBT) in Long Beach, California. LBT provides transportation to over 27 million people annually. In 2003, LBT was hit with the W32 Welchia worm. The worm crippled the network, infecting about 75% of the systems. With his network analyzer, Giorgis quickly identified the infected systems, saving valuable time.

"I looked at Observer, looked at my Top Talkers, captured and decoded some packets, and bingo," said Giorgis. "With the packet decode screen, I quickly recognized a pattern of ascending values in the last octet of the destination IP address. This helped me identify which systems were infected."

Viruses and hacker attacks typically generate a recognizable pattern, or "signature," of packets. A network analyzer can identify these packets and alert the administrator to their presence on the network. Most analyzers let you define alarms that trigger when a particular pattern is seen, and many can be configured to send an e-mail or page when the alarm fires.

Viruses and worms, by their very nature, produce unusual levels of network traffic. A high rate of broadcast packets, or a particular server generating an unusual number of packets, shows up in the analyzer's long-term traffic record, letting the administrator follow up on suspicious traffic patterns.
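The two observations above, the Top Talkers view and the ascending-destination pattern Giorgis spotted in the Welchia decode, can be turned into a first-pass triage script. The following is an added example written for this article, not code from Network Instruments or from Observer; it works on a constructed list of packet records with hypothetical 10.0.0.0/8 addresses rather than a real capture, and the threshold of eight sequential packets is an assumption.

```python
from collections import Counter, defaultdict
from ipaddress import IPv4Address

# Constructed sample capture (hypothetical addresses), one tuple per packet:
# (source IP, destination IP, protocol). Two hosts, 10.0.5.17 and 10.0.5.42,
# behave like Welchia-style scanners, stepping the destination address up by
# one per packet; the remaining records are ordinary client/server traffic.
SAMPLE_CAPTURE = (
    [("10.0.5.17", f"10.0.6.{i}", "ICMP") for i in range(1, 41)]
    + [("10.0.5.42", f"10.0.9.{i}", "ICMP") for i in range(100, 130)]
    + [("10.0.5.3", "10.0.5.10", "TCP")] * 25      # workstation to file server
    + [("10.0.5.10", "10.0.5.3", "TCP")] * 25      # replies
    + [("10.0.5.8", dst, "TCP") for dst in         # a host browsing a few servers
       ("10.0.5.10", "10.0.7.200", "10.0.5.11", "10.0.9.4", "10.0.5.10")]
)


def top_talkers(packets, n=5):
    """Rank source hosts by packet count, the analyzer's 'Top Talkers' view."""
    return Counter(src for src, _dst, _proto in packets).most_common(n)


def longest_ascending_run(dsts):
    """Length in packets of the longest run in which each destination address
    is exactly one higher than the previous packet's destination. A result of
    one means no two consecutive packets were sequential; zero means no packets."""
    best = run = 1 if dsts else 0
    prev = None
    for dst in dsts:
        cur = int(IPv4Address(dst))          # compare as integers, so 10.0.0.255 -> 10.0.1.0 still counts
        run = run + 1 if prev is not None and cur == prev + 1 else 1
        best = max(best, run)
        prev = cur
    return best


def find_scanners(packets, min_run=8):
    """Return [(source, run_length)] for hosts whose destinations climb
    sequentially for at least min_run packets, longest run first."""
    by_src = defaultdict(list)
    for src, dst, _proto in packets:         # capture order is preserved per host
        by_src[src].append(dst)
    hits = [(src, longest_ascending_run(dsts)) for src, dsts in by_src.items()]
    return sorted(((s, r) for s, r in hits if r >= min_run), key=lambda h: -h[1])


def triage(packets, n=5, min_run=8):
    """Combine both views: for each top talker, its packet count and the
    length of its sequential scan if it was flagged, otherwise 0."""
    scanners = dict(find_scanners(packets, min_run))
    return [(src, count, scanners.get(src, 0)) for src, count in top_talkers(packets, n)]


if __name__ == "__main__":
    for src, count, run in triage(SAMPLE_CAPTURE):
        flag = "  <-- sequential scan, likely infected" if run else ""
        print(f"{src:12} {count:4} pkts  sequential run {run:3}{flag}")
```

Treat a hit as a lead, not a verdict: an inventory scanner, a backup job, or a monitoring server walking its targets produces the same ascending pattern. As Giorgis did, decode a few of the flagged host's packets before pulling it off the network.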

The analyzer can also identify inappropriate traffic that may leave your network open to attack or signify a potential weakness. What counts as inappropriate varies with the particular network and corporate policy, but could include automatic notification of traffic such as MSN, NNTP or outbound Telnet. To be useful as a corporate security tool, the analyzer must be "distributed," so that it covers all areas of your network, and it must be able to capture and decode all of the protocols on all of the media (Ethernet, WAN, 802.11, etc.) over which your corporate data flows.
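The two kinds of alarm described above, a packet signature and a policy rule such as outbound Telnet or NNTP, fit one small rule engine. What follows is an added example, not Observer's alarm feature or code from the article; the 10.0.0.0/8 "internal" range, the traffic records and the byte string standing in for a worm signature are all constructed for the example, and the well-known default ports (Telnet 23, NNTP 119, MSN Messenger 1863) are the only thing the policy rules look at.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "TCP", "UDP" or "ICMP"
    dport: Optional[int]    # destination port, None for ICMP
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]


def is_outbound(p: Packet) -> bool:
    """Internal source talking to an external destination."""
    return ip_address(p.src) in INTERNAL and ip_address(p.dst) not in INTERNAL


# Hypothetical byte string standing in for a worm signature. A real analyzer
# ships vendor-maintained signatures or lets you paste bytes from a decode.
WORM_MARKER = b"EXAMPLE-WORM-MARKER"

RULES = [
    # Policy rules: the kinds of traffic the article lists for automatic notification.
    Rule("outbound-telnet", lambda p: p.proto == "TCP" and p.dport == 23 and is_outbound(p)),
    Rule("nntp", lambda p: p.proto == "TCP" and p.dport == 119),
    Rule("msn-messenger", lambda p: p.proto == "TCP" and p.dport == 1863),
    # Signature rule: a byte pattern seen anywhere in the packet payload.
    Rule("worm-signature", lambda p: WORM_MARKER in p.payload),
]


def evaluate(packets, rules=RULES):
    """Run every rule over every packet. Alerts are keyed on (rule, source
    host) so a worm that matches on thousands of packets produces one alert
    carrying a hit count, not thousands of pages."""
    hits = {}
    for p in packets:
        for r in rules:
            if r.match(p):
                key = (r.name, p.src)
                hits[key] = hits.get(key, 0) + 1
    return [(rule, src, n) for (rule, src), n in hits.items()]


def format_alert(rule, src, n):
    """The one-line text that would go into the e-mail or page body."""
    return f"[ALERT] {rule}: {n} packet(s) from {src}"


# Constructed traffic (hypothetical addresses; 203.0.113.0/24 is documentation space).
SAMPLE_TRAFFIC = [
    Packet("10.0.5.8", "203.0.113.7", "TCP", 23),            # Telnet to the Internet
    Packet("10.0.5.8", "10.0.5.9", "TCP", 23),               # internal Telnet, allowed by this policy
    Packet("10.0.5.20", "203.0.113.50", "TCP", 119),         # NNTP, twice
    Packet("10.0.5.20", "203.0.113.50", "TCP", 119),
    Packet("10.0.5.17", "10.0.6.1", "TCP", 135, b"xx" + WORM_MARKER),
    Packet("10.0.5.17", "10.0.6.2", "TCP", 135, WORM_MARKER + b"yy"),
    Packet("10.0.5.3", "10.0.5.10", "TCP", 445, b"ordinary file traffic"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_TRAFFIC):
        print(format_alert(*alert))
```

Port-based policy rules only catch services on their default ports; a user who runs Telnet on port 8080 walks past them, which is why the signature and traffic-volume views are still needed alongside policy rules. The per-source de-duplication matters in practice: a paging alarm that fires once per matching packet will be switched off by the first worm outbreak it sees.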

A quick response to a breach can mean the difference between an inconvenience for a few users and a disaster for your company. Look for an analyzer that can be configured to e-mail or page you when the virus or hacker attack is sensed.

Network analyzers will never replace your firewall, anti-virus software or intrusion-detection system. However, because it is not possible for these precautions to be completely effective, you cannot maintain the security of your network without a network analyzer. A good analyzer alerts you when the other defenses have failed, and takes much of the pain out of identifying, isolating, and cleaning up compromised machines. Considering the general troubleshooting and monitoring features included "for free" in such tools, the decision to purchase a comprehensive analyzer with network security features is easily justified.

About the author:
Charles Thompson, Senior Systems Engineer for Network Instruments, LLC, works with the Network Instruments sales organization to provide technical expertise and in-depth product information to enterprise accounts. Network Instruments is a developer of network management, analysis and troubleshooting solutions. Charles can be reached at 952-932-9899 x234.

This was last published in May 2004
