Ourmon to detect UDP Flood
Using graphs to detect anomalies has been one of Ourmon's great features, and this post is an example of why.
If you have been following this blog, you will notice I now have two posts (including this one) showing a strange traffic spike during the night. That also means night-time, when everyone is asleep, is a good time to attack.
So, there was a UDP flood attack on my network last night. By checking the Ourmon graphs and reports, I could identify the attack almost immediately without running any other tools.
This is how I identified the UDP flood: normally my network does not generate high UDP traffic, so a sustained UDP spike on the graph stands out right away.
Do you notice the TCP traffic spike from 21:00 to 22:00, marked in pink? I used the same method I described previously to check that spike with Argus. It was an inter-network file transfer running at a load of 19,001,224 bits/sec (about 19 Mbit/s), unrelated to the flood.
Notice the high-port ICMP unreachable traffic? A flood aimed at random UDP ports hits mostly closed ports, and the target answers each one with an ICMP port unreachable (type 3, code 3), so that counter rises together with the UDP spike.
From the UDP Top report, I could see when the flood started, which IP launched it, and when it stopped.
From the UDP summarization Top Source IP report:
It is nice that we have not seen any large UDP traffic coming into our network since these IPs were blocked in the firewall.
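To make the detection logic above concrete (a UDP spike from one source, confirmed by ICMP port unreachable replies coming back to that source, then a firewall block), here is an added example in Python. It is my own simplified scoring over a constructed set of flow records, not Ourmon's reports or its UDP work-weight formula, and not code from this blog. The flow records, the IP addresses (RFC 5737 documentation ranges), the 60-second window, the 100 packets/sec threshold and the iptables rule text are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    """One flow record, Argus-style (constructed; not Ourmon's record format)."""
    ts: int            # flow start, epoch seconds
    proto: str         # "udp" | "tcp" | "icmp"
    src: str
    dst: str
    dport: int         # 0 for ICMP
    pkts: int
    icmp_type: int = -1
    icmp_code: int = -1


# Constructed sample: a 60-second window starting at T0. 10.0.0.5 is ordinary
# DNS traffic. 203.0.113.7 (assumed attacker) sprays UDP at 192.0.2.10 on
# random high ports, and 192.0.2.10 answers with ICMP type 3 / code 3.
T0 = 1_700_000_000
SAMPLE_FLOWS: List[Flow] = [
    Flow(T0 + 1, "udp", "10.0.0.5", "10.0.0.53", 53, 12),
    Flow(T0 + 30, "udp", "10.0.0.5", "10.0.0.53", 53, 9),
]
for i in range(20):
    SAMPLE_FLOWS.append(Flow(T0 + 3 * i, "udp", "203.0.113.7", "192.0.2.10", 40000 + i, 1500))
    # Port unreachables are usually rate-limited by the victim, hence fewer packets.
    SAMPLE_FLOWS.append(Flow(T0 + 3 * i, "icmp", "192.0.2.10", "203.0.113.7", 0, 200, 3, 3))


def udp_rate_per_source(flows: List[Flow], window_start: int, window_len: int) -> Dict[str, float]:
    """UDP packets per second sent by each source inside the window."""
    pkts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and window_start <= f.ts < window_start + window_len:
            pkts[f.src] += f.pkts
    return {src: n / window_len for src, n in pkts.items()}


def port_unreachable_per_target(flows: List[Flow]) -> Dict[str, int]:
    """ICMP port unreachable packets, keyed by the host they were sent TO (the UDP sender)."""
    out: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 3 and f.icmp_code == 3:
            out[f.dst] += f.pkts
    return dict(out)


def detect_udp_flood(flows: List[Flow], window_start: int, window_len: int,
                     pps_threshold: float, min_unreachables: int = 1) -> List[dict]:
    """Flag sources whose UDP rate exceeds the baseline AND that are drawing
    port unreachable replies, which is the combination seen on the graphs."""
    rates = udp_rate_per_source(flows, window_start, window_len)
    unreach = port_unreachable_per_target(flows)
    offenders = []
    for src, pps in rates.items():
        if pps < pps_threshold or unreach.get(src, 0) < min_unreachables:
            continue
        mine = [f for f in flows if f.proto == "udp" and f.src == src]
        offenders.append({
            "src": src,
            "pps": pps,
            "unreachables": unreach[src],
            "distinct_dports": len({f.dport for f in mine}),
            "first_ts": min(f.ts for f in mine),   # when the flood started
            "last_ts": max(f.ts for f in mine),    # when it stopped
        })
    return sorted(offenders, key=lambda o: -o["pps"])


def block_rules(offenders: List[dict]) -> List[str]:
    """Firewall rules to drop the offending sources (iptables syntax assumed)."""
    return [f"iptables -I INPUT -s {o['src']} -p udp -j DROP" for o in offenders]


if __name__ == "__main__":
    found = detect_udp_flood(SAMPLE_FLOWS, T0, 60, pps_threshold=100)
    for o in found:
        print(o)
    for rule in block_rules(found):
        print(rule)
```

The baseline threshold is the important tunable: it should come from what your own network normally does (the post's point is that its UDP baseline is low), and requiring the ICMP port unreachable confirmation keeps a legitimate UDP burst such as a large DNS or NTP exchange from being flagged on rate alone.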