

ID: 3679200 • Letter: 1

Question

1- Give two major changes made in SNMP v2 related to minimizing the data exchanged between agents and manager, and to standardizing products.

2- Differentiate between authentication and authorization in SNMPv3.
3- What is the main difference between network traffic monitoring tools and network status tools?
4- List four basic network monitoring tools that can help a network manager find out the details of heavy traffic in his network.
5- If one of the servers on your network is hit by a denial-of-service (DoS) attack, explain how network statistics can help you find the attacker.

6- What is the main difference between network traffic monitoring tools and network status tools?

Explanation / Answer

1) Answer:

The Simple Network Management Protocol, SNMP v2

SNMP is a protocol that allows network administrators to manage network devices and diagnose network problems. In the beginning, the network management system was based on two (2) main elements, a manager and agents, which are described below.

The manager: the station from which the network administrator issues management requests.
Agents: entities that sit at the level of each managed device's interface. They connect to the network and allow the manager to gather information on the different managed objects.
In this context, SNMP v2 was developed during late 1992 and submitted in March 1993. It was formed by combining SNMP with S-SNMP (Secure SNMP) and adding improvements in management aspects such as functionality, performance and operating efficiency, which are described below.


2) Answer:

Security and Administration Framework

SNMP entities contain a security subsystem (and possibly an access control subsystem) to prevent unauthorized users from accessing a MIB or parts of a MIB. SNMP entities also possess these subsystems to ensure that authorized users retrieve and update information from only the parts of the MIB that they are allowed to view. Only a user who has the necessary access privileges will be able to obtain the desired level of service from a properly configured SNMP entity.

A Security Administration Framework defines the mechanisms, which control the level of service provided by an SNMP entity. The mechanisms discriminate each message based on who is sending the message, what operation is requested, where the operation takes place within the MIB, and how the request is being sent (security protocol in use).

Who? Authentication discriminates a request based on the sender of the message. An authentication identifier includes some type of shared secret, which is used to verify the identity of the sender.
What? Authorization discriminates a request based on the operation being requested. An authorization identifier defines a set of operations that are permitted (e.g., Get, Set, Trap, etc.).
Where? Access Control discriminates a request based on the MIB objects where a requested operation would be performed. An access control identifier, or MIB View, defines a set of objects in the MIB where operations may be performed.
How? Security Level discriminates a request based on the security protocols used for a request. Security level options include privacy protocols and alternative authentication algorithms.

3) Answer:

When providing service to a company, its network is usually one of the main elements to take into account in order to avoid a service outage. If the network stops working and no data is transmitted, service to the company's customers stops.

For this reason it is very important to monitor the network properly. The goal of every system administrator is to keep the network fully operational 100% of the time. Network monitoring tools help us identify the potential problems that cause networks to collapse or go down.

It is very important to distinguish from the start between network monitoring and network management. Network monitoring lets us analyse and view the status of our networks at a basic level. Management lets us not only take action to alleviate the problems in our networks but also gives us a global view of all our systems.

This answer starts by describing how to do basic network monitoring and then moves on to the main features a network monitor must have.

Basic network monitoring
Features to consider in advanced network monitoring software

Basic Network Monitoring

This section starts with the basic requirements for monitoring a network. Basic network monitoring consists of controlling syslog messages and controlling bandwidth.

What are syslog messages?

Syslog messages are generated by communications equipment and sent to a central server where they are all stored. Syslog monitoring is based on collecting these messages on a single server for analysis and alarm configuration.

For example, our syslog server can receive all failed attempts to access the web server and raise an alarm when there are more than 10 failed accesses in a minute.

Syslog servers

Windows Syslog. Used in Windows operating systems. http://windowssyslog.codeplex.com/releases/view/617649

Tftpd32. For Windows systems. In addition to a syslog server it has DHCP, FTP, DNS and TFTP servers. http://tftpd32.jounin.net/

Visual Syslog Server. For Windows systems. http://maxbelkov.github.io/visualsyslog/

Syslog Server. Installable on Linux and Windows. http://sourceforge.net/projects/syslog-server/

What is bandwidth?

Bandwidth is the amount of information passing through a network link, whether wired or wireless (Wi-Fi), in a given period of time. It is typically measured in bits per second. Monitoring bandwidth lets us know at all times how loaded our networks are. We know that when a network exceeds 90% bandwidth usage it starts to cause problems for the systems operating on it.

With bandwidth monitoring we can know how "full" our links are and who is "filling" them.

Tools to measure bandwidth

Bandwidthd. Valid for use on Linux and Windows systems. http://bandwidthd.sourceforge.net/

Bandwidth Monitor NG (beta). It helps us see and analyse network traffic by protocol, such as TCP, HTTP, UDP, etc. http://sourceforge.net/projects/bwmng/

With these two basic points and a correct configuration of the above tools we can have basic control over the state of our networks.

It is important to note that we have talked here about network monitoring tools; as you can see, these tools can capture and measure our network and raise alarms, but they do not have the ability to manage a network and, above all, to give a unified view. To manage a network, the tool must be able to make decisions and take action to solve or alleviate the problem.

If you have read this far and checking the status of your network and its size is enough for you, you need nothing more, and we hope this has been helpful. If, however, your monitoring needs are greater and you want to sleep more peacefully at night, then read on.

The aim of the next section is to tell you the main points to consider when choosing a network monitor.

Features to consider in our network monitoring software

Communication of alerts.
Integrations with external servers.
Usability and presentation of the data in the dashboard.
Flexibility to adapt to particular tools or software.
API access from external systems.
Automatic device detection.
Integrations with databases.
Multi-device support.
Scalability.
Support for as many data-acquisition protocols as possible.
Security.
Integration with virtual machines.
Hardware integrations.
Remote control.
Hardware and software inventory.
Geolocation.
Cloud monitoring.

4) Answer:

Traffic Analysis

At this level, transmission may be unicast (one to one), multicast (one to many) or broadcast (one to all). The performance (throughput) of a network suffers seriously from the presence of broadcast traffic; in fact this is one of the measures of interest when optimising networks, and it is also the basis of a known attack on availability called "broadcast bombing". Another measure is the analysis of multicast traffic, because these are the messages exchanged between routers, and it is highly profitable for an outsider interested in becoming a participant in these groups, because in them all the network's routing information is served up.

5) Answer:

Denial of Service (DoS) and DDoS Attacks

A DoS attack, or denial-of-service attack, is an explicit attempt to make a computer resource unavailable, either by injecting a computer virus or by flooding the network with useless traffic. There are two types of DoS attacks: attacks on the computer and attacks on the network. Common forms of denial-of-service attacks are:

Ping of death

Ping of death is caused by an attacker deliberately sending a ping packet that is larger than 65,535 bytes (a normal ping packet is about 64 bytes). Many computer systems cannot handle an IP packet larger than the maximum IP packet size of 65,535 bytes, and this often causes them to crash. It is not legal to send a ping packet larger than 65,535 bytes, but a packet of that size can be sent if it is fragmented. When the receiving computer reassembles the packet, a buffer overflow occurs, which often causes the computer to crash. This exploit has affected a wide variety of systems including Unix, Linux, Mac, Windows and routers, but fixes have been applied since 1997, making this exploit mostly historical.

Ping flood

A ping flood is caused by an attacker overwhelming the victim's network with ICMP Echo Request (ping) packets. This is a fairly easy attack to perform without extensive network knowledge, as many ping utilities support this operation. A flood of ping traffic can consume significant bandwidth on low- to mid-speed networks, bringing a network to a crawl.

Smurf Attack

A Smurf attack exploits the target by sending repeated ping requests to the broadcast address of the target network. The ping request packet uses a forged IP (return) address, which is the target site that is to receive the denial of service. The result is a large number of ping replies flooding back to the innocent, spoofed host. If the number of hosts replying to the ping request is large enough, the network will no longer be able to receive real traffic.

SYN Floods

When establishing a session between a TCP client and server, a handshake message exchange occurs between the server and the client. A session setup packet contains a SYN field that identifies the sequence in the message exchange. An attacker may send a flood of connection requests and not respond to the replies, which leaves the request packets in the buffer so that legitimate connection requests cannot be accommodated.

Teardrop Attack

A teardrop attack works by sending IP fragments that are difficult to reassemble. Each fragment carries an offset that the receiving system uses to reassemble the entire packet. In the teardrop attack, the attacker's IP stack puts a confusing offset value in the subsequent fragments, and if the receiving system does not know how to handle the situation, it may crash.

Mail Bomb

Unauthorized users send a large number of email messages with large attachments to a particular mail server, filling up its disk space and resulting in denied email service to other users.

What is distributed DoS (DDoS) attack?

DDoS (Distributed Denial of Service) is a tactic used to attack a victim from multiple compromised computers. The attacker installs virus or trojan software on the compromised systems and uses them to flood the victim's network in a way the victim's server cannot handle.

A DDoS involves three parties: an offender, helpers and a victim. The offender is the one who plots the attack, and the helpers are the machines compromised by the offender to launch the attack against the victim (the target). The offender commands the helpers to attack the victim's host at precisely the same time. Because of this coordination between the offender and the helpers, DDoS is also known as a coordinated attack.

Resolutions

If you suspect a DoS or DDoS attack because of a significant network slowdown or denied service, you can run a few diagnostic Linux commands to find the host under attack.

First, you have to identify the host under DoS or DDoS attack. To do this, monitor network traffic and see where the traffic is coming from and where it is going. This can be done with the ethereal or tethereal Linux command.

# tethereal
0.809751 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
0.810357 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
...

## If you do not have ethereal installed, you may use 'yum' to
## install it on your system.
# yum install tethereal

Once you have identified the host, log on to the server and check the server load. You can use the w or uptime command to find the server load. You can also use the top and ps commands to determine which Linux process consumes the most resources. To learn more about top command output, please read an article about high volume traffic.

# uptime
15:19:51 up 127 days, 5:39, 2 users, load average: 10.78, 8.68, 4.82

# top
top - 15:20:02 up 127 days, 5:39, 2 users, load average: 10.78, 8.68, 4.82
Tasks: 170 total, 6 running, 163 sleeping, 0 stopped, 1 zombie
Cpu(s): 3.5% us, 1.7% sy, 0.1% ni, 94.3% id, 0.4% wa, 0.0% hi, 0.0% si
Mem: 2074924k total, 2046676k used, 28248k free, 58692k buffers
Swap: 4192956k total, 144k used, 4192812k free, 1553828k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
14815 apache 25 0 52776 628 500 R 98.6 0.0 9:59.91 cw7.3

DoS and DDoS attacks succeed because vulnerable software is running on your server(s). Attackers use known application vulnerabilities and security holes to compromise servers on different networks, either by installing viruses and trojan horses (intrusion) or by initiating DDoS attacks. To prevent DoS and DDoS attacks, you may take the following actions.

6) QUESTION REPEATED
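Answer 2 above describes the SNMPv3 security framework as four questions (who, what, where, how). The following Python model is added here as an illustration and is not part of the original answer. It runs one request through those four checks in order: a keyed MAC proves the sender's identity (a toy HMAC-SHA256 standing in for USM's HMAC-MD5-96/HMAC-SHA-96), the sender's group demands a minimum security level, the group's permitted-operation set decides authorization, and a MIB view built from included and excluded OID subtrees decides access control the way VACM does. The users, keys, groups and views are constructed for the example; a real agent carries the operation and OID inside the authenticated message rather than as separate arguments.

```python
import hmac
import hashlib

# Security levels, weakest to strongest (the "how" of the framework).
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# Constructed configuration for this example (not from any real agent):
# a user carries an authentication key and belongs to one group; the group
# fixes the minimum security level, the permitted operations and a MIB view.
USERS = {
    "operator": {"auth_key": b"operator-auth-key", "group": "readers"},
    "netadmin": {"auth_key": b"netadmin-auth-key", "group": "admins"},
}
GROUPS = {
    "readers": {"min_level": "authNoPriv",
                "ops": {"Get", "GetNext", "GetBulk"},
                "view": "system_only"},
    "admins": {"min_level": "authPriv",
               "ops": {"Get", "GetNext", "GetBulk", "Set"},
               "view": "everything"},
}
# MIB views as (subtree, included) rows; the most specific matching row wins,
# so a view can include 1.3.6.1 yet carve out the USM user table beneath it.
VIEWS = {
    "system_only": [("1.3.6.1.2.1.1", True)],
    "everything": [("1.3.6.1", True), ("1.3.6.1.6.3.15", False)],
}


def sign(username, payload):
    """MAC a user attaches to a message (toy HMAC-SHA256 in place of USM's)."""
    return hmac.new(USERS[username]["auth_key"], payload, hashlib.sha256).digest()


def oid_in_view(view_name, oid):
    """'Where': is the OID inside the view? The longest matching subtree decides."""
    best = None
    for subtree, included in VIEWS[view_name]:
        if oid == subtree or oid.startswith(subtree + "."):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]


def check_request(username, level, op, oid, payload, mac=None):
    """Decide whether one request is served. Returns (allowed, reason)."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    # Who: at authNoPriv or above the sender must prove possession of the key.
    # At noAuthNoPriv the name is merely claimed, which is why groups below
    # require a stronger level before serving anything.
    if LEVELS[level] >= LEVELS["authNoPriv"]:
        if mac is None or not hmac.compare_digest(sign(username, payload), mac):
            return False, "authentication failed"
    group = GROUPS[user["group"]]
    # How: the group demands a minimum security level for any service at all.
    if LEVELS[level] < LEVELS[group["min_level"]]:
        return False, "security level too low"
    # What: the requested operation must be in the group's permitted set.
    if op not in group["ops"]:
        return False, "operation not authorized"
    # Where: the object must lie inside the group's MIB view.
    if not oid_in_view(group["view"], oid):
        return False, "OID outside MIB view"
    return True, "allowed"


if __name__ == "__main__":
    req = b"Get 1.3.6.1.2.1.1.5.0"  # sysName.0
    print(check_request("operator", "authNoPriv", "Get", "1.3.6.1.2.1.1.5.0", req, sign("operator", req)))
    print(check_request("operator", "authNoPriv", "Set", "1.3.6.1.2.1.1.5.0", req, sign("operator", req)))
    print(check_request("netadmin", "authNoPriv", "Set", "1.3.6.1.2.1.1.5.0", req, sign("netadmin", req)))
```

The order of the checks matters: a message that fails authentication is rejected before any authorization or view lookup, so an attacker learns nothing about which operations or objects a user could reach.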
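The syslog example in answer 3 (raise an alarm when there are more than 10 failed accesses in a minute) as working detection logic, added here and not part of the original answer. The log lines are constructed in BSD syslog format; the hostname, program name and message wording are assumptions. The rule is a per-source sliding window, which also covers the case the one-line description glosses over: a failure from minutes earlier must not count toward the current minute, and the alarm fires once per burst rather than on every further failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines, as a central syslog server might store them
# (sample data for this example, not a real log).
SAMPLE_LOG = """\
Mar  3 15:17:30 web01 httpd: Failed login for user 'admin' from 10.1.1.5
Mar  3 15:18:10 web01 httpd: Failed login for user 'bob' from 192.0.2.9
Mar  3 15:19:00 web01 httpd: Failed login for user 'admin' from 10.1.1.5
Mar  3 15:19:05 web01 httpd: Failed login for user 'root' from 10.1.1.5
Mar  3 15:19:10 web01 httpd: Failed login for user 'admin' from 10.1.1.5
Mar  3 15:19:15 web01 httpd: Failed login for user 'test' from 10.1.1.5
Mar  3 15:19:20 web01 httpd: Failed login for user 'admin' from 10.1.1.5
Mar  3 15:19:22 web01 httpd: Accepted login for user 'alice' from 192.0.2.9
Mar  3 15:19:25 web01 httpd: Failed login for user 'guest' from 10.1.1.5
Mar  3 15:19:30 web01 httpd: Failed login for user 'admin' from 10.1.1.5
Mar  3 15:19:35 web01 httpd: Failed login for user 'admin' from 10.1.1.5
Mar  3 15:19:40 web01 httpd: Failed login for user 'bob' from 192.0.2.9
Mar  3 15:19:40 web01 httpd: Failed login for user 'oracle' from 10.1.1.5
Mar  3 15:19:45 web01 httpd: Failed login for user 'admin' from 10.1.1.5
Mar  3 15:19:50 web01 httpd: Failed login for user 'admin' from 10.1.1.5
"""

# "Mmm dd hh:mm:ss host program: message" (RFC 3164 style, no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
# Assumed message format of the web server's failed-login line.
FAILED_RE = re.compile(
    r"Failed login for user '(?P<user>[^']+)' from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_failed_login(line, year=2024):
    """Return (timestamp, source_ip) for a failed-login line, else None.
    The BSD syslog timestamp carries no year, so one is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = FAILED_RE.search(m.group("msg"))
    if not f:
        return None
    ts = datetime.strptime(f"{m.group('ts')} {year}", "%b %d %H:%M:%S %Y")
    return ts, f.group("ip")


def failed_login_alarms(text, threshold=10, window_seconds=60):
    """Sliding-window rule: alarm once per source when more than `threshold`
    failed logins fall inside any `window_seconds` span.
    Returns [(source_ip, time_of_alarm, failures_in_window)]."""
    events = [e for e in (parse_failed_login(l) for l in text.splitlines()) if e]
    events.sort()  # relays can reorder lines; evaluate in time order
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alarming = set()             # sources currently in an alarmed burst
    alarms = []
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            if ip not in alarming:  # fire on the crossing, not on every event
                alarming.add(ip)
                alarms.append((ip, ts, len(q)))
        else:
            alarming.discard(ip)    # burst subsided; a new burst alarms again
    return alarms


if __name__ == "__main__":
    for ip, ts, n in failed_login_alarms(SAMPLE_LOG):
        print(f"ALARM {ts:%H:%M:%S} {ip}: {n} failed logins in the last minute")
```

With the sample data the alarm fires once, for 10.1.1.5 at 15:19:50 with 11 failures; the failure at 15:17:30 from the same host is evicted from the window and does not count. Widening the window to 200 seconds pulls that earlier failure back in and the alarm fires one event earlier, which is the kind of tuning a real syslog rule needs before it is trusted.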
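Answer 5 first identifies the host under attack from tethereal output and then looks at that host's load. The Python below, added here and not part of the original answer, does the first step over packet summaries in that same one-line format: it finds the destination receiving the most packets, profiles the sources sending to it (share of the traffic, fragmented datagrams, TCP SYNs) and distinguishes a single dominant source from many small ones. The capture lines are constructed. Note that Ethereal has since been renamed Wireshark and tethereal is now tshark; the summary format is the same. Source addresses in a flood can be spoofed, so a dominant source is a lead to trace upstream through router interface counters or the ISP, not proof of who the attacker is.

```python
import re
from collections import Counter, defaultdict

# Constructed packet summaries in the one-line style of tethereal/tshark
# output (sample data for this example, not a real capture).
SAMPLE_CAPTURE = """\
0.809751 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
0.810357 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
0.811002 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
0.811640 10.1.1.7 -> 192.168.1.4 TCP 51234 > 80 [SYN] Seq=0 Win=1024 Len=0
0.812201 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
0.812877 10.1.1.9 -> 192.168.1.10 HTTP GET /index.html HTTP/1.1
0.813300 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
0.813912 10.1.1.8 -> 192.168.1.4 TCP 40211 > 80 [SYN] Seq=0 Win=1024 Len=0
0.814505 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
0.815160 192.168.1.10 -> 10.1.1.9 HTTP HTTP/1.1 200 OK (text/html)
0.815800 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
0.816433 10.1.1.7 -> 192.168.1.4 TCP 51235 > 80 [SYN] Seq=0 Win=1024 Len=0
0.817090 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
"""

# "<time> <src> -> <dst> <protocol> <info>"
LINE_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>\S+) (?P<info>.*)$")


def parse_summary(text):
    """Yield (src, dst, proto, info) for every parsable summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), m.group("info")


def find_victim(packets):
    """Step 1 of the answer: the host receiving the most packets."""
    dst_counts = Counter(dst for _, dst, _, _ in packets)
    victim, count = dst_counts.most_common(1)[0]
    return victim, count


def source_profile(packets, victim):
    """Step 2: who sends to the victim, how much, and what kind of traffic.
    Returns rows sorted by packet count: (src, count, share, fragments, syns)."""
    rows = defaultdict(lambda: {"count": 0, "frag": 0, "syn": 0})
    total = 0
    for src, dst, proto, info in packets:
        if dst != victim:
            continue
        total += 1
        rows[src]["count"] += 1
        if "Fragmented" in info:               # oversized/teardrop-style datagrams
            rows[src]["frag"] += 1
        if proto == "TCP" and "[SYN]" in info:  # half-open connection attempts
            rows[src]["syn"] += 1
    out = [(src, r["count"], r["count"] / total, r["frag"], r["syn"])
           for src, r in rows.items()]
    return sorted(out, key=lambda r: r[1], reverse=True)


def assess(text, dominant_share=0.5):
    """Tie the statistics together. One source carrying most of the traffic
    points at a single attacker (or a single spoofed address); many small
    sources suggest a DDoS or a randomly spoofed SYN flood."""
    packets = list(parse_summary(text))
    victim, n = find_victim(packets)
    profile = source_profile(packets, victim)
    top_src, top_count, top_share, _, _ = profile[0]
    pattern = ("single dominant source" if top_share >= dominant_share
               else "distributed or spoofed sources")
    return {"victim": victim, "packets_to_victim": n, "top_source": top_src,
            "top_share": round(top_share, 3), "pattern": pattern, "sources": profile}


if __name__ == "__main__":
    result = assess(SAMPLE_CAPTURE)
    print(f"victim {result['victim']} received {result['packets_to_victim']} packets")
    for src, count, share, frag, syn in result["sources"]:
        print(f"  {src:<15} {count:>4} pkts {share:6.1%}  fragments={frag} syns={syn}")
    print("pattern:", result["pattern"])
```

For a live capture the same aggregation is available without a script as `tshark -z conv,ip` (per-conversation packet counts) or `tshark -z endpoints,ip`; the script is worth having when the summaries arrive as text from a syslog or flow collector rather than from a capture you control.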