Analysis of HTTP-channel worm attacks occupied by BT downloads

Source: Internet
Author: User

Fault Description

A customer recently reported that their network was slow: web pages loaded slowly and sometimes email could not be sent or received normally. They wanted to know why the network was so slow.
At first the customer mirrored only the traffic of the 100.0 subnet, and I analyzed that capture. The data in the 100.0 CIDR block was normal, just slow. I then asked whether only the 100.0 segment was slow; the customer said the entire network was slow. If the entire network is slow but packets are captured from only one segment, the data is incomplete, so I suggested mirroring the total egress of the network instead.

The customer's network topology is a typical corporate network:
Internet (tietong 15 M) ----- FW ---- core SW --- aggregation SW -- access SW
We mirrored the port connecting the core SW to the FW and then set up the corresponding analysis scheme. Based on the customer's actual bandwidth we configured the link as 15 M (a call to the SP confirmed that 15 M is the total bandwidth, upstream plus downstream, with no fixed up/down ratio).

At the customer's request (they wanted to see the IP nodes of the network-management segment), the 100.0 segment was monitored separately by adding that CIDR block as an IP node.

After the preliminary setup was complete, we selected the comprehensive analysis scheme and started capturing packets.

Analysis Process

During the capture we saw network utilization at 100%.

100% utilization means the network is running at full capacity with no spare bandwidth for new services. The diagnostic view for the running Internet services also showed high latency, which confirmed our view: slow TCP responses, TCP retransmissions and slow HTTP server responses all tell us that network latency is very high.

The above is the current network status we can observe. So what makes utilization so high?
First, we rank the intranet IP addresses by traffic:

Then we analyzed the top IP addresses and found that the reason for their large traffic was BT transfers. The customer immediately objected: they had set strict firewall policies to limit BT traffic, blocked the high UDP and TCP ports, and limited the number of connections per IP address, so there should be no BT transfers. But is that true?
First, let's look at the traffic matrix of the IP address with the largest traffic:

More packets are sent than received. In addition, the UDP session traffic is large; the UDP ports in use are shown here:

Harder to block is BT's use of the normal TCP port 80 for transfers. We found this on the hosts with large traffic: their TCP port 80 is occupied by BT:

The large amount of data BT pushes through port 80 means that port 80 traffic accounts for more than 80% of the total. This port 80 traffic is permitted by the firewall by default (blocking it would stop users from browsing the web at all!), and the number of connections it uses is small, so it gets through without tripping the firewall settings. Most BT clients now support transfer over port 80, for example Thunder, where it is enabled with a simple setting:


We also found a worm during this network check. Ranking the TCP sessions of the intranet IP addresses, we found that IP 192.168.2.67 carried only 122 KB of traffic yet ranked second by TCP session count (first was the internal server). Viewing its TCP sessions reveals worm characteristics:


This IP address sends a large number of SYN packets to TCP port 445 of random IP addresses, and most of them get no response. The matrix view shows this intuitively:
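The two findings above (BT traffic hiding on TCP 80 and UDP high ports, and a low-traffic host whose TCP session count is out of proportion because it SYN-scans port 445) are both things you can check mechanically over exported flow records. The following is an added example written for this article, not the article's own analysis tool: it assumes flow records summarized as 5-tuples with byte counts and a "SYN with no SYN/ACK" flag, as a NetFlow exporter or a pcap summarizer would produce, and the sample records, host addresses and thresholds are constructed for illustration.

```python
"""Traffic heuristics over constructed flow records (added example, not from the article)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarized connection; src is assumed to be the internal host that opened it."""
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    bytes_out: int   # bytes src sent
    bytes_in: int    # bytes dst sent back (0 means no reply at all)
    syn_only: bool   # tcp: SYN from src, no SYN/ACK from dst


def _internal(ip: str) -> bool:
    return ip.startswith("192.168.")  # assumed intranet prefix


# Constructed sample records (not captured from the customer's network).
SAMPLE_FLOWS = [
    # ordinary browsing/mail: downloads dwarf uploads, few sessions
    Flow("192.168.2.5", "203.0.113.10", "tcp", 80, 2_000, 150_000, False),
    Flow("192.168.2.5", "203.0.113.11", "tcp", 443, 3_000, 90_000, False),
    Flow("192.168.2.8", "203.0.113.12", "tcp", 25, 50_000, 2_000, False),
    # BT client: several peers, upload exceeds download, on TCP 80 and UDP high ports
    Flow("192.168.2.10", "198.51.100.1", "tcp", 80, 900_000, 300_000, False),
    Flow("192.168.2.10", "198.51.100.2", "tcp", 80, 800_000, 250_000, False),
    Flow("192.168.2.10", "198.51.100.3", "tcp", 80, 700_000, 200_000, False),
    Flow("192.168.2.10", "198.51.100.4", "udp", 52311, 400_000, 100_000, False),
    Flow("192.168.2.10", "198.51.100.5", "udp", 6881, 300_000, 80_000, False),
    # worm-like host: one real SMB session to the file server, then SYNs to 40 random targets
    Flow("192.168.2.67", "192.168.2.1", "tcp", 445, 400, 300, False),
] + [
    Flow("192.168.2.67", f"10.{i}.{(i * 3) % 256}.{(i * 7) % 256}", "tcp", 445, 60, 0, True)
    for i in range(40)
]


def rank_by_bytes(flows):
    """Internal hosts ordered by total bytes (sent + received), largest first."""
    totals = Counter()
    for f in flows:
        if _internal(f.src):
            totals[f.src] += f.bytes_out + f.bytes_in
    return totals.most_common()


def rank_by_sessions(flows):
    """Internal hosts ordered by TCP session count. A host near the top here but
    near the bottom of rank_by_bytes is the worm signature the article describes."""
    return Counter(f.src for f in flows if f.proto == "tcp" and _internal(f.src)).most_common()


def port80_share(flows):
    """Fraction of all bytes carried on TCP destination port 80."""
    total = sum(f.bytes_out + f.bytes_in for f in flows)
    on80 = sum(f.bytes_out + f.bytes_in for f in flows if f.proto == "tcp" and f.dport == 80)
    return on80 / total if total else 0.0


def bt_indicators(flows, host, high_port=1024):
    """Upload-heavy traffic spread over peers on TCP 80 and UDP high ports."""
    mine = [f for f in flows if f.src == host]
    out = sum(f.bytes_out for f in mine)
    inc = sum(f.bytes_in for f in mine)
    peers80 = {f.dst for f in mine if f.proto == "tcp" and f.dport == 80}
    udp_high = {f.dst for f in mine if f.proto == "udp" and f.dport >= high_port}
    frac = out / (out + inc) if out + inc else 0.0
    return {
        "bytes_out": out, "bytes_in": inc, "upload_fraction": round(frac, 3),
        "peers_on_80": len(peers80), "udp_high_port_peers": len(udp_high),
        # thresholds are illustrative; tune them against your own baseline
        "looks_like_p2p": frac > 0.5 and len(peers80) + len(udp_high) >= 3,
    }


def find_scanners(flows, port=445, min_targets=20, min_unanswered=0.8):
    """Hosts that sent SYNs to many distinct IPs on `port` and mostly got no reply."""
    targets, attempts, unanswered = defaultdict(set), Counter(), Counter()
    for f in flows:
        if f.proto == "tcp" and f.dport == port and _internal(f.src):
            targets[f.src].add(f.dst)
            attempts[f.src] += 1
            unanswered[f.src] += int(f.syn_only)
    hits = []
    for host, dsts in targets.items():
        ratio = unanswered[host] / attempts[host]
        if len(dsts) >= min_targets and ratio >= min_unanswered:
            hits.append((host, len(dsts), round(ratio, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    print("top talkers:", rank_by_bytes(SAMPLE_FLOWS)[:3])
    print("top session counts:", rank_by_sessions(SAMPLE_FLOWS)[:3])
    print(f"port 80 share: {port80_share(SAMPLE_FLOWS):.0%}")
    print("BT indicators for .10:", bt_indicators(SAMPLE_FLOWS, "192.168.2.10"))
    print("port 445 scanners:", find_scanners(SAMPLE_FLOWS))
```

The two rankings are deliberately kept separate because the worm only stands out when you compare them: 192.168.2.67 is near the bottom by bytes and at the top by session count. The scanner check then confirms the pattern with the two features the article names, many distinct destinations on port 445 and a high share of unanswered SYNs; the one answered session to the internal file server does not lower the ratio enough to hide it.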

From these features we can conclude that this host is infected with a worm that spreads through file shares (TCP 445) and is scanning for other hosts to infect.

Analysis Summary

Network analysis gives an intuitive and accurate understanding of a slow network. The BT protocol is becoming more and more intelligent; such protocols can be controlled with traffic-control devices. Daily security checks are necessary, because there is no absolutely secure network: even with IDS and firewall devices in place, new worms, viruses and Trojans can still penetrate the network.
