Almost 20 years ago, I learned how to split an Internet connection with a simple hub. From there I learned how to promiscuously observe the packets as they whizzed by on my home network. Almost instantly I knew what I wanted to do for the rest of my life: everything from libpcap, tcpdump and Snort to building threat-intelligence architectures that feed the appliances built on those technologies. The Internet is my life; reading and moving messages are my specialty.
After spending the last decade immersed in the world that became known as threat intelligence, I find myself back where I started: bridging my home network connection, with all the joys and wonder of the packets that now traverse my little corner of the Internet. A lot has changed since I last took the plunge; I now have my own personal IPv6 connection, and just about every other device on my network pings back to Apple or Google in some way. Once in a while it's your printer making an odd connection to Japan or China, or Pinterest talking to QQ (WTF?), but for the most part it's one of the big tech (FANG) giants.
You might be thinking, "c'mon kid, everyone has a v6 connection!" You'd be correct, but when you've spent more than a decade immersed in the higher-education environment, EVERYTHING is a HIGH-SPEED v6 connection. You start taking that for granted and don't waste time thinking about your dinky little home v6 connection. You find yourself ignoring the subtle ways your home network and connectivity have evolved over time. You wake up and realize, "oh snap! I'm still running 802.11g in places!?", simply because you're almost always hard-wired in and you don't care how fast your spouse's connection to Pinterest is.
How do you begin capturing the essence of your home environment? There are TONS of obvious answers to this question: things like Wireshark, Snort, Bro and the like. A simple Google search these days, however, will teach you more about spying on your children or spouse than it will teach you HOW to understand what's really going on at the packet level. The purpose of this post is to introduce you to something simple you can learn at home, but also something you can deploy at your $JOB TODAY, whether you work at a small company, a large university or even a top-tier ISP.
ElastiFlow and NetFlow
An often under-rated feature of routers running firmware like DD-WRT is something called RFlow. This handy little knob lets you export NetFlow v5 off the router to an IP on your internal network. It's trivial to capture these tiny little UDP records; what has traditionally been difficult (read: expensive!) is visualizing the data and DOING anything with it. One caveat worth knowing up front: NetFlow v5 only carries IPv4 flows, so that shiny v6 connection won't show up until you have an exporter that speaks v9 or IPFIX. There are of course things like ntop, but that has always been kind of an odd beast and doesn't let you easily merge the thing that captures your logs with the thing that captures your flows. If you've ever worked in a high-speed security environment, this stuff is crucial. I don't want 15 tools to look through when I'm researching some traffic. I want it all merged together, or at least the technology stacks lined up.
The power of ElastiFlow lies more in the design pattern than in the technology itself. What it demonstrates is how to THINK about NetFlow as it relates to logging: normalizing NetFlow v5, v9 and IPFIX into a single quasi-unified storage pattern, adapting that storage across time buckets and then [probably most importantly] visualizing that data. It's a quick and easy entry point into learning the ELK stack, and more importantly it gives you a very simple yet powerful take-away from day one.
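To make the two ideas above concrete (catching RFlow's UDP records off the wire, and flattening each record into a single document the way a Logstash pipeline would before it lands next to your syslog), here is an added example in Python. It is not code from this post and not ElastiFlow's own code: the NetFlow v5 header and record layouts are the standard ones, but the flat "flow.*" field names are a hypothetical schema I made up for the example, the collector port 2055 is just a common choice, and the sample datagram is constructed inline so everything runs offline.

```python
"""Parse NetFlow v5 datagrams (what DD-WRT's RFlow exports) and flatten each
flow record into one normalized document, roughly what a Logstash pipeline does
before indexing flows beside your other logs.  The 'flow.*' field names are a
hypothetical schema for this example, not ElastiFlow's own."""
import socket
import struct

HEADER_FMT = "!HHIIIIBBH"                 # v5 header: 24 bytes, big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # v5 flow record: 48 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram: bytes):
    """Return (header, records).  Raises ValueError for wrong version, bad count
    or a length that does not match the count (truncated or forged packets)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, datagram)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5: version={header['version']}")
    count = header["count"]
    if not 1 <= count <= 30:                      # v5 allows at most 30 per datagram
        raise ValueError(f"bad record count {count}")
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"length {len(datagram)} does not match count {count}")
    records = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        # raw 4-byte addresses -> dotted quads
        rec.update({k: socket.inet_ntoa(rec[k]) for k in ("srcaddr", "dstaddr", "nexthop")})
        records.append(rec)
    return header, records


def is_valid_v5(datagram: bytes) -> bool:
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def normalize(header: dict, rec: dict, exporter_ip: str) -> dict:
    """'first'/'last' are milliseconds on the router's uptime clock; wall-clock
    start/end come from the export time minus each one's distance from sys_uptime."""
    export_ts = header["unix_secs"] + header["unix_nsecs"] / 1e9
    start = export_ts - (header["sys_uptime"] - rec["first"]) / 1000.0
    end = export_ts - (header["sys_uptime"] - rec["last"]) / 1000.0
    return {
        "@timestamp": export_ts,
        "flow.version": 5,
        "flow.exporter": exporter_ip,
        "flow.start": start,
        "flow.end": end,
        "flow.duration_s": round(end - start, 3),
        "flow.src_addr": rec["srcaddr"],
        "flow.dst_addr": rec["dstaddr"],
        "flow.src_port": rec["srcport"],
        "flow.dst_port": rec["dstport"],
        "flow.ip_protocol": PROTO_NAMES.get(rec["prot"], str(rec["prot"])),
        "flow.tcp_flags": rec["tcp_flags"],
        "flow.packets": rec["dpkts"],
        "flow.bytes": rec["doctets"],
    }


def build_sample_datagram(count_in_header: int = 2) -> bytes:
    """Constructed datagram: a DNS lookup and an HTTPS session from two LAN hosts.
    Pass a wrong count_in_header to watch the length check reject it."""
    ip = socket.inet_aton
    hdr = struct.pack(HEADER_FMT, 5, count_in_header, 100_000, 1_700_000_000, 0, 42, 0, 0, 0)
    dns = struct.pack(RECORD_FMT, ip("192.168.1.10"), ip("8.8.8.8"), ip("192.168.1.1"),
                      1, 2, 3, 180, 90_000, 91_000, 51234, 53, 0, 0, 17, 0, 0, 15169, 24, 32, 0)
    https = struct.pack(RECORD_FMT, ip("192.168.1.20"), ip("17.253.144.10"), ip("192.168.1.1"),
                        1, 2, 12, 4800, 80_000, 99_000, 49152, 443, 0, 0x1B, 6, 0, 0, 714, 24, 32, 0)
    return hdr + dns + https


def listen(port: int = 2055, exporter_ip: str = None):
    """Receive RFlow exports over UDP and yield normalized documents.  NetFlow is
    unauthenticated UDP, so drop anything not from the expected exporter."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src, _) = sock.recvfrom(2048)
            if (exporter_ip and src != exporter_ip) or not is_valid_v5(data):
                continue
            header, records = parse_netflow_v5(data)
            for rec in records:
                yield normalize(header, rec, src)
```

Run it offline with `hdr, recs = parse_netflow_v5(build_sample_datagram())` and `normalize(hdr, r, "192.168.1.1")` on each record; on a real LAN, `for doc in listen(2055, exporter_ip="192.168.1.1"): ...` is the shape of the collector, with the exporter pinned because nothing in NetFlow stops another host on your network from injecting flows. The strict length-versus-count check is the other thing to keep: a truncated or forged datagram whose count overstates the payload would otherwise be parsed into garbage records.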
Do other [more commercial] products and platforms do this? Of course, and maybe even better. The interesting thing about ElastiFlow is how it puts flows SIDE BY SIDE with your other log data. You're still being reactive, hunting through your flows by hand instead of using a full-fledged correlator such as ArcSight ESM, but at least your logs AND flows are now normalized into the same technology stack. Adapting your ELK stack to be more proactive is just a few short scripts away.
Is a more traditional IDS going to give you more valuable context and insights? Of course. But a traditional IDS requires a bit more advanced pcap know-how; capturing and leveraging NetFlow is a great first step, and something you can easily get value from on day one.