1. Network Measurement & Bandwidth Management Mark Berman, Williams College Perry Brunelli, Univ. Wisconsin - Madison Dave Plonka, Univ. Wisconsin - Madison Copyright Mark Berman, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. Context: Williams College is in the Berkshire hills of western Massachusetts Undergraduate Liberal Arts Institution Student population of ~2100, 95% residential

3. What do we really need? Most home users get by w/56k Most streaming media is less than 128k Near broadcast quality video at 800k DVD quality MPEG4 at 4Mbps 10Mb Ethernet is still a lot of bandwidth

4. Williams’ History Bandwidth at Williams grew from 56k in 1990 to 3XT1 (4.5mbps) by 1999 Peer to peer in the form of Napster hit us (like everyone else) in the Fall of that year User response became intolerably slow

5. Peer to Peer File Exchange Arrives In October 1999 Napster arrived The semester was ending and complaints weren’t bad until January Lots of political wrangling in January, we finally got the OK from the advisory committee to block the Napster ports on February first More politics in February. Students want to self-regulate usage and remove the block We do that during Spring Break When students return from break, throughput goes to hell again First week of April we installed our Bandwidth Shaper and nobody complained!

6. What it looked like: This graphic shows the timeline of Napster’s impact on Williams College

7. Throw Bandwidth at the Problem? During the “year of Napster” we were working with a regional effort to bring high speed services to our County In October, a year after Napster arrived, we turned on a 12mb fractional DS3 Internet connection, 3X what we had Let’s see how things worked out…

8. Not too bad! Peaks at 1400k-bytes = 11,200 bits/sec Shaper needed tweaking for new threats Firmware upgrade at Spring Break really got things under control!

9. But Napster is gone… Right? Napster is dead! Long live Gnutella/BearShare/Limewire KaZaA/Morpheus AudioGalaxy Abe’s MP3 Finder

10. What does it look like now? Max In:1321.7 kB/s (85.6%) Average In:828.9 kB/s (53.7%) Current In:1157.2 kB/s (74.9%) Max Out:1225.2 kB/s (79.4%) Average Out:805.6 kB/s (52.2%) Current Out:927.3 kB/s (60.1%)

11. TOOLS: To manage bandwidth we need to know what it’s being used for… And then control the flow We use three tools: MRTG http://www.mrtg.org/ http://www.mrtg.org/ Snort http://www.snort.org/ http://www.snort.org/ Allot NetEnforcer http://www.allot.com/ http://www.allot.com/

12. MRTG Multi Router Traffic Grapher Open Source tool uses SNMP data to produce graphs of overall traffic flow MRTG produced the graphs shown earlier in this presentation Mostly Perl (some C) easily customized

13. MRTG Example:

14. SNORT Open Source Intrusion Detection Basically a packet sniffer with rules based analysis and filtering Device configured as transparent bridge Detects (and can block) DOS attacks and new peer2peer bandwidth suckers

15. Snort Examples 2 [**] BACKDOOR NetMetro Incoming Traffic [**] <- Possible worm installed backdoor on NT machine 3 [**] DNS zone transfer [**] <- Attempt to dump DNS records for the zone 2 [**] EXPLOIT x86 NOOP [**]<- Linux hacking attempt 1 [**] EXPLOIT x86 setgid 0 [**] <- Linux hacking attempt 6 [**] EXPLOIT x86 setuid 0 [**] <- Linux hacking attempt 1 [**] FTP EXPLOIT aix overflow [**] <- Hack on AIX ftp servers 541 [**] INFO ICQ Access [**] 765 [**] INFO Inbound GNUTella Connect accept [**] 586 [**] INFO - Possible Squid Scan [**]<- Web search engine robot scan 24154 [**] MISC source port 53 to <1024 [**]<- Attempt to bypass firewall by masquerading as DNS access 229 [**] spp_http_decode: CGI Null Byte attack detected [**]<- IIS DOS attack 513 [**] spp_http_decode: IIS Unicode attack detected [**] <- IIS DOS attack 123 [**] Virus - Possible Code Red Worm II Attempt [**] Following 5 records are typical Code Red attack 26 [**] spp_portscan: portscan status from 137.113.40.30: 1 connections across 1 hosts: TCP(1), UDP(0) [**] 29 [**] spp_portscan: portscan status from 137.113.40.30: 2 connections across 2 hosts: TCP(2), UDP(0) [**] 19 [**] spp_portscan: portscan status from 137.113.40.30: 3 connections across 3 hosts: TCP(3), UDP(0) [**] 17 [**] spp_portscan: portscan status from 137.113.40.30: 4 connections across 4 hosts: TCP(4), UDP(0) [**] 5 [**] spp_portscan: portscan status from 137.113.40.30: 5 connections across 5 hosts: TCP(5), UDP(0) [**] Following record is typical standard portscan, just trolling for hackable systems 5 [**] spp_portscan: End of portscan from 12.28.37.244: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH [**]

16. Allot NetEnforcer Commercial Product Filters and Prioritizes Traffic Flows Wire speed at up to DS3 (44.736Mbps) Prioritizes or Channelizes traffic Real time display of traffic by type Optional accounting package

18. Other Bandwidth Shapers Packeteer: http://www.packeteer.com/http://www.packeteer.com/ PacketShaper: http://www.info-prod.com/traffic.html http://www.info-prod.com/traffic.html Intel NetStructure: http://channel.intel.com/business/products/ecom/7340traff.htm Linux (very basic): http://linux.oreillynet.com/pub/a/linux/2000/08/24/LinuxAdmin.html