Flow Aware Packet Sampling

Slides:

Advertisements

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Advertisements

SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.

Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.

Copyright © sFlow.org All Rights Reserved sFlow & Benefits Complete Network Visibility and Control You cannot control what you cannot see.

1 PSAMP WGIETF, November 2002PSAMP WG PSAMP Framework Document draft-ietf-psamp-framework-01.txt Duffield, Greenberg, Grossglauser, Rexford: AT&T Chiou:

Probabilistic Aggregation in Distributed Networks Ling Huang, Ben Zhao, Anthony Joseph and John Kubiatowicz {hling, ravenben, adj,

NetFlow Analyzer Drilldown to the root-QoS Product Overview.

Draft-novak-bmwg-ipflow-meth-05.txt IP Flow Information Accounting and Export Benchmarking Methodology

Lecture 11 Intrusion Detection (cont)

Department Of Computer Engineering

A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Summer, 2002.

Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.

Communications Recap Duncan Smeed. Introduction 1-2 Chapter 1: Introduction Our goal: get “feel” and terminology more depth, detail later in course.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

NetfFow Overview SANOG 17 Colombo, Sri Lanka. Agenda Netflow –What it is and how it works –Uses and Applications Vendor Configurations/ Implementation.

Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.

Fraunhofer FOKUSCompetence Center NET T. Zseby, CC NET1 IPFIX – IP Flow Information Export Overview Tanja Zseby Fraunhofer FOKUS, Network Research.

– Chapter 5 – Secure LAN Switching

Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Identifying Application Impacts on Network Design Designing and Supporting Computer.

Network Security1 – Chapter 5 – Secure LAN Switching Layer 2 security –Port security –IP permit lists –Protocol filtering –Controlling LAN floods (using.

Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) 5. Passive Monitoring Techniques.

1 IPFIX Protocol Specifications IPFIX IETF-59 March 3, 2004 Benoit Claise Mark Fullmer Reinaldo Penno Paul Calato Stewart Bryant Ganesh Sadasivan.

Connect. Communicate. Collaborate Experiences with tools for network anomaly detection in the GÉANT2 core Maurizio Molina, DANTE COST TMA tech. Seminar.

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

Computer Security Workshops Networking 101. Reasons To Know Networking In Regard to Computer Security To understand the flow of information on the Internet.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

CSC 600 Internetworking with TCP/IP Unit 7: IPv6 (ch. 33) Dr. Cheer-Sun Yang Spring 2001.

CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Measurement COS 597E: Software Defined Networking.

Abierman-psamp-18nov02 1 PSAMP WG 55th IETF Atlanta, Georgia November 18, 2002 Discussion: Admin: (In Body:

Open-Eye Georgios Androulidakis National Technical University of Athens.

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )

ISACA – Charlotte Chapter June 3, 2014 Mark Krawczyk, CISA, CISSP, CCNA.

Workpackage 3 New security algorithm design ICS-FORTH Ipswich 19 th December 2007.

Standards Activities on Traffic Measurement. 2 Outline Applications requiring traffic measurement Packet capturing and flow measurement Existing protocols.

Fuzzy Control of Sampling Interval for Measurement of QoS Parameters Juraj Giertl.

1 PSAMP Protocol Specifications PSAMP IETF-59 March 2, 2004 Benoit Claise Juergen Quittek.

Mr. Mark Welton.  WAN transportation method that formats data into frames and sent over a network controlled by a service provider  Frame Relay is often.

CSCI 465 D ata Communications and Networks Lecture 24 Martin van Bommel CSCI 465 Data Communications & Networks 1.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

Overview SessionVista™ Enterprise is the first integrated network monitoring and control appliance that combines application layer firewall capabilities.

PSAMP MIB Status Managed Objects for Packet Sampling A Status Report Thomas Dietz Benoit Claise

ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS Update and plans for the next six months Heraklion, 4 th June 2007.

1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University

1 PSAMP Protocol Specifications PSAMP IETF-58 November 11, 2003 Benoit Claise Juergen Quittek.

PSAMP Information Model Status Information Model for Packet Sampling A Status Report Thomas Dietz Falko Dressler.

IP Protocol CSE TCP/IP Concepts Connectionless Operation Internetworking involves connectionless operation at the level of the Internet Protocol.

IETF 62 NSIS WG1 Porgress Report: Metering NSLP (M-NSLP) Georg Carle, Falko Dressler, Changpeng Fan, Ali Fessi, Cornelia Kappler, Andreas Klenk, Juergen.

1 Minneapolis‘ IETF IPFIX Aggregation draft-dressler-ipfix-aggregation-00.txt.

1 PSAMP WGIETF, November 2003PSAMP WG PSAMP Framework Document draft-ietf-psamp-framework-04.txt Duffield, Greenberg, Grossglauser, Rexford: AT&T Chiou:

Flow sampling in IPFIX: Status and suggestion for its support Maurizio Molina,

Network Traffic Monitoring and Analysis - Shisheer Teli CCCF.

Network Processing Systems Design

NetFlow Analyzer Best Practices, Tips, Tricks. Agenda Professional vs Enterprise Edition System Requirements Storage Settings Performance Tuning Configure.

IETF 64 PSAMP WG1 Path-coupled Meter Configuration Georg Carle, Falko Dressler, Changpeng Fan, Ali Fessi, Cornelia Kappler, Andreas Klenk, Juergen Quittek,

Proventia Network Intrusion Prevention System

Booting up on the Home Link

Footprinting (definition 1)

Routers Multiport connectivity device

– Chapter 5 – Secure LAN Switching

I2RS Large Flow Use Case draft-krishnan-i2rs-large-flow-use-case-00

Seraphim : A Security Architecture for Active Networks

Mapping Internet Sensors With Probe Response Attacks

Memento: Making Sliding Windows Efficient for Heavy Hitters

Security Delivery Platform for the Micro-segmented Data Center

William Lupton | | 04-Nov-2018

Presentation transcript:

Flow Aware Packet Sampling [Add Presentation Title: Insert tab > Header & Footer > Notes and Handouts] 4/25/2017 Flow Aware Packet Sampling Ram Krishnan/David Meyer – Brocade Communications Ning So – Tata Communications © 2010 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only

INTRODUCTION Current Issues Flow Aware Packet Sampling Solution Uniform packet sampling in networking devices Sample long-lived/short-lived, large/small flows equally Large percentage of samples is large flows (aka top-talkers) Small flows -- typical cause of security threats like Denial of Service (DOS) attacks, Scanning attacks etc. Small percentage of the bandwidth and a large percentage of the flow space Flow Aware Packet Sampling Solution Automatically detect the top-talkers inline & real-time in networking devices Sample only the small flows Security threat detection more effective with minimal sampling overhead Terminology: -- Large flow(s): long-lived large flow(s) -- Small flow(s): long-lived small flow(s) and short-lived small/large flow(s)

SOLUTION DETAILS (1) Large Flow Recognition Large Flow Classification Flow identification - all layer 2/3/4 formats supported by IPFIX Define observation interval and observe the bandwidth of the flow over that interval A flow that exceeds a certain minimum bandwidth threshold over that observation interval would be considered a large flow Suggested technique for automatic recognition Algorithm based on counting bloom filters Large Flow Classification Recognized large flows can be broadly classified into 2 categories as detailed below. Well behaved (steady rate) large flows, e.g. video streams Bursty (fluctuating rate) large flows e.g. Peer-to-Peer traffic

SOLUTION DETAILS (2) Small Flow Processing Recognized large flows can be sampled at low rate if desired Export large flows to a central entity, for e.g. Netflow Collector, using IPFIX protocol Top-talker reporting or further analysis Small Flow Processing Sample small flows (excluding the large flows) at a normal rate using PSAMP protocol. Examine small flows for determining security threats like DOS attacks (for e.g. SYN floods), Scanning attacks etc.

NEXT STEPS Adopt as a work item in IPFIX working group – Informational RFC Operator Interest Vendor Interest

ADDITIONAL WORK ITEMS Programmable parameters in switches and routers for automatic recognition of large flows Option 1: Open APIs like REST API Option 2: Data models like YANG Address gaps in IPFIX protocol Option 1: Explicit protocol specification e.g. VXLAN, NVGRE Option 2: Virtualization/abstraction layer to central management entity Flexible protocol type, packet offset/byte model interface to switches/routers