
1 Design and Implementation of Large Scale URL Filtering
Surachai CHITPINITYON, Kasom KOHT-ARSA, Surasak SANGUANPONG, Anan PHONPHOEM, Pirawat WATANAPONGSE, Chalermpol CHUPAMPUN
Office of Computer Services, Kasetsart University. E-mail: Surachai.Ch@ku.ac.th
APAN, Xian, Network Security session, 29th August 2007
This work is partially supported by the Commission of Higher Education (CHE), UniNET, Thailand.

2 Agenda (slide footer, repeated on every slide: Network Operation Center, Kasetsart University, Office of Computer Services)
- Why Need URL Filtering?
- Filtering Techniques
- TCP Revisited
- Proposed Solution
- Performance Facts
- Current Deployment
- Scalability Planning for 10Gbps


4 Why Need URL Filtering?
- Access policy enforcement: parental control, other websites restricted by policy
- Suspected harmful websites (on-demand filtering): spyware, phishing, embedded scripting, websites that intend to attack OS/software vulnerabilities


6 Pass-Through Web Filtering
Traffic must pass through the filtering engine (firewall, proxy, application gateway). This creates a processing queue and adds delay, and the delay depends on traffic volume and machine performance.
[Diagram: Client, Gateway, Filtering Engine, Internet; requests (1, 2, 3, 4) queue at the engine and each is classified Allow, Block or Unknown before it is forwarded.]

7 Pass-by Web Filtering
Traffic is captured (mirrored) to the engine and passes by without queuing:
- Zero added delay, independent of traffic volume
- Ease of installation (no traffic interruption)
- Non-blocking traffic stream
- No single point of failure
- Scalable
Because the engine is out of band it never holds a packet; it can only tear a session down after the request has been observed, so blocking is a race against the server's reply (see the session-hijacking slides).
[Diagram: Client, Gateway, Filtering Engine, Internet; the engine sees a copy of the traffic while the original continues to the Internet.]


9 TCP Connection Establishment & Data Transfer
Client -> Server: SYN J (client: SYN_SENT)
Server -> Client: SYN K, ACK J+1 (server: SYN_RCVD)
Client -> Server: ACK K+1 (client and server: ESTABLISHED)
Client -> Server: Data (request)
Server -> Client: Data (reply)

10 TCP Connection Termination
Client -> Server: FIN L (client: FIN_WAIT_1)
Server -> Client: ACK L+1 (server: CLOSE_WAIT; client: FIN_WAIT_2)
Server -> Client: FIN M (server: LAST_ACK)
Client -> Server: ACK M+1 (client: TIME_WAIT, then CLOSED)

11 Filtering by TCP Session Hijacking
The handshake proceeds as before (SYN J; SYN K, ACK J+1; ACK K+1) and the client sends Data (request). The filtering engine then injects a faked FIN (FIN L) into the session, impersonating the peer. The endpoint that accepts the FIN closes its receive side, so the Data (reply) that arrives afterwards is ignored by its TCP stack.


13 Proposed Solution
The pass-by method is combined with two techniques:
- Session hijacking: fast sequence-number interception, and keyword capturing in the application request packet
- URL processing designed to handle a list of hundreds of millions of URLs, with very fast access to the URL repository

14 Session Hijacking
Successful filtering: the faked FIN L injected by the filtering engine arrives before the server's reply; it is acknowledged (ACK L+1) and the connection is closed, so the Data (reply) and the FIN M that follow are ignored.
Unsuccessful filtering: the reply arrives first and is acknowledged (ACK M+1); the faked FIN L then carries a sequence number the receiver has already passed and is ignored.
Filtering therefore depends on the engine winning the race against the reply, which is why hijack activation time (see Performance) matters.

15 Keyword Capturing
1. The client sends a GET/PUT/POST request through the gateway toward the Internet.
2. A copy of the request is delivered to the filtering engine while the original continues to the Internet.
3. The engine extracts the URL keywords from the request and searches the black lists for a match.
4-5. On a match the engine injects FIN packets to terminate the session (the diagram shows two FINs, one on each side of the gateway).
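The packet-side steps of slides 11, 14 and 15, as an added example that is not the authors' WebScreen code: decode the captured request, rebuild the URL for black-list matching, derive the forged FIN from the observed sequence and acknowledgement numbers, and replay the race of slide 14 against a toy client stack. Everything below the slide facts is my assumption: the engine receives the bare TCP segment (IP header already stripped), the forged FIN impersonates the server toward the client, the ISNs J=1000 and K=5000 and the HTTP request and reply are constructed, and the client model accepts in-order segments only.

```python
# Added example (not the authors' WebScreen code): the packet-side work a
# pass-by filter does when it sees a client's HTTP request.  Assumptions that
# are mine, not from the slides: the engine receives the TCP segment (header +
# payload, IP header already stripped); the forged FIN impersonates the
# server toward the client; the client model accepts only in-order segments.
import struct
from typing import Optional

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header fields the filter needs, plus the payload."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "payload": segment[data_offset:]}


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int,
              payload: bytes = b"") -> bytes:
    """Encode a segment with a 20-byte header. The checksum is left 0: it needs
    the IP pseudo-header, which this example does not model."""
    off_flags = (5 << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags,
                         65535, 0, 0)
    return header + payload


def extract_url(payload: bytes) -> Optional[str]:
    """Keyword capturing: rebuild the requested URL from the request line and
    the Host header of a GET/PUT/POST request."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "PUT", "POST"):
        return None
    target = parts[1]
    if target.startswith("http://"):             # absolute-form (proxy-style) request
        return target
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            return "http://" + line.split(":", 1)[1].strip().lower() + target
    return None


def forged_fin(request: dict) -> bytes:
    """Sequence-number interception: a FIN the client will take as the server's
    next in-order segment must carry seq = the ack number the client just sent,
    and must ack the whole request so the client does not retransmit it."""
    next_client_seq = (request["seq"] + len(request["payload"])) & 0xFFFFFFFF
    return build_tcp(request["dport"], request["sport"],
                     request["ack"], next_client_seq, FIN | ACK)


class ClientStack:
    """Toy model of the client's receive side: in-order segments only (a real
    stack queues out-of-order data, which does not change the race shown
    here), no data accepted after a FIN, already-passed sequence numbers
    discarded."""

    def __init__(self, rcv_nxt: int):
        self.rcv_nxt, self.state, self.received = rcv_nxt, "ESTABLISHED", b""

    def receive(self, seg: dict) -> str:
        if seg["seq"] != self.rcv_nxt or self.state != "ESTABLISHED":
            return "ignored"
        self.received += seg["payload"]
        self.rcv_nxt = (self.rcv_nxt + len(seg["payload"])) & 0xFFFFFFFF
        if seg["flags"] & FIN:
            self.state = "CLOSE_WAIT"
            self.rcv_nxt = (self.rcv_nxt + 1) & 0xFFFFFFFF
            return "closed"
        return "data"


def run_race(fin_arrives_first: bool):
    """Replay slide 14 with constructed ISNs J=1000, K=5000: one request, then
    the server's reply and the engine's forged FIN in either order."""
    J, K = 1000, 5000
    req = parse_tcp(build_tcp(40000, 80, J + 1, K + 1, PSH | ACK,
                              b"GET /index.html HTTP/1.1\r\nHost: www.lovely.com\r\n\r\n"))
    reply = parse_tcp(build_tcp(80, 40000, K + 1,
                                req["seq"] + len(req["payload"]), PSH | ACK,
                                b"HTTP/1.1 200 OK\r\n\r\nhello"))
    fin = parse_tcp(forged_fin(req))
    client = ClientStack(rcv_nxt=K + 1)
    for seg in ([fin, reply] if fin_arrives_first else [reply, fin]):
        client.receive(seg)
    return client.state, client.received


if __name__ == "__main__":
    print(extract_url(b"GET /index.html HTTP/1.1\r\nHost: www.lovely.com\r\n\r\n"))
    print(run_race(True))    # engine wins the race: reply never reaches the application
    print(run_race(False))   # reply wins: the forged FIN is stale and ignored
```

When the forged FIN arrives first the client ends in CLOSE_WAIT with no reply data delivered; when the reply arrives first the FIN's sequence number is already behind the client's receive pointer and is dropped, which is exactly the "unsuccessful filtering" case on slide 14.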

16 URL Management Technique
Key design:
- URL compression techniques
- In-memory balanced tree of URLs
- Utilizes KSpider's core architecture (URL Manager module)
Benefits:
- 69% averaged compression ratio of URL length (currently supports a list of up to 268 million URLs under 8 GB RAM)
- Almost linear access speed (about 10 microseconds on average)

17 KSpider's Architecture
[Architecture diagram: Scheduler; URL Manager with URL Buffer Queue, In-memory Storage and on-disk URL Storage Manager; Parallel DNS; URL Filter; Data Streamer; URL Processor; URL Extractor; Communicator and Cluster Communicator; Data Collector with HTTP Data Collectors; Storage Manager with Data Compressor and Data Decompressor; Stats Collector; Online indexer; Other processing.]

18 URL Compression Technique: Prefix Balanced Search Tree
Input list: http://www.lovely.com, http://www.lion.com, http://www.lovely12.com, http://www.lovely11.net, http://www.lower13.net
WebScreen list (entry: shared-prefix length, suffix):
0: (0) http://www.lovely.com/
1: (12) ion.com
2: (17) 12.com
3: (18) 1.net
4: (18) 3.net
Each entry stores only the number of leading characters it shares with an earlier entry plus its own suffix; e.g. entry 1 = the first 12 characters of entry 0 ("http://www.l") + "ion.com" = http://www.lion.com, and entry 2 = the first 17 characters ("http://www.lovely") + "12.com" = http://www.lovely12.com.
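The storage idea of slides 16 and 18, as an added example that is not the authors' KSpider/WebScreen code: a sorted URL list split into buckets, each bucket front-coded (shared-prefix length plus suffix) with its first URL kept uncompressed as the binary-search key. The bucket size, the one-byte prefix-length field, and the use of the slide's five toy URLs as the data set are my choices; the real list held 268 million entries, and the 69% ratio on the slides comes from that scale, not from a five-entry list.

```python
# Added example, not the authors' KSpider/WebScreen code: a front-coded
# (shared-prefix) sorted URL list with binary search over bucket heads.
# Bucket size and the toy URL set are my choices (the slide's five URLs).
from bisect import bisect_right
from typing import List, Tuple


def common_prefix_len(a: str, b: str) -> int:
    n = min(len(a), len(b))
    i = 0
    while i < n and a[i] == b[i]:
        i += 1
    return i


def front_code(sorted_urls: List[str]) -> List[Tuple[int, str]]:
    """Replace each URL by (characters shared with the previous URL, suffix).
    The first entry shares nothing, so it is stored in full."""
    encoded, prev = [], ""
    for url in sorted_urls:
        n = common_prefix_len(prev, url)
        encoded.append((n, url[n:]))
        prev = url
    return encoded


def front_decode(encoded: List[Tuple[int, str]]) -> List[str]:
    """Inverse of front_code: rebuild every URL from its predecessor."""
    urls, prev = [], ""
    for n, suffix in encoded:
        prev = prev[:n] + suffix
        urls.append(prev)
    return urls


class FrontCodedUrlList:
    """Sorted URLs in buckets; each bucket is front-coded and its first URL is
    kept uncompressed as the search key.  Lookup: binary search over the bucket
    heads (O(log n)), then decode at most one bucket (O(bucket))."""

    def __init__(self, urls, bucket: int = 4):
        urls = sorted(set(urls))
        self.raw_bytes = sum(len(u) for u in urls)
        self.heads: List[str] = []
        self.buckets: List[List[Tuple[int, str]]] = []
        for i in range(0, len(urls), bucket):
            block = urls[i:i + bucket]
            self.heads.append(block[0])
            self.buckets.append(front_code(block))

    def __contains__(self, url: str) -> bool:
        idx = bisect_right(self.heads, url) - 1
        if idx < 0:                           # smaller than every stored URL
            return False
        prev = ""
        for n, suffix in self.buckets[idx]:
            prev = prev[:n] + suffix          # decode one entry at a time
            if prev == url:
                return True
            if prev > url:                    # passed where url would sit
                return False
        return False

    def encoded_bytes(self) -> int:
        """One byte for the prefix length (assumes prefixes < 256 chars) plus the suffix."""
        return sum(1 + len(s) for b in self.buckets for _, s in b)

    def compression_ratio(self) -> float:
        """Fraction of the raw URL bytes saved by front coding."""
        return 1 - self.encoded_bytes() / self.raw_bytes


SLIDE_URLS = ["http://www.lovely.com", "http://www.lion.com", "http://www.lovely12.com",
              "http://www.lovely11.net", "http://www.lower13.net"]

if __name__ == "__main__":
    lst = FrontCodedUrlList(SLIDE_URLS, bucket=8)
    print(front_code(sorted(SLIDE_URLS)))
    print("http://www.lovely12.com" in lst, "http://www.lovely13.net" in lst)
    print(f"{lst.compression_ratio():.0%} of URL bytes saved")
```

The bucket heads are what a balanced tree over the list would key on; a smaller bucket means more uncompressed heads (less compression) but fewer decode steps per lookup, which is the trade-off behind the slide's 10 µs average and 350 µs worst case.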


20 Performance
- Hijack activation under 0.6 ms
- Test record: 268 million URLs in 8 GB
- Avg. search time 10 µs (350 µs max with 268 million URLs)
- Memory requirement: 34 M URLs per GB
- 69% compression ratio, average 26.5 bytes per URL
- Performance collected on a Dell 2900, Intel Xeon 5160 (3 GHz)


22 Reference Site
- WebScreen agents: CPU 2x dual-core Opteron 2.4 GHz, RAM 8 GB, HD SAS 146 GB; multiple links/interfaces per agent
- In operation since December 2005
- Links: 3 Gbps and 2 Gbps EtherChannel, 2 Gbps Ethernet, 1 Gbps; international gateway via CAT Telecom
- 8 gigabit links spanned to 8 gigabit interfaces in 4 machines

23 Collected Statistics
- Dropping rate: avg. 110 requests/s (9.5 M per day), peak 250 requests/s
- 4.6 Gbps aggregated traffic
- 1.6 M packets/s incoming
- 64 K packets/s HTTP request packets


25 Scalability Planning for 10Gbps
Solution for a 10 Gbps link: deploy a traffic distribution device (1x10 Gbps to 10x1 Gbps); GigaVUE is currently under test.
[Diagram: THAISARN and UNINET 10G links -> GigaVUE1 / GigaVUE2 (LAN mirror port) -> 1G interfaces on the filtering servers.]
Typical servers can handle up to 800 Mbps per 1 Gbps interface.

26 Q&A

27 Thank You

