
NETFLOW analysis infrastructure at Indiana University



Presentation Transcript


  1. NETFLOW analysis infrastructure at Indiana University Gregory Travis Advanced Network Management Lab (ANML) Indiana University greg@iu.edu

  2. What do we do? • Research • Build new DDoS/IDS systems • Learn what’s going on • Operational • Support REN-ISAC • Report upstream

  3. ANML - Network Security • The Abilene NOC was presented with an opportunity to partner with Asta Networks and Arbor Networks via Internet2 • Distributed Denial of Service (DDoS) detection equipment was first installed at the Indianapolis core node in 2000 • The DDoS detection equipment showed *many* DDoS incidents traversing Abilene each day • This was determined to be an opportunity to provide more focus on security for the research and education network space

  4. Indiana University leveraged the security services provided to Abilene, along with the existing Policy and Security arms of the Office of the Vice President for Information Technology, into a proposal to perform the function of the Research and Education Information Sharing and Analysis Center (REN-ISAC) • On February 21st 2003, Indiana University signed an agreement with the National Infrastructure Protection Center to provide the REN-ISAC function • Doug Pearson is the director of the REN-ISAC (www.ren-isac.edu)

  5. What’s an ISAC/REN-ISAC? • ISACs (Information Sharing and Analysis Centers) are cooperative arrangements between private and public entities under the Department of Homeland Security • The REN-ISAC supports the U.S. higher education and research communities by providing advanced network security services • It also supports efforts to protect the national cyber infrastructure

  6. ANML I2 DDoS Monitoring • Multiple systems monitor NETFLOW data looking for indications of attack: • Arbor Networks • Internal exploratory tools • Snort • All systems feed their output into a central event database

  7. What we do with the data • Input into tools for effective exploratory data analysis of NETFLOW data: • Ad-hoc (e.g. flow-tools) • Relational (Postgres) • Third Party/Commercial (Arbor) • Hybrids

  8. Hybrid Project • Provide an SQL-like query language on top of a data storage system optimized for the storage and analysis of NETFLOW. • SQL databases have great expressive capability but are slow at this type of task. • flow-tools is faster, but its expression language is a bit obtuse.
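As an added illustration of the ad-hoc versus relational trade-off in slides 7 and 8 (an editor's example, not ANML's hybrid system or any code from the presentation), the Python below decodes a constructed NetFlow v5 export packet, applies a flow-tools-style equality filter to the rows, and then asks the same kind of question as an SQL aggregate in an in-memory SQLite table. The column names, the sample addresses and the flow counts are assumptions made for the example; the v5 header and record layout follow Cisco's documented format.

```python
import ipaddress
import sqlite3
import struct

# NetFlow v5 wire layout as documented by Cisco: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Row layout used throughout (an assumption of this example):
COLUMNS = ("src", "dst", "proto", "sport", "dport", "pkts", "octets", "tcp_flags")

def build_export(rows):
    """Build a NetFlow v5 export packet from rows; used here only to construct test input."""
    header = V5_HEADER.pack(5, len(rows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0" * 4, 1, 2, pkts, octets, 0, 0, sport, dport, 0, flags, proto,
                       0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets, flags in rows)
    return header + body

def parse_export(data):
    """Decode one export packet into rows. Refuses non-v5 and truncated packets rather than
    silently producing partial counts, which would later look like a 'data anomaly'."""
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header promises %d records" % count)
    rows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        # f[5]=dPkts f[6]=dOctets f[9]=srcport f[10]=dstport f[12]=tcp_flags f[13]=prot
        rows.append((str(ipaddress.IPv4Address(f[0])), str(ipaddress.IPv4Address(f[1])),
                     f[13], f[9], f[10], f[5], f[6], f[12]))
    return rows

def flowtools_style(rows, **match):
    """Ad-hoc filtering in the flow-tools spirit: keep rows whose columns equal the given
    values, e.g. flowtools_style(rows, dport=80, proto=6)."""
    idx = {name: COLUMNS.index(name) for name in match}
    return [r for r in rows if all(r[idx[k]] == v for k, v in match.items())]

def load_flows(rows):
    """Relational approach: the same rows in an in-memory SQLite table with a destination index."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (src TEXT, dst TEXT, proto INTEGER, sport INTEGER, "
               "dport INTEGER, pkts INTEGER, octets INTEGER, tcp_flags INTEGER)")
    db.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?,?)", rows)
    db.execute("CREATE INDEX flows_dst ON flows(dst)")
    return db

def top_destinations(db, limit=3):
    """SQL states the analyst's question directly: who receives the most packets, from how many sources?"""
    return db.execute(
        "SELECT dst, SUM(pkts), COUNT(DISTINCT src) FROM flows "
        "GROUP BY dst ORDER BY SUM(pkts) DESC LIMIT ?", (limit,)).fetchall()

# Constructed sample: a small SYN flood toward 10.1.2.3 plus ordinary HTTPS traffic.
SAMPLE = [
    ("192.0.2.10", "10.1.2.3", 6, 40001, 80, 5000, 200000, 0x02),
    ("192.0.2.11", "10.1.2.3", 6, 40002, 80, 4800, 192000, 0x02),
    ("192.0.2.12", "10.1.2.3", 6, 40003, 80, 3000, 120000, 0x02),
    ("198.51.100.5", "10.1.2.20", 6, 51000, 443, 12, 4000, 0x18),
    ("198.51.100.6", "10.1.2.20", 6, 51001, 443, 30, 9000, 0x18),
    ("10.1.2.20", "198.51.100.6", 6, 443, 51001, 25, 30000, 0x18),
]

if __name__ == "__main__":
    rows = parse_export(build_export(SAMPLE))
    print("SYN-only flows to port 80:", len(flowtools_style(rows, dport=80, tcp_flags=0x02)))
    for dst, pkts, srcs in top_destinations(load_flows(rows)):
        print(f"{dst:<12} {pkts:>7} packets from {srcs} source(s)")
```

The equality filter is what flow-tools style tooling does well: fast, but every new question is a new program. The SQL form expresses the grouping, the distinct-source count and the ordering in one statement, which is the expressiveness the hybrid project wants to keep while replacing the row-store underneath it with something built for flow volume.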

  9. Collection infrastructure (diagram): I2 routers → Indianapolis Gigapop → flow collectors (Arbor/ANML/etc.) → ANML Bloomington

  10. How much data? • Anonymized I2 NETFLOW repository. • Short term SQL DB. • 3 month cache of data • ~1 Terabyte of storage. • ~7000 records per second • ~600 million per Day • Large seasonal variations

  11. DDoS Summary Reporting

  12. A typical day of DDoS • Typical daily totals: • High alerts: 6 • Medium alerts: 6 • Low alerts: 43 • Severity is related to how far traffic exceeds administrative thresholds

  13. Worm tracking

  14. Two types of data • We’ve been talking about anomaly tracking via NETFLOW, but signature-based systems deserve mention too • Both methods have their strengths and weaknesses • Typically you will need to do both

  15. NETFLOW • Very useful for monitoring high-volume networks • Doesn’t have the wiretapping implications that signature matching does • Data is already aggregated/depersonalized • But you can’t “see the data”, which is both good and bad • Sometimes difficult to know whether an attack is real or just a data anomaly • Blaster example
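The threshold-graded severity of slide 12 and the "real attack or data anomaly" point of slide 15, as an added example that is not ANML's detection code: flow records for one window are aggregated per destination and graded by how far the packet rate exceeds an administrative threshold, and separately scanned for a worm-style sweep. The Blaster case is modelled here as one source touching many distinct destinations on TCP/135 with one-packet flows, which is the shape a sweep has when payload is not visible; the thresholds, severity multipliers, window length and sample addresses are all assumptions of the example.

```python
from collections import defaultdict

# Site thresholds and severity multipliers are policy choices; the values here are
# assumptions for the example, not ANML's configuration.
PPS_THRESHOLD = 1000       # packets/second towards a single destination
FANOUT_THRESHOLD = 50      # distinct destinations one source touches on the watched port
WINDOW_SECONDS = 60        # aggregation window the flow records cover

def severity(ratio):
    """Alert level from how far the observed rate exceeds the threshold (ratio = rate/threshold)."""
    if ratio >= 10:
        return "high"
    if ratio >= 3:
        return "medium"
    if ratio >= 1:
        return "low"
    return None

def flood_alerts(flows, window=WINDOW_SECONDS, threshold=PPS_THRESHOLD):
    """Per-destination packet rate over the window, graded against the threshold.
    flows: iterable of (src, dst, proto, dport, pkts). Returns {dst: (level, ratio)}."""
    pkts_to = defaultdict(int)
    for _src, dst, _proto, _dport, pkts in flows:
        pkts_to[dst] += pkts
    alerts = {}
    for dst, pkts in pkts_to.items():
        ratio = pkts / window / threshold
        level = severity(ratio)
        if level:
            alerts[dst] = (level, round(ratio, 1))
    return alerts

def scan_alerts(flows, port=135, threshold=FANOUT_THRESHOLD):
    """Sources that touch more than `threshold` distinct destinations on TCP/`port`.
    Returns {src: (distinct_destinations, mean_pkts_per_flow)}. A mean near 1 means
    SYN-only probing: without payload, fan-out plus tiny flows is the evidence you have,
    and a mean of tens of packets per flow is what a busy but legitimate RPC client looks like."""
    targets = defaultdict(set)
    pkts = defaultdict(int)
    count = defaultdict(int)
    for src, dst, proto, dport, n in flows:
        if proto == 6 and dport == port:
            targets[src].add(dst)
            pkts[src] += n
            count[src] += 1
    return {src: (len(d), round(pkts[src] / count[src], 1))
            for src, d in targets.items() if len(d) > threshold}

def sample_flows():
    """Constructed flow records for one 60-second window (not real ANML data)."""
    flows = []
    # SYN flood against 10.1.2.3 from three sources: 900k packets in 60 s = 15x threshold
    flows += [("192.0.2.%d" % i, "10.1.2.3", 6, 80, 300_000) for i in (10, 11, 12)]
    # 10.1.2.4 gets 300k packets (5x), 10.1.2.5 gets 70k (1.2x), 10.1.2.6 stays under threshold
    flows += [("198.51.100.7", "10.1.2.4", 17, 53, 300_000),
              ("198.51.100.8", "10.1.2.5", 6, 443, 70_000),
              ("198.51.100.9", "10.1.2.6", 6, 443, 5_000)]
    # Sweep: one source, 80 distinct neighbours, one packet each to TCP/135
    flows += [("10.1.5.7", "10.1.9.%d" % h, 6, 135, 1) for h in range(1, 81)]
    # A host that legitimately talks RPC to a few servers stays under the fan-out threshold
    flows += [("10.1.5.8", "10.1.10.%d" % h, 6, 135, 40) for h in range(1, 4)]
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    for dst, (level, ratio) in sorted(flood_alerts(flows).items()):
        print(f"{level:<6} {dst:<10} {ratio}x threshold")
    for src, (fanout, mean) in scan_alerts(flows).items():
        print(f"sweep  {src:<10} {fanout} targets on tcp/135, {mean} pkts/flow")
```

Two caveats the slide hints at are visible in the numbers: a destination sitting just over 1x is a "low" that an exporter hiccup or a duplicated export could produce on its own, so low alerts are worth checking against collector health before anyone is paged; and fan-out alone does not prove a worm, which is why the mean flow size is carried alongside the count rather than folded into a single score.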

  16. Signature matching • Actually looking at the data on the wire for specific DDoS/worm/etc. “signatures” • VERY compute intensive • Not practical “at wire speed” on a backbone • Typically deployed on a per-LAN basis

  17. “Warscoping” • ANML is developing location services for wireless devices • There are a number of situations where it’s important to be able to physically locate a wireless device: • “911” services • Troubleshooting • Locating nefarious actors

  18. Other techniques we use • Honeypots • Tripwire • SEBEK • Warscoping • Geolocation

  19. Warscope display

  20. Sebek Analysis
