1 / 27

Network Monitoring and Security

Network Monitoring and Security. Nick Feamster CS 4251 Spring 2008. Network Measurement. Passive vs. Active Measurement. Passive Measurement: Collection of packets, flow statistics of traffic that is already flowing on the network Packet traces Flow statistics Application-level logs

morley
Download Presentation

Network Monitoring and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Monitoring and Security Nick FeamsterCS 4251Spring 2008

  2. Network Measurement

  3. Passive vs. Active Measurement • Passive Measurement:Collection of packets, flow statistics of traffic that is already flowing on the network • Packet traces • Flow statistics • Application-level logs • Active Measurement: Inject “probing” traffic to measure various characteristics • Traceroute • Ping • Application-level probes (e.g., Web downloads)

  4. Billing for Internet Usage • 95th Percentile billing • Customer network pays for “committed information rate” (CIR) • Throughput measured every 5 minutes (typically with SNMP; flow statistics also can be used for billing) • Customer billed based on 95th percentile

  5. Passive Traffic Data Measurement • SNMP byte/packet counts: everywhere • Packet monitoring: selected locations • Flow monitoring: typically at edges (if possible) • Direct computation of the traffic matrix • Input to denial-of-service attack detection • Deep Packet Inspection: also at edge, where possible

  6. Simple Network Management Protocol • Management Information Base (MIB) • Information store • Unique variables named by OIDs • Accessed with SNMP • Specific MIBs for byte/packet counts (per link) SNMP Manager Agent ManagedObjects DB

  7. SNMP (Passive) • Advantage: ubiquitous • Supported on all networking equipment • Multiple products for polling and analyzing data • Disadvantages: see Lecture 6 • Coarse granularity • Cannot express complex queries on the data • Unreliable delivery of the data using UDP • Utility • Link utilization (billing) • Traffic matrix inference

  8. Packet-level Monitoring • Passive monitoring to collect full packet contents (or at least headers) • Advantages: lots of detailed information • Precise tming information • Information in packet headers • Disadvantages: overhead • Hard to keep up with high-speed links • Often requires a separate monitoring device

  9. Full Packet Capture (Passive) Example:Georgia Tech OC3Mon • Rack-mounted PC • Optical splitter • Data Acquisition and Generation (DAG) card Source: endace.com

  10. What is a flow? • Source IP address • Destination IP address • Source port • Destination port • Layer 3 protocol type • TOS byte (DSCP) • Input logical interface (ifIndex)

  11. Core Network Cisco Netflow • Basic output: “Flow record” • Most common version is v5 • Current version (9) is being standardized in the IETF (template-based) • More flexible record format • Much easier to add new flow record types Collector (PC) Approximately 1500 bytes 20-50 flow records Sent more frequently if traffic increases Collection and Aggregation

  12. Flow Record Contents • Source and Destination, IP address and port • Packet and byte counts • Start and end times • ToS, TCP flags Basic information about the flow… …plus, information related to routing • Next-hop IP address • Source and destination AS • Source and destination prefix

  13. Aggregating Packets into Flows • Criteria 1: Set of packets that “belong together” • Source/destination IP addresses and port numbers • Same protocol, ToS bits, … • Same input/output interfaces at a router (if known) • Criteria 2: Packets that are “close” together in time • Maximum inter-packet spacing (e.g., 15 sec, 30 sec) • Example: flows 2 and 4 are different flows due to time flow 4 flow 1 flow 2 flow 3

  14. Reducing Measurement Overhead • Filtering:on interface • destination prefix for a customer • port number for an application (e.g., 80 for Web) • Sampling: before insertion into flow cache • Random, deterministic, or hash-based sampling • 1-out-of-n or stratified based on packet/flow size • Two types: packet-level and flow-level • Aggregation: after cache eviction • packets/flows with same next-hop AS • packets/flows destined to a particular service

  15. Packet Sampling • Packet sampling before flow creation (Sampled Netflow) • 1-out-of-m sampling of individual packets (e.g., m=100) • Create of flow records over the sampled packets • Reducing overhead • Avoid per-packet overhead on (m-1)/m packets • Avoid creating records for a large number of small flows • Increasing overhead (in some cases) • May split some long transfers into multiple flow records • … due to larger time gaps between successive packets time not sampled timeout two flows

  16. Sampling: Flow-Level Sampling • Sampling of flow records evicted from flow cache • When evicting flows from table or when analyzing flows • Stratified sampling to put weight on “heavy” flows • Select all long flows and sample the short flows • Reduces the number of flow records • Still measures the vast majority of the traffic sample with 0.1% probability Flow 1, 40 bytes Flow 2, 15580 bytes Flow 3, 8196 bytes Flow 4, 5350789 bytes Flow 5, 532 bytes Flow 6, 7432 bytes sample with 100% probability sample with 10% probability

  17. Two Main Approaches • Packet-level Monitoring • Keep packet-level statistics • Examine (and potentially, log) variety of packet-level statistics. Essentially, anything in the packet. • Timing • Flow-level Monitoring • Monitor packet-by-packet (though sometimes sampled) • Keep aggregate statistics on a flow

  18. Packet Capture on High-Speed Links Example:Georgia Tech “OC3Mon” • Rack-mounted PC • Optical splitter • Data Acquisition and Generation (DAG) card Source: endace.com

  19. Characteristics of Packet Capture • Allows inpsection on every packet on 10G links • Disadvantages • Costly • Requires splitting optical fibers • Must be able to filter/store data

  20. Routing: Monitoring and Security

  21. S-BGP • Address-based PKI: validate signatures • Authentication of • ownership for IP address blocks, • AS number, • an AS's identity, and • a BGP router's identity • Use existing infrastructure (Internet registries etc.) • Routing origination is digitally signed • BGP updates are digitally signed 􀂄 • Route attestations:A new, optional, BGP transitive path attribute • carries digital signatures covering the routing information in updates

  22. Attestations: Update Format BGP Hdr: Withdrawn NLRI, Path Attributes, Dest. NLRI • Address attestation is usually omitted Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG RouteAttestations Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG Owning Org, NLRI, first Hop AS, SIG Address Attestation Question: Why are there multiple route attestations?

  23. Attestation Format: More Details • Issuer: an AS • Certificate ID:for joining with certificate information received from third party • AS Path • Validity: how long is this routing update good?

  24. Reducing Message Overhead • Problem: How to distribute certificates, revocation lists, address attestations? • Note: This data is quite redundant across updates • Solution: use servers for these data items • replicate for redundancy & scalability • locate at NAPs for direct (non-routed) access • download options: • whole certificate/AA/CRL databases • queries for specific certificates/AAs/CRLs

  25. S-BGP Optimizations • Handling peak loads (e.g., BGP session reset) • Extra CPUs • Deferred verification • Background verification of alternate routes • Observation: Most updates caused by “flapping” • Cache previously validated routes

  26. Practical Problems with S-BGP • Requires Public-Key Infrastructure • Lots of digital signatures to calculate and verify. • Message overhead • CPU overhead • Calculation expense is greatest when topology is changing • Caching can help • Route aggregation is problematic (maybe that’s OK) • Secure route withdrawals when link or node fails? • Address ownership data out of date • Deployment

  27. What Attacks Does S-BGP Not Prevent? • Message suppression:Failure to advertise route withdrawal • Replay attacks:Premature re-advertisement of withdrawn routes • Data plane security:Erroneous traffic forwarding, bogus traffic generation, etc. (not really a BGP issue)

More Related