Linux Implementation of P2P Detection and Traffic Shaping

Experiences in Deploying Machines Registration and Integrated Linux Firewall with Traffic Shaper for Large Campus Network

Kasom Koth-arsa (1), Surasak Sanguanpong (2), Pirawat Watanpongse (2), Surachai Chitpinityon (3), Chalermpol Chatampan (3)
{Kasom.K, Surasak.S, Pirawat.W, Surachai.Ch, cpccpc}@ku.ac.th
(1) Engineering Computer Center, Faculty of Engineering
(2) Department of Computer Engineering, Faculty of Engineering
(3) Office of Computer Services
Kasetsart University

APAN, Xi’an, Network Security, 29th August 2007
This work is partially supported by Commission of Higher Education (CHE), UniNET, Thailand

Kasetsart University
- Established in 1943 A.D.
- 7 campuses with ~43,000 students and ~9,600 academic and support staff

NontriNet Quick Facts
University Network - NontriNet
- 41,992 MAC addresses (as of 2007/08/28), made up of:
  - 8,852 clients (personal, wired)
  - 3,269 clients (service, wired)
  - 29,342 clients (wireless)
  - 495 servers
  - 34 misc. devices
- Avg. in/out traffic: 550/490 Mbps
[Network diagram, not reproduced: the Bangkhen campus core (10 GigE links) connects to the Internet, JGN, TIEN2, ThaiSARN and UniNet; the external link speeds shown are 45 Mbps, 155 Mbps, 630 Mbps, 1 Gbps, 1 Gbps and 1 Gbps (backup); the SakonNakhon, Supan Buri, SriRacha and Kampaengsaen campuses are attached over 2 Mbps and 34 Mbps links.]

Obstacles & Opportunities
- Large number of hosts
  - Hard to keep track
- Non-productive bandwidth usage
  - P2P file sharing
  - QoS issues
  - Security issues

Special Requirements
- Fully-integrated information database
- Low cost
- Customizable
- Extensible
- Scalable

Our Designed Features
- Web-based machine registration
- Linux firewall & traffic shaper extension

SMART (Simple Machine Address Registration Tool)
- Mandatory web-based machine registration
- Registration enforcement agent: the Overlord
- Centralized database: the Command Center
- Distributed data entry: the Interface

SMART: Architecture Diagram
[Diagram: the Command-Center sends Policies to the Overlord and Detection Rules to the Observer, and receives Statistics from the Overlord and Detected Incidents from the Observer. Both the Overlord and the Observer sniff packets on the target subnetwork; the Overlord additionally injects packets into it (TCP hijacking).]

Command Center
[Diagram: the Command-Center consists of a Database Manager holding detection rules, the list of Overlords and Observers, network anomaly records, statistics, logs, documents, users, MAC addresses and policies; a Communicator that sends Policies to the Overlords and Detection Rules to the Observers and receives Statistics and Detected Incidents back; and a Web Interface used by administrators and users.]

Overlord (TCP Hijack)
[Diagram: the Overlord's Communicator receives Policies from the Command Center and returns Statistics. A Policy Checker works from a table of MACs' policy and statistics. A Packet Sniffer reads packets from the target subnetwork and a Packet Injector writes injected packets (TCP hijacking) back into it.]

Observer
[Diagram: the Observer's Communicator receives Detection Rules from the Command Center and reports Detected Incidents. A Packet Sniffer feeds sniffed packets from the target subnetwork to a Pattern Matcher that works from a table of detection rules.]

Linux Firewall & Traffic Shaper Extension
- Intelligent master controller
- User-friendly configuration interface
- Automatic egress SYN-flood/P2P blocking
- Per-host traffic shaping

Mechanism
- Use a Linux server as a bridge
- Traffic classification through iptables
- Traffic control through tc
- Use IPP2P and our in-house daemon to identify P2P traffic
- Use our in-house daemon to detect some problematic network patterns

Hardware
- Dell PowerEdge 2900
- Xeon 5160 dual core (3.0 GHz)
- 1 GB of RAM
- 160 GB SATA hard disk
- 2 x Sun 10 Gigabit Ethernet Controller PCI Express cards (SR module)

Software
- Linux 2.6.18-8.1.8.el5 (CentOS's stock kernel) on CentOS 5 (64-bit)
- bridge-utils
- ebtables
- iptables
- IPP2P
- Our in-house daemon, which automatically adjusts the shaping/blocking policy

Simplified Network Diagram
[Diagram: a Gateway Router (OSPF/BGP) faces UniNet and NECTEC. A 10 GigE link runs from the gateway router to the Traffic Shaper/Firewall (Bridge) and another 10 GigE link from the bridge to the Core Router (OSPF). A third 10 GigE link between the gateway router and the core router is the bypass/failover path for IPv4 and the main connection for IPv6 and multicast IPv4. Gigabit Ethernet links fan out from the core router.]

How we shape the traffic
- Use iptables' 'MARK' target to mark the class of traffic for every packet
- Hierarchical Token Bucket (HTB) as the packet shaper
- Stochastic Fairness Queuing (SFQ) as the queuing algorithm

Traffic Classification
- Port-based
- Content-based (L7), using IPP2P through iptables
- Automatically adjust iptables' rules using our daemon

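The Mechanism, "How we shape the traffic" and Traffic Classification slides describe the pipeline (Linux bridge, iptables MARK classification with port-based rules and the IPP2P content match, HTB with SFQ leaves) without showing any configuration. The script below is an added example written for this page, not the authors' code: it builds the bridge with brctl, marks forwarded packets in the mangle table, hangs an HTB tree with SFQ leaves off each bridge port and steers packets into classes by their fw mark. Interface names (eth0/eth1/br0), rates, mark values and class ids are assumptions. DRY_RUN=1 prints the commands instead of executing them, so the generated configuration can be reviewed without root; a real run needs root, bridge-utils, iproute2 and the ipp2p iptables match.

```shell
#!/bin/sh
# Added example (not the authors' code): transparent Linux bridge with
# iptables MARK classification and an HTB/SFQ shaper, following the
# mechanism the slides describe (bridge-utils, iptables + IPP2P, tc).
# Interface names, rates, mark values and class ids are assumptions.
# Set DRY_RUN=1 to print the commands instead of running them.

LAN_IF=${LAN_IF:-eth0}            # bridge port facing the core router (campus)
WAN_IF=${WAN_IF:-eth1}            # bridge port facing the gateway router
BR_IF=${BR_IF:-br0}
LINK_RATE=${LINK_RATE:-1000mbit}  # assumed capacity of the shaped link
P2P_RATE=${P2P_RATE:-50mbit}      # assumed daytime ceiling for the P2P class

# Mark values: set by iptables, matched by "tc filter ... handle N fw"
MARK_WEB=1
MARK_P2P=2
MARK_OTHER=3

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bridge() {
    run brctl addbr "$BR_IF"
    run brctl addif "$BR_IF" "$LAN_IF"
    run brctl addif "$BR_IF" "$WAN_IF"
    run ip link set "$LAN_IF" up
    run ip link set "$WAN_IF" up
    run ip link set "$BR_IF" up
}

# Classification in the mangle FORWARD chain: port-based rules first, then
# the content-based IPP2P match, then a catch-all for still-unmarked packets.
classify_traffic() {
    run iptables -t mangle -F FORWARD
    run iptables -t mangle -A FORWARD -p tcp -m multiport --ports 80,443 \
        -j MARK --set-mark "$MARK_WEB"
    run iptables -t mangle -A FORWARD -m ipp2p --ipp2p \
        -j MARK --set-mark "$MARK_P2P"
    run iptables -t mangle -A FORWARD -m mark --mark 0 \
        -j MARK --set-mark "$MARK_OTHER"
}

# HTB tree on one bridge port (egress of that port is one traffic direction).
# One class per mark; SFQ on every leaf so a single flow cannot starve the
# other flows in its class.
setup_shaper() {
    dev=$1
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE" ceil "$LINK_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 400mbit ceil "$LINK_RATE" prio 1
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$P2P_RATE" ceil "$P2P_RATE" prio 3
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 400mbit ceil "$LINK_RATE" prio 2
    for leaf in 10 20 30; do
        run tc qdisc add dev "$dev" parent 1:$leaf handle $leaf: sfq perturb 10
    done
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$MARK_WEB" fw classid 1:10
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$MARK_P2P" fw classid 1:20
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$MARK_OTHER" fw classid 1:30
}

# Policy change a daemon can apply without rebuilding the tree, e.g. a larger
# P2P allowance at night and the daytime ceiling again in the morning.
set_p2p_rate() {
    dev=$1; rate=$2
    run tc class change dev "$dev" parent 1:1 classid 1:20 htb rate "$rate" ceil "$rate" prio 3
}

build_shaper() {
    setup_bridge
    classify_traffic
    setup_shaper "$WAN_IF"   # campus -> Internet (outgoing)
    setup_shaper "$LAN_IF"   # Internet -> campus (incoming)
}

if [ "${1:-}" = "--build" ]; then
    build_shaper
fi
```

Two checks worth making before trusting such a setup: the mangle FORWARD rules only see bridged frames when the kernel's bridge-netfilter hook is on (net.bridge.bridge-nf-call-iptables=1, the default with the bridge module of the 2.6.18 era), and the IPP2P match only recognises the protocols its signature list covers, so anything it misses lands in the default class rather than the P2P class; the slides' daemon is what adjusts the rules when that happens.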
Sample Reports - Bandwidth
[Graphs of incoming and outgoing traffic (bandwidth), annotated "Stop Shaping" and "Restart Shaping".] Shaping was turned off from Friday morning to Monday morning.

Sample Reports - Packet
[Graphs of incoming and outgoing traffic (packet rate), annotated "Stop Shaping" and "Restart Shaping".] Shaping was turned off from Friday morning to Monday morning.

Sample Reports - SYN Flood Blocking
[Graphs: bandwidth of the real outgoing traffic, and packet rate of the attempted outgoing traffic.] A host infected with an Internet worm sent a large number of SYN packets at 9:19.

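The slides say the in-house daemon blocks egress SYN floods automatically but do not show how a flooding host is picked out. The script below is an added example written for this page, not the authors' daemon: it implements the detection step over a constructed sniffer log (one record per packet: time, source, destination, destination port, TCP flags), counts SYN-only packets and distinct destinations per campus source in a sampling window, and prints the iptables rule that would drop further SYNs from any host over both thresholds. The record format, the thresholds, the 10.1. campus prefix and the eth0 bridge port are assumptions, and the sample does not reproduce the 9:19 incident above.

```shell
#!/bin/sh
# Added example (not the authors' daemon): detection step of an egress
# SYN-flood blocker. Input records look like
#   HH:MM:SS src dst dport tcpflags
# Record format, thresholds, address prefix and interface name are assumptions.

SYN_THRESHOLD=${SYN_THRESHOLD:-100}   # SYNs in one sampling window
DST_THRESHOLD=${DST_THRESHOLD:-50}    # distinct destinations in the window
CAMPUS_PREFIX=${CAMPUS_PREFIX:-10.1.} # only campus sources are candidates
LAN_IF=${LAN_IF:-eth0}                # bridge port the campus hosts sit behind

# Constructed sample: two hosts with ordinary, completing connections and one
# worm-like host that sprays 150 SYNs at 150 different hosts on port 445.
make_sample_log() {
    printf '%s\n' \
        '09:19:01 10.1.2.3 203.0.113.10 80 S' \
        '09:19:01 10.1.2.3 203.0.113.10 80 PA' \
        '09:19:03 10.1.5.5 203.0.113.20 443 S' \
        '09:19:03 10.1.5.5 203.0.113.20 443 PA'
    i=1
    while [ "$i" -le 150 ]; do
        printf '09:19:%02d 10.1.9.9 198.51.100.%d 445 S\n' $((i % 60)) $((i % 250 + 1))
        i=$((i + 1))
    done
}

# Usage: find_syn_flooders [syn_threshold] [dst_threshold]  < log
# Prints "host syn_count distinct_dst" for every host over both thresholds.
# Requiring many distinct destinations separates a scanning worm from a busy
# but legitimate client that keeps reconnecting to a few servers.
find_syn_flooders() {
    awk -v thr="${1:-$SYN_THRESHOLD}" -v dthr="${2:-$DST_THRESHOLD}" \
        -v pfx="$CAMPUS_PREFIX" '
        $5 == "S" && index($2, pfx) == 1 {
            syn[$2]++
            if (!(($2, $3) in seen)) { seen[$2, $3] = 1; dst[$2]++ }
        }
        END {
            for (h in syn)
                if (syn[h] >= thr && dst[h] >= dthr) print h, syn[h], dst[h]
        }' | sort
}

# Turns each detected host into the rule a daemon would install on the
# bridge: drop new outbound SYNs from that host only, so the machine stays
# reachable for cleanup. physdev is the bridge-aware iptables match.
syn_block_rules() {
    find_syn_flooders "$@" | while read -r host syns dsts; do
        printf 'iptables -I FORWARD -m physdev --physdev-in %s -s %s -p tcp --syn -j DROP\n' \
            "$LAN_IF" "$host"
    done
}

if [ "${1:-}" = "--demo" ]; then
    make_sample_log | syn_block_rules
fi
```

Run with --demo to see the one rule the sample produces. In production the log would come from the sniffer on the bridge, the window would be re-evaluated periodically, and the rule would be removed again once the host stops, which is the part the slides' daemon automates.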
Sample Reports - Shaping by Classes
[Per-class traffic graph.] Traffic shaping was turned off from 21:21 to 21:53.

Sample Reports - Shaping by Classes
[Per-class traffic graph with three annotated periods: P2P traffic allowed in the night; no P2P allowed; P2P allowed in the night.]

Misc. reports
[Screenshots: last-seen IP matrix; detected hosts; number of last-seen hosts.]

Conclusions
- Complete control of unregistered machines
- Prevents unauthorized/unregistered network usage
- Automatic cooperation between registration and firewall/traffic shaping
- Complete control of P2P traffic under the desired policy (class, usage period, bandwidth, etc.)
- Prevents our machines from becoming a source of SYN-flood attacks

Conclusions (cont.)
- Frees up NOC officers' time
- Real-world, low-cost, high-efficiency implementation (currently online)

References
- The Official BitTorrent Home Page, http://www.bittorrent.org/
- Kazaa, http://www.kazaa.com/
- Netfilter/iptables project homepage, http://www.netfilter.org/
- Official IPP2P homepage, http://www.ipp2p.org/
- HTB home, http://luxik.cdi.cz/~devik/qos/htb/
- SFQ queuing discipline, http://www.opalsoft.net/qos/DS-25.htm

Questions?

Thank you