Transcript L19

Network Monitoring and
Security
Nick Feamster
CS 4251
Spring 2008
Network Measurement
Passive vs. Active Measurement
• Passive Measurement: Collection of packets, flow
statistics of traffic that is already flowing on the network
– Packet traces
– Flow statistics
– Application-level logs
• Active Measurement: Inject “probing” traffic to measure
various characteristics
– Traceroute
– Ping
– Application-level probes (e.g., Web downloads)
Billing for Internet Usage
• 95th Percentile billing
– Customer network pays for “committed information
rate” (CIR)
– Throughput measured every 5 minutes (typically with
SNMP; flow statistics also can be used for billing)
– Customer billed based on 95th percentile
Passive Traffic Data Measurement
• SNMP byte/packet counts: everywhere
• Packet monitoring: selected locations
• Flow monitoring: typically at edges (if possible)
– Direct computation of the traffic matrix
– Input to denial-of-service attack detection
• Deep Packet Inspection: also at edge, where
possible
Simple Network Management Protocol
• Management Information
Base (MIB)
– Information store
– Unique variables named by
OIDs
– Accessed with SNMP
• Specific MIBs for
byte/packet counts (per link)
SNMP
Manager
DB
Agent
Managed
Objects
SNMP (Passive)
• Advantage: ubiquitous
– Supported on all networking equipment
– Multiple products for polling and analyzing data
• Disadvantages: see Lecture 6
– Coarse granularity
– Cannot express complex queries on the data
– Unreliable delivery of the data using UDP
• Utility
– Link utilization (billing)
– Traffic matrix inference
Packet-level Monitoring
• Passive monitoring to collect full packet contents
(or at least headers)
• Advantages: lots of detailed information
– Precise tming information
– Information in packet headers
• Disadvantages: overhead
– Hard to keep up with high-speed links
– Often requires a separate monitoring device
Full Packet Capture (Passive)
Example: Georgia Tech OC3Mon
• Rack-mounted PC
• Optical splitter
• Data Acquisition and
Generation (DAG) card
Source: endace.com
What is a flow?
•
•
•
•
•
•
•
Source IP address
Destination IP address
Source port
Destination port
Layer 3 protocol type
TOS byte (DSCP)
Input logical interface (ifIndex)
Cisco Netflow
• Basic output: “Flow record”
– Most common version is v5
• Current version (9) is being standardized in the IETF
(template-based)
– More flexible record format
– Much easier to add new flow record types
Core Network
Collection and
Aggregation
Approximately 1500 bytes
20-50 flow records
Sent more frequently if traffic increases
Collector
(PC)
Flow Record Contents
Basic information about the flow…
•
•
•
•
Source and Destination, IP address and port
Packet and byte counts
Start and end times
ToS, TCP flags
…plus, information related to routing
• Next-hop IP address
• Source and destination AS
• Source and destination prefix
Aggregating Packets into Flows
flow 1
flow 2
flow 3
• Criteria 1: Set of packets that “belong together”
– Source/destination IP addresses and port numbers
– Same protocol, ToS bits, …
– Same input/output interfaces at a router (if known)
• Criteria 2: Packets that are “close” together in time
– Maximum inter-packet spacing (e.g., 15 sec, 30 sec)
– Example: flows 2 and 4 are different flows due to time
flow 4
Reducing Measurement Overhead
• Filtering: on interface
– destination prefix for a customer
– port number for an application (e.g., 80 for Web)
• Sampling: before insertion into flow cache
– Random, deterministic, or hash-based sampling
– 1-out-of-n or stratified based on packet/flow size
– Two types: packet-level and flow-level
• Aggregation: after cache eviction
– packets/flows with same next-hop AS
– packets/flows destined to a particular service
Packet Sampling
• Packet sampling before flow creation (Sampled Netflow)
– 1-out-of-m sampling of individual packets (e.g., m=100)
– Create of flow records over the sampled packets
• Reducing overhead
– Avoid per-packet overhead on (m-1)/m packets
– Avoid creating records for a large number of small flows
• Increasing overhead (in some cases)
– May split some long transfers into multiple flow records
– … due to larger time gaps between successive packets
time
not sampled
timeout
two flows
Sampling: Flow-Level Sampling
• Sampling of flow records evicted from flow cache
– When evicting flows from table or when analyzing flows
• Stratified sampling to put weight on “heavy” flows
– Select all long flows and sample the short flows
• Reduces the number of flow records
– Still measures the vast majority of the traffic
Flow
Flow
Flow
Flow
Flow
Flow
1,
2,
3,
4,
5,
6,
40 bytes
15580 bytes
8196 bytes
5350789 bytes
532 bytes
7432 bytes
sample with 0.1% probability
sample with 100% probability
sample with 10% probability
Two Main Approaches
• Packet-level Monitoring
– Keep packet-level statistics
– Examine (and potentially, log) variety of packet-level
statistics. Essentially, anything in the packet.
– Timing
• Flow-level Monitoring
– Monitor packet-by-packet (though sometimes
sampled)
– Keep aggregate statistics on a flow
Packet Capture on High-Speed Links
Example: Georgia Tech “OC3Mon”
• Rack-mounted PC
• Optical splitter
• Data Acquisition and
Generation (DAG) card
Source: endace.com
Characteristics of Packet Capture
• Allows inpsection on every packet on 10G links
• Disadvantages
– Costly
– Requires splitting optical fibers
– Must be able to filter/store data
Routing: Monitoring and Security
S-BGP
• Address-based PKI: validate signatures
– Authentication of
• ownership for IP address blocks,
• AS number,
• an AS's identity, and
• a BGP router's identity
– Use existing infrastructure (Internet registries etc.)
– Routing origination is digitally signed
– BGP updates are digitally signed
􀂄
• Route attestations: A new, optional, BGP transitive path attribute
– carries digital signatures covering the routing information in updates
Attestations: Update Format
BGP Hdr: Withdrawn NLRI, Path Attributes, Dest. NLRI
Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
Route
Attestations
Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
Owning Org, NLRI, first Hop AS, SIG
Address
Attestation
• Address attestation is usually omitted
Question: Why are there multiple route attestations?
Attestation Format: More Details
• Issuer: an AS
• Certificate ID: for joining with certificate
information received from third party
• AS Path
• Validity: how long is this routing update good?
Reducing Message Overhead
• Problem: How to distribute certificates,
revocation lists, address attestations?
– Note: This data is quite redundant across updates
• Solution: use servers for these data items
– replicate for redundancy & scalability
– locate at NAPs for direct (non-routed) access
– download options:
• whole certificate/AA/CRL databases
• queries for specific certificates/AAs/CRLs
S-BGP Optimizations
• Handling peak loads (e.g., BGP session reset)
– Extra CPUs
– Deferred verification
– Background verification of alternate routes
• Observation: Most updates caused by “flapping”
– Cache previously validated routes
Practical Problems with S-BGP
•
Requires Public-Key Infrastructure
•
Lots of digital signatures to calculate and verify.
– Message overhead
– CPU overhead
•
Calculation expense is greatest when topology is changing
– Caching can help
•
Route aggregation is problematic (maybe that’s OK)
•
Secure route withdrawals when link or node fails?
•
Address ownership data out of date
•
Deployment
What Attacks Does S-BGP Not Prevent?
• Message suppression: Failure to advertise
route withdrawal
• Replay attacks: Premature re-advertisement of
withdrawn routes
• Data plane security: Erroneous traffic
forwarding, bogus traffic generation, etc. (not
really a BGP issue)