Linux Implementation of P2P Detection and Traffic Shaping
Experiences in Deploying Machines Registration and Integrated Linux Firewall with Traffic Shaper for Large Campus Network
Kasom Koth-arsa (1), Surasak Sanguanpong (2), Pirawat Watanpongse (2), Surachai Chitpinityon (3), Chalermpol Chatampan (3)
{Kasom.K, Surasak.S, Pirawat.W, Surachai.Ch, cpccpc}@ku.ac.th
(1) Engineering Computer Center, Faculty of Engineering
(2) Department of Computer Engineering, Faculty of Engineering
(3) Office of Computer Services
Kasetsart University
APAN, Xi’an, Network Security, 29th August 2007
This work is partially supported by the Commission of Higher Education (CHE), UniNET, Thailand
Kasetsart University
Established in 1943 A.D.
7 campuses with ~43,000 students and ~9,600 academic and support staff
NontriNet Quick Facts
University Network - NontriNet
41,992 MAC addresses (as of 2007/08/28):
8,852 clients (personal, wired)
3,269 clients (service, wired)
29,342 clients (wireless)
495 servers
34 misc. devices
Avg. in/out traffic: 550/490 Mbps
[Network diagram: external links to the Internet, JGN, TIEN2, ThaiSARN and UniNet at 45 Mbps, 155 Mbps, 630 Mbps and 1 Gbps, plus a 1 Gbps backup; 10 GigE links at the Bangkhen core; 2 Mbps and 34 Mbps WAN links to the SakonNakhon, Supan Buri, SriRacha and Kampaengsaen campuses]
Obstacles & Opportunities
Large number of hosts
Non-productive bandwidth usage
Hard to keep track
P2P file sharing
QoS issues
Security issues
Special Requirements
Fully-integrated information database
Low cost
Customizable
Extensible
Scalable
Our Designed Features
Web-based machine registration
Linux firewall & traffic shaper extension
SMART
(Simple Machine Address Registration Tool)
Mandatory web-based machine registration
Registration Enforcement Agent: the Overlord
Centralized Database: the Command Center
Distributed Data Entry: the Interface
SMART: Architecture Diagram
[Diagram: the Command-Center sends Policies to the Overlord and Detection Rules to the Observer, and receives Statistics from the Overlord and Detected Incidents from the Observer. Both the Overlord and the Observer sniff packets on the Target Subnetwork; only the Overlord injects packets into it (TCP hijacking).]
Command Center
[Diagram: the Command-Center's Database Manager stores Detection Rules, the list of Overlords and Observers, Network Anomaly Statistics, Logs, Documents, Users and the per-MAC Policy. A Web Interface serves Administrators and Users. The Communicator pushes Policies to the Overlord and Detection Rules to the Observer, and collects Statistics and Detected Incidents from them.]
Overlord (TCP Hijack)
[Diagram: the Communicator receives Policies from the Command Center and returns Statistics. The Policy Checker keeps a table of each MAC's policy and statistics and checks it against packets from the Packet Sniffer on the Target Subnetwork; the policy is enforced on the subnetwork by the Packet Injector, which injects packets into existing connections (TCP hijacking).]
Observer
[Diagram: the Communicator receives Detection Rules from the Command Center and reports Detected Incidents back. The Pattern Matcher applies the Table of Detection Rules to packets from the Packet Sniffer on the Target Subnetwork.]
Linux Firewall & Traffic Shaper Extension
Intelligent master controller
User-friendly configuration interface
Automatic egress SYN-flood/P2P blocking
Per-host traffic shaping
Mechanism
Use a Linux server as a transparent bridge
Traffic classification through iptables
Traffic control through tc
Use IPP2P and our in-house daemon to identify P2P traffic
Use our in-house daemon to detect some problematic network patterns
Hardware
Dell PowerEdge 2900
Xeon 5160 dual core (3.0 GHz)
1 GB of RAM
160 GB SATA hard disk
2 x Sun 10 Gigabit Ethernet Controller PCI Express cards (SR module)
Software
Linux 2.6.18-8.1.8.el5 (CentOS's stock kernel) on CentOS 5 (64-bit)
bridge-utils
ebtables
iptables
IPP2P
Our in-house daemon, which automatically adjusts the shaping/blocking policy
Simplified Network Diagram
[Diagram: UniNet and NECTEC connect to the Gateway Router (OSPF/BGP), which links over 10 GigE to the Traffic Shaper/Firewall (Bridge) and from there over 10 GigE to the Core Router (OSPF), which fans out over Gigabit Ethernet links. A third 10 GigE path between the two routers bypasses the bridge: it is the failover path for IPv4 and the main connection for IPv6 and multicast IPv4, so that traffic is not classified or shaped by the bridge.]
How we shape the traffic
Use iptables' MARK target to mark the traffic class of every packet
Hierarchical Token Bucket (HTB) as the packet shaper
Stochastic Fairness Queuing (SFQ) as the queuing algorithm inside each class
Traffic Classification
Port-based
Content-based (L7), using IPP2P through iptables
Automatically adjust the iptables rules using our daemon
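The mechanism on the preceding slides (Linux bridge, iptables MARK classification with IPP2P ahead of port rules, HTB classes with SFQ leaves tied to the marks by fw filters) as one script. This is an added example, not the NontriNet code: the bridge and interface names (br0, eth0, eth1), the marks 10/20/30/40, the port lists and every rate are assumptions. It prints the commands unless APPLY=1 is set, so it can be read and checked without touching a live box.

```shell
#!/bin/sh
# Added example (not the NontriNet authors' code): bridge + iptables MARK
# classification + HTB/SFQ shaping, as the slides describe.  Interface names,
# rates and mark/class numbers are assumptions.  Prints unless APPLY=1.
set -eu

APPLY="${APPLY:-0}"

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One fwmark per traffic class (decimal).  tc class ids are hexadecimal, so the
# fw filter below ties mark N to class 1:N explicitly rather than by value.
MARK_WEB=10     # port-based: HTTP/HTTPS
MARK_MAIL=20    # port-based: SMTP/POP3/IMAP
MARK_P2P=30     # content-based: IPP2P payload match
MARK_BULK=40    # everything else (HTB default class)

setup_bridge() {    # bridge inside-if outside-if
    run brctl addbr "$1"
    run brctl addif "$1" "$2"
    run brctl addif "$1" "$3"
    run ip link set "$1" up
    # bridged frames must traverse the IP hooks, or iptables never sees them
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

classify() {
    run iptables -t mangle -F FORWARD
    # IPP2P is a payload match, so it runs before the port rules: a BitTorrent
    # client tunnelling on port 80 must land in the P2P class, not the web class.
    run iptables -t mangle -A FORWARD -p tcp -m ipp2p --ipp2p -j MARK --set-mark "$MARK_P2P"
    run iptables -t mangle -A FORWARD -m mark --mark "$MARK_P2P" -j RETURN
    run iptables -t mangle -A FORWARD -p tcp -m multiport --ports 80,443 -j MARK --set-mark "$MARK_WEB"
    run iptables -t mangle -A FORWARD -p tcp -m multiport --ports 25,110,143,993,995 -j MARK --set-mark "$MARK_MAIL"
    run iptables -t mangle -A FORWARD -m mark --mark 0 -j MARK --set-mark "$MARK_BULK"
}

add_class() {       # dev mark rate ceil
    run tc class add dev "$1" parent 1:1 classid "1:$2" htb rate "$3" ceil "$4"
    # SFQ inside each class keeps one heavy flow from starving the others
    run tc qdisc add dev "$1" parent "1:$2" handle "$2:" sfq perturb 10
    run tc filter add dev "$1" parent 1: protocol ip prio 1 handle "$2" fw flowid "1:$2"
}

shape() {           # dev link-rate  (egress shaping on one bridge port)
    run tc qdisc del dev "$1" root 2>/dev/null || true
    run tc qdisc add dev "$1" root handle 1: htb default "$MARK_BULK"
    run tc class add dev "$1" parent 1: classid 1:1 htb rate "$2" ceil "$2"
    add_class "$1" "$MARK_WEB"  200mbit "$2"
    add_class "$1" "$MARK_MAIL" 50mbit  "$2"
    add_class "$1" "$MARK_P2P"  2mbit   8mbit    # little guaranteed, hard ceiling
    add_class "$1" "$MARK_BULK" 100mbit "$2"
}

build_shaper() {    # bridge inside-if outside-if link-rate
    setup_bridge "$1" "$2" "$3"
    classify
    shape "$2" "$4"     # frames leaving toward the campus
    shape "$3" "$4"     # frames leaving toward the Internet
}

if [ "$#" -gt 0 ]; then
    build_shaper "$@"   # e.g. ./shaper.sh br0 eth0 eth1 1000mbit
fi
```

Shaping is attached to each physical bridge port, not to br0, because the qdisc must sit on the interface the frame actually leaves through. IPP2P matches plaintext protocol signatures, so clients that encrypt or obfuscate their handshake fall through to the port rules; that gap is why the slides pair it with a daemon that also reacts to behaviour.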
Sample Reports - Bandwidth
[Chart: incoming and outgoing traffic in bits per second, annotated "Stop Shaping" and "Restart Shaping"; shaping was turned off from Friday morning to Monday morning]
Sample Reports - Packet
[Chart: incoming and outgoing traffic in packets per second over the same period, with the same "Stop Shaping" and "Restart Shaping" annotations]
Sample Reports - SYN Flood Blocking
[Charts: bandwidth (real outgoing traffic) and packets (attempted outgoing traffic)]
A host infected with an Internet worm sent a large number of SYN packets at 9:19; the packet chart shows the attempts, the bandwidth chart shows that they were blocked.
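The detection side of the SYN-flood case above, as an added example that is not the NontriNet daemon: it reads the lines that an iptables "-p tcp --syn -j LOG" rule writes to the kernel log, flags any source that opened SYNs to more than a threshold of distinct destinations, and emits the egress block rule. The log lines in SAMPLE_LOG are constructed (field list abbreviated), and the addresses, threshold and the choice of "distinct destinations" as the signal are assumptions.

```shell
#!/bin/sh
# Added example (not the NontriNet daemon): flag a worm-like host from
# iptables LOG lines and emit the egress SYN block.  Sample log, addresses
# and threshold are constructed for the example.  Prints unless APPLY=1.
set -eu

APPLY="${APPLY:-0}"
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Print every SRC that sent SYNs to more than $1 distinct DST addresses.
# Distinct destinations, not raw SYN count, is the signal: a scanning worm
# fans out widely, while a busy download client hammers a handful of peers.
find_syn_flooders() {
    awk -v limit="$1" '
        /PROTO=TCP/ && / SYN / {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "" && !seen[src, dst]++) targets[src]++
        }
        END { for (s in targets) if (targets[s] > limit) print s }
    ' | sort
}

# Block only outgoing SYNs from the offender: the host stays reachable, so it
# can still be located and cleaned, but it can no longer open new connections.
block_hosts() {
    while read -r host; do
        run iptables -I FORWARD -s "$host" -p tcp --syn -j DROP
    done
}

# Constructed sample: 10.1.2.3 sweeps port 445 across six hosts (one of them
# twice), 10.1.2.4 is an ordinary browsing client, and one line is not a SYN.
SAMPLE_LOG='Aug 29 09:19:01 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.1 PROTO=TCP SPT=1050 DPT=445 RES=0x00 SYN URGP=0
Aug 29 09:19:01 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.2 PROTO=TCP SPT=1051 DPT=445 RES=0x00 SYN URGP=0
Aug 29 09:19:01 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.3 PROTO=TCP SPT=1052 DPT=445 RES=0x00 SYN URGP=0
Aug 29 09:19:02 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.4 PROTO=TCP SPT=1053 DPT=445 RES=0x00 SYN URGP=0
Aug 29 09:19:02 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.5 PROTO=TCP SPT=1054 DPT=445 RES=0x00 SYN URGP=0
Aug 29 09:19:02 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.6 PROTO=TCP SPT=1055 DPT=445 RES=0x00 SYN URGP=0
Aug 29 09:19:03 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.1 PROTO=TCP SPT=1056 DPT=445 RES=0x00 SYN URGP=0
Aug 29 09:19:03 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=198.51.100.10 PROTO=TCP SPT=2001 DPT=80 RES=0x00 SYN URGP=0
Aug 29 09:19:04 shaper kernel: SYN: IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=198.51.100.11 PROTO=TCP SPT=2002 DPT=443 RES=0x00 SYN URGP=0
Aug 29 09:19:04 shaper kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=198.51.100.12 PROTO=UDP SPT=5353 DPT=53 LEN=40'

# Stand-alone: analyse the sample; with file arguments, analyse those logs.
if [ "$#" -gt 0 ]; then cat "$@"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    find_syn_flooders "${SYN_LIMIT:-5}" | block_hosts
```

A daemon would feed this from a rotating time window of the log (so that a host is judged on the last minute, not on its whole history) and would record the block in the registration database so the NOC sees which MAC was cut off.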
Sample Reports - Shaping by Classes
[Chart of traffic per class; traffic shaping was turned off from 21:21 to 21:53.]
Sample Reports - Shaping by Classes
[Chart of traffic per class, annotated "P2P traffic allowed in the night", "No P2P allowed" and "P2P allowed in the night": P2P traffic appears only in the night window of the classes that permit it, and not at all in the class that does not.]
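The time-based policy behind the last few reports (shaping switched off over the weekend, P2P opened up only at night) as an added example, not the NontriNet daemon: given a day of week and a clock time it decides whether shaping is off, or whether the P2P class gets its night or day rate, and emits the tc change. The window boundaries (Friday 08:00 to Monday 08:00 off, 22:00 to 06:00 night), the rates, the device and the class id 1:30 are assumptions; days are numbered as date +%u does (1 = Monday).

```shell
#!/bin/sh
# Added example (not the NontriNet daemon): time-of-day / day-of-week policy
# for the P2P class.  Windows, rates, device and class id are assumptions.
set -eu

APPLY="${APPLY:-0}"
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

SHAPE_DEV="${SHAPE_DEV:-eth1}"
P2P_CLASS=1:30

# HHMM -> minutes since midnight.  Leading zeros are stripped first so that
# 0800 is not parsed as an (invalid) octal number by $(( )).
to_min() {
    h=${1%??}; m=${1#??}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window HHMM START END: true if START <= HHMM < END.  A window whose END
# is not after its START wraps past midnight (2200-0600 is the night window).
in_window() {
    now=$(to_min "$1"); start=$(to_min "$2"); end=$(to_min "$3")
    if [ "$start" -lt "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# shaping_mode DOW HHMM   (DOW: 1=Monday .. 7=Sunday, as printed by date +%u)
#   off   : Friday 08:00 to Monday 08:00, shaping disabled entirely
#   night : 22:00 to 06:00, P2P class opened up
#   day   : P2P class held to a trickle
shaping_mode() {
    dow=$1; hhmm=$2
    if [ "$dow" -eq 6 ] || [ "$dow" -eq 7 ] \
       || { [ "$dow" -eq 5 ] && ! in_window "$hhmm" 0000 0800; } \
       || { [ "$dow" -eq 1 ] &&   in_window "$hhmm" 0000 0800; }; then
        echo off
    elif in_window "$hhmm" 2200 0600; then
        echo night
    else
        echo day
    fi
}

apply_policy() {    # DOW HHMM -> tc commands for that moment
    case "$(shaping_mode "$1" "$2")" in
        off)   run tc qdisc del dev "$SHAPE_DEV" root ;;
        night) run tc class change dev "$SHAPE_DEV" classid "$P2P_CLASS" htb rate 8mbit ceil 20mbit ;;
        day)   run tc class change dev "$SHAPE_DEV" classid "$P2P_CLASS" htb rate 64kbit ceil 256kbit ;;
    esac
}

# Stand-alone: act on the current time (run it from cron every few minutes),
# or pass DOW and HHMM explicitly to see what a given moment would do.
if [ "$#" -eq 0 ]; then
    apply_policy "$(date +%u)" "$(date +%H%M)"
else
    apply_policy "$1" "$2"
fi
```

"off" deletes the root qdisc, so "tc class change" has nothing to act on when the weekend ends; the daemon must remember the previous mode and rebuild the whole tree on the off-to-day transition before applying class changes again.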
Misc. reports
[Screenshots: last-seen IP matrix, detected hosts, number of last-seen hosts]
Conclusions
Complete control of unregistered machines
Prevents unauthorized/unregistered network usage
Automatic cooperation between registration and firewall/traffic shaping
Complete control of P2P traffic under the desired policy (class, usage period, bandwidth, etc.)
Prevents our machines from becoming a source of SYN-flood attacks
Conclusions (cont.)
Frees up NOC officers' time
Real-world, low-cost, high-efficiency implementation (currently online)
References
The Official BitTorrent Home Page, http://www.bittorrent.org/
Kazaa, http://www.kazaa.com/
Netfilter/iptables project homepage, http://www.netfilter.org/
Official IPP2P homepage, http://www.ipp2p.org/
HTB home, http://luxik.cdi.cz/~devik/qos/htb/
SFQ queuing discipline, http://www.opalsoft.net/qos/DS-25.htm
Questions?
Thank you