LOBSTER: Overview. LOBSTER: Large Scale Monitoring for Broadband Internet Infrastructure

Size: px

Start display at page:

Download "LOBSTER: Overview. LOBSTER: Large Scale Monitoring for Broadband Internet Infrastructure"

Elijah Brooks
10 years ago
Views:

1 LOBSTER: Overview LOBSTER: Large Scale Monitoring for Broadband Internet Infrastructure Herbert Bos* Department of Computer Science Vrije Universiteit Amsterdam Herbert Bos, * slides VU, [email protected] adapted from an earlier version by Evangelos Markatos ICS Forth 1

2 Roadmap of the Talk Objective Motivation State-of-the-art Challenges Herbert Bos, VU, 2

3 Objective To develop an advanced European Infrastructure for Network Traffic Monitoring Herbert Bos, VU, 3

4 Why? We have a poor understanding of several aspects the Internet such as Traffic characterization: What % of the traffic goes to KaZaa? Difficult to answer because the available tools work mostly for applications that use static ports, while KaZaa uses dynamic ports Security early warning systems Are there any new worms on the loose? Can we automatically identify them before they spread? Herbert Bos, VU, [email protected] 4

Difficult to answer because the available tools work mostly for applications that use static ports, while

5 Why Do We Need It? More Security The expansion of CODE-RED On Jul 19, 2001, 00:00 24 hours later 350,000 infected computers Safety Intrusion Detection DoS attack detection Worms Security vulnerabilities Poorly administered home computers Widespread use of p2p systems worms/viruses/cyberattacks Herbert Bos, VU, 5

350,000 infected computers Safety Intrusion Detection DoS attack detection Worms

6 Why Do We Need It? More Security Safety The expansion of SAPPHIRE WORM On Jan 25, 2003, 05:29 30 minutes later 74,000 victims doubled every 8.5 seconds even in Greenland Intrusion Detection DoS attack detection Worms Security vulnerabilities Poorly administered home computers Widespread use of p2p systems worms/viruses/cyberattacks Herbert Bos, VU, 6

7 Why Do We Need It? More Security Denial-of-Service attacks sometime happen accidentally combination of Microsoft software features and misconfigurations was essentially causing a slowly-paced massive distributed denial of service (DDoS) attack on the root name server system kc Claffy Herbert Bos, VU, [email protected] 7

of Microsoft software features and misconfigurations was essentially causing a

8 Why Do We Need It? Performance Billing - Management User: Why is my application so slow? Who is to blame? Local LAN? Remote LAN? WAN? Administrator: which applications consume most of the traffic in my network? Web master: What is the latency of my web server as perceived by my clients? Herbert Bos, VU, [email protected] 8

9 Why Is It Difficult? It is a moving target It is not your father s Internet Network Monitoring tools were developed mostly for slow networks Mbps (not Gbps) for traffic engineering/qos not all packets needed sampling is fine no payload inspection Herbert Bos, VU, [email protected] 9

Monitoring tools were developed mostly for slow networks Mbps (not

10 What is the state-ofthe-art? Flow-level statistics: Netflow, IPFIX, Provide traffic summary Not easy for intrusion detection, security, p2p traffic Active Measurements provide good metrics: One-way latency, bandwidth, error rate, etc. Not easy for traffic characterization/billing, security applications Passive traffic collection at NLANR Mostly used for off-line analysis Not clear whether it focuses on real-time securityrelated problems Herbert Bos, VU, 10

Active Measurements provide good metrics: One-way latency, bandwidth, error rate, etc.

11 What is our proposal? European Infrastructure of network traffic monitors Based on Passive monitoring: Collect all data (headers, payloads, timestamps) These monitors are appropriate for most monitoring applications, such as: Traffic characterization: What % of my traffic goes to KaZaa? Security - early warning systems Identify when a new worm starts to spread Herbert Bos, VU, [email protected] 11

(headers, payloads, timestamps) These monitors are appropriate for most monitoring applications,

12 What are we going to do with it? Real-time applications Traffic characterization Early-warning systems Worm spread and containment Off-line processing... Gathering of packet traces Processing of the traces to identify Trends, security breaches, internet models, etc. Herbert Bos, VU, 12

spread and containment Off-line processing.

13 Challenges I Privacy: protect the privacy of the end user while being able to extract useful information from the traces Anonymize the packets on the monitoring card: In hardware (co-processor/fpga) Driven by user policies Users define which data will be anonymized using» SiSaL: Scripting Sanitization Language Herbert Bos, VU, [email protected] 13

hardware (co-processor/fpga) Driven by user policies Users define which data will be

14 Challenges II Speed: We can probably do it at 2.5 Gbps Can we do it at 10Gbps? 40 Gbps? 100 Gbps? Need to use special-purpose cards: SCAMPI monitoring adapter Co-processor-based cards from Endace Herbert Bos, VU, 14

15 LOBSTER: Overview LOBSTER: Large Scale Monitoring for Broadband Internet Infrastructure Herbert Bos Department of Computer Science Vrije Universiteit Amsterdam Herbert Bos, VU, 15

How To Monitor Network Traffic On A Network With A Network Monitor

How To Monitor Network Traffic On A Network With A Network Monitor Network Monitoring for Performance and Security The SCAMPI and LOBSTER projects Kostas Anagnostakis Institute of Computer Science (ICS) Foundation for Research and Technology Hellas (FORTH) Crete, Greece