Monitoring Cloud Services using Flow-Based Measurements. Idilio Drago
Slide 1: Monitoring Cloud Services using Flow-Based Measurements (Idilio Drago)

Slide 2: Outline
- Measurements: why? what? how?
- Flow monitoring: basic concepts, architecture, measurement artifacts
- Applications: threat detection, performance monitoring

Slide 3: Why measure the network?
- Traffic engineering, e.g., understand, predict and plan the behavior of the network
- Accounting, e.g., how many resources have been used per user?
- Network security, e.g., which machines in the network are compromised?
- Performance monitoring, e.g., why is the application slow?
- etc.

Slide 4: What to measure?
- Delay (one-way, round-trip)
- Delay variation (jitter)
- Throughput (average, peak)
- Usage per protocol and application
- Packet loss...
- Direct measurements vs. indirect inference

Slide 5: How to measure?
- Active measurement: inject traffic into the network. Examples: Ping, Traceroute
- Passive measurement: don't generate traffic, only observe production traffic. Packet capture, log files, etc.
Slides 6-7: Packet measurements: challenges and limitations
- Capture: high-speed packet processing without packet loss
- Recording: 10 Gb/s (duplex) = 200 TB/day = 100 disks/day
  [Figure: required storage (TB) over time (days) for a 10 Gbps campus]
  Invasive and prohibitive costs: long-term archival is unfeasible!
- Retrieval: get only some packets from a pile of data
- Privacy: capture on the network is privacy-invasive
Slide 8: Overcoming packet measurement limitations
- Make capture and processing faster: move to kernel space; dedicated hardware; distributed collection & processing
- Capture less information: truncate packets (collect only headers, not payload); ignore some packets (sampling & filtering); ignore individual packets (aggregation)

Slide 9: Make capture and processing faster
[Figure: standard Linux network stack, from the NIC (HW) with RSS queues, DMA into packet rings and the driver, through copies in OS kernel space, to copies into user space]
- SW: reduce the number of copies, parallelism up to user space, etc. [1]
- HW: offload processing to lower layers (HW)
[1] J. L. Garcia-Dorado et al. High-Performance Network Traffic Processing Systems Using Commodity Hardware.

Slide 10: Capture less information
- Lossy compression used by Tstat and the TimeMachine [1]: trim flows, i.e., record the first X B per flow
- 5-10% of the volume covers 90-95% of full flows
- e.g., 450 TB/month becomes 45 TB
[1] G. Maier et al. Enriching Network Security Analysis with Time Travel. In: SIGCOMM '08.
Slide 11: Aggregation: flow export
- Export flow records to summarize a sequence of packets
- Lots of other proprietary protocols, export tools (e.g., Tstat), etc.
[Timeline figure; entries as recovered from the slide, version numbers and some years not legible: 1st paper on flow measurement; 2004 NetFlow v…, NetFlow-Lite; 1990 IETF IA WG; 1996 IETF RTFM WG; 1999 RTFM; 1996 NetFlow patented by Cisco; 2002 NetFlow v…, Flexible NetFlow; 2013 IPFIX Internet Standard; 2004 IETF IPFIX WG; 1st IPFIX specification]
Slide 12: Typical flow monitoring setup
IPFIX reference architecture: Packets -> Packet Observation -> Flow Metering & Export -> (Flow Export Protocol) -> Data Collection -> Data Analysis
- Cisco uses the name NetFlow both for the export protocol and for the flow meters

Slide 13: Example of a practical deployment
[Figure: production traffic between a forwarding device and the Internet is observed by flow probe 1; flow records are sent over the flow export protocol to flow collector 1 (automated analysis, appliance) and flow collector 2 (file, DBMS, etc.; manual analysis)]

Slide 14: Flow metering & exporting
Packets coming into the observation point -> packet capturing -> time-stamping -> metering process (sampling, filtering, flow cache) -> exporting process -> flow records
- Why should time-stamping be done first?
Slide 15: Flow cache functioning
- Upon packet arrival: calculate a hash based on the flow key; check whether the hash exists in the flow cache: yes, update the flow cache entry; no, create a new flow cache entry
- Flow cache entries are expired based on: timeouts (active, idle); natural expiration, e.g., observation of a TCP FIN or RST packet...
- Analysis applications receive flow records

Slide 16: What information is exported?
- Example: IPFIX Information Elements (IE) per layer: link (Ethernet), network (IP), transport (TCP, UDP), application (HTTP, DNS, etc.)
- Common IEs; other protocols support specific fields and layers (e.g., NetFlow v5)
- Flow keys and exported fields are implementation-specific
Slide 17: Common IPFIX Information Elements
ID  | Name                     | Description
152 | flowStartMilliseconds    | Timestamp of the flow's first packet.
153 | flowEndMilliseconds      | Timestamp of the flow's last packet.
8   | sourceIPv4Address        | IPv4 source address in the packet header.
12  | destinationIPv4Address   | IPv4 destination address in the packet header.
7   | sourceTransportPort      | Source port in the transport header.
11  | destinationTransportPort | Destination port in the transport header.
4   | protocolIdentifier       | IP protocol number in the packet header.
2   | packetDeltaCount         | Number of packets for the flow.
1   | octetDeltaCount          | Number of octets for the flow.
- Considering metrics such as delay, usage per protocol and packet loss: is flow-based monitoring direct or indirect?
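The metering process of slides 14-17, as an added example (not code from the original slides): a flow cache keyed on the 5-tuple that expires entries on active/idle timeouts or on a TCP FIN/RST and exports records under the IPFIX IE names listed above. The timeout values, the extra expiryReason field and the sample packets are assumptions for illustration.

```python
"""Flow cache in the style of slides 14-17: meter packets into flow records
keyed on the 5-tuple, expire entries on active/idle timeouts or on TCP FIN/RST,
and export them using the IPFIX Information Element names from slide 17.
Added example, not from the original slides; timeouts, the expiryReason
field and the sample packets are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, int]  # src ip, dst ip, src port, dst port, proto

@dataclass
class Packet:
    ts_ms: int           # timestamp assigned at capture, before metering (slide 14)
    src: str
    dst: str
    sport: int
    dport: int
    proto: int           # 6 = TCP, 17 = UDP
    length: int          # bytes on the wire
    tcp_flags: str = ""  # subset of "SAFRP", e.g. "S", "A", "FA"

@dataclass
class FlowEntry:
    key: FlowKey
    first_ms: int
    last_ms: int
    packets: int = 0
    octets: int = 0

class FlowCache:
    """Unidirectional flows, as NetFlow/IPFIX meters export them."""

    def __init__(self, active_timeout_ms: int = 120_000, idle_timeout_ms: int = 15_000):
        self.active = active_timeout_ms  # assumed values, not taken from the slides
        self.idle = idle_timeout_ms
        self.table: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[dict] = []

    def _export(self, entry: FlowEntry, reason: str) -> None:
        src, dst, sport, dport, proto = entry.key
        self.exported.append({
            "flowStartMilliseconds": entry.first_ms,
            "flowEndMilliseconds": entry.last_ms,
            "sourceIPv4Address": src,
            "destinationIPv4Address": dst,
            "sourceTransportPort": sport,
            "destinationTransportPort": dport,
            "protocolIdentifier": proto,
            "packetDeltaCount": entry.packets,
            "octetDeltaCount": entry.octets,
            "expiryReason": reason,  # not an IPFIX IE; shows why the record left the cache
        })

    def expire(self, now_ms: int) -> None:
        """Timeout-based expiration: active (flow lived too long), idle (no recent packet)."""
        for key, entry in list(self.table.items()):
            if now_ms - entry.first_ms >= self.active:
                self._export(self.table.pop(key), "active_timeout")
            elif now_ms - entry.last_ms >= self.idle:
                self._export(self.table.pop(key), "idle_timeout")

    def observe(self, pkt: Packet) -> None:
        """Slide 15: look the key up (a real meter hashes it); update or create the entry."""
        self.expire(pkt.ts_ms)
        key: FlowKey = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        entry = self.table.get(key)
        if entry is None:
            entry = FlowEntry(key, pkt.ts_ms, pkt.ts_ms)
            self.table[key] = entry
        entry.last_ms = pkt.ts_ms
        entry.packets += 1
        entry.octets += pkt.length
        # natural expiration: a TCP FIN or RST ends the flow immediately
        if pkt.proto == 6 and ("F" in pkt.tcp_flags or "R" in pkt.tcp_flags):
            self._export(self.table.pop(key), "tcp_fin_rst")

    def flush(self) -> List[dict]:
        """Export whatever is still cached (e.g. at shutdown) and return all records."""
        for key in list(self.table):
            self._export(self.table.pop(key), "flush")
        return self.exported

def sample_packets() -> List[Packet]:
    """Constructed traffic: a short TCP session closed by FIN, a single UDP DNS
    query that goes idle, and a long TCP flow that exceeds the active timeout."""
    pkts = [
        Packet(0, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 60, "S"),
        Packet(20, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 52, "A"),
        Packet(25, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 500, "A"),
        Packet(400, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 52, "FA"),
        Packet(1000, "10.0.0.7", "192.0.2.53", 53000, 53, 17, 70),
    ]
    # one packet every 10 s for 150 s: hits the 120 s active timeout while never idle
    pkts += [Packet(2000 + i * 10_000, "10.0.0.9", "192.0.2.20", 41000, 443, 6, 1500, "A")
             for i in range(16)]
    return sorted(pkts, key=lambda p: p.ts_ms)

def run_demo() -> List[dict]:
    """Meter the constructed packets and return the exported flow records in order."""
    cache = FlowCache()
    for pkt in sample_packets():
        cache.observe(pkt)
    return cache.flush()
```

The long flow is split into two records by the active timeout, which is why an analysis that counts "flows" must account for the exporter's timeout settings.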
Slides 18-19: Storage volume
Original traffic: 2.1 TB (several cells were not recovered from the slide and are shown as …)
Sampling rate | Protocol   | Exported | Storage | Reduction
1:1           | NetFlow v5 | 2.1 GB   | … MB    | 2,301x
1:1           | …          | 2.5 GB   | 1.0 GB  | 2,100x
1:…           | …          | … GB     | … MB    | 4,169x
1:…           | NetFlow v9 | … MB     | … MB    | 20,212x
1:…           | …          | … MB     | 20.4 MB | 102,941x
1:1           | IPFIX      | 3.0 GB   | … MB    | 2,560x
- Exported volumes in this table: NetFlow v5 = usual fields; NetFlow v9 = NetFlow v5 + templates; IPFIX = NetFlow v5 + templates + 64-bit time resolution
- Compressed formats implemented by nfdump
- Does it solve the scalability problems of packet recording? Campus example: 450 TB/month of packets vs. 180 GB/month of flow data. CESNET: 125 …. SURFnet: 16 GB/day using 1:100 packet sampling
Slide 20: How reliable are flow data?
- Do the exported data reflect the network traffic? We evaluated a set of export devices from popular models:
No. | Model               | Modules                                  | Software version
1   | Cisco Catalyst 6500 | WS-SUP720-3B (PFC3B, MSFC3)              | IOS 12.2(33)SXI5
2   | Cisco Catalyst 6500 | WS-SUP720-3B (PFC3B, MSFC3)              | IOS 12.2(33)SXI2a
3   | Cisco Catalyst 6500 | VS-SUP2T-10G-XL (PFC4XL, MSFC5) + WS-X…G | IOS 15.0(1)SY1
4   | Cisco Catalyst 7600 | RSP720-3C-GE (PFC3C, MSFC4)              | IOS 15.2(1)S
5   | Juniper T1600       | MultiServices PIC 500                    | JUNOS 10.4R…
…   | INVEA-TECH FlowMon  |                                          |

Slide 21: Measurement methodology
[Figure: a Cisco Catalyst 6500 between a sub-network and the Internet exports NetFlow v9 and SNMP to a control server; mirrored traffic goes to an INVEA-TECH FlowMon probe, which also exports NetFlow v9 and SNMP; pcap traces on both sides and a test computer provide the reference measurements]
- All devices deployed in production networks
Slide 22: Artifact 1: overloaded device
[Figure: flow records and flow learn failures (records per 100 ms, thousands) and packets/s (thousands) between 07:20 and 07:50]
- Create a new flow cache entry: what if there are hash collisions?
- Cisco Catalyst 6500: flow learn failures, reported via SNMP only

Slide 23: Artifact 1: overloaded device
[Figure: amplitude vs. frequency (Hz) of the flow record time series, day vs. night]
- Periods of time when no new flow is measured
- Flows are expired every 4 s, cleaning some table cells
- It artificially creates periodicity in the measurements!

Slide 24: Artifact 2: flow record loss
[Figure: the deployment of slide 13 (forwarding device, flow probe 1, flow export protocol, flow collectors 1 and 2)]
- Packet loss if monitored traffic is: > monitoring link bandwidth; > storage/processing rate at the measurement host
- Critical when monitoring lots of small flows (when? why?)
Slides 25-26: Artifact 2: flow record loss
[Figure: flow records per 100 ms (thousands, 0 to 1.2) between 09:00 and 09:30, with sudden drops to about 0.3]
- Some protocols (e.g., NetFlow) and collectors trace the loss of flow records
- Collector is overloaded (compressing and saving to disk)
- Non-periodic drops in the flow record time series
- Artifacts might render flow data unusable, e.g., for security, traffic profiling, etc.!
Slide 27: Artifact 3: can we rely on flow timestamps?
- Goal: estimate delay using flow data
- Inject traffic using the test computer, compare the recorded times
- Possible sources of errors: clocks not synchronized, link delay, etc.
- Expectation: those errors should be small and more or less constant

Slide 28: Artifact 3: can we rely on flow timestamps?
[Figure: CDF of the timestamp difference (s) for the Cisco Catalyst and for the dedicated probe]
- Reality: difference of up to 1 s when exporting using NetFlow v9
- Independent of the flow exporter used
- Can we use such data to measure delay? Why?

Slide 29: NetFlow v9 design flaw
NetFlow packet header: Version Number, Count, sysuptime, UNIX Secs, ...
- sysuptime: time in milliseconds since this device was first booted
- UNIX Secs: time in seconds since 0000 UTC 1970, at which the Export Packet leaves the Exporter
- FIRST_SWITCHED (field type 22, length 4): sysuptime in msec at which the first packet of this flow was switched
- f_start = UNIX Secs + FIRST_SWITCHED - sysuptime
- What is wrong?
Slide 30: NetFlow v9 design flaw
Example [2] (the timestamps and intermediate values were not recovered from the slide):
- Router boot time: 01/01/… …:00:…; UNIX Secs: …
- Flow 1 starts at 01/01/… …:00:…; Flow 2 starts … ms later
- Flow 1 is exported at 01/01/… …:00:…; Flow 2 is exported … ms later
- f_start = UNIX Secs + FIRST_SWITCHED - sysuptime
- f1_start = … = … OK!
- f2_start = … = … Oops!
- Collectors could fix it (see how in [2]), but usually they don't!
[2] B. Trammell et al. Peeling Away Timing Error in NetFlow Data. In: PAM '11.
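The flaw of slides 29-30 worked through on constructed header values, as an added example (not from the original slides): UNIX Secs is written with whole-second resolution while sysuptime and FIRST_SWITCHED are in milliseconds, so the sub-second part of the export time is lost and the computed flow start can be off by up to 1 s. The boot-time estimate in estimate_boot_time() is one possible collector-side calibration, an assumption here and not necessarily the correction described by Trammell et al.; BOOT and all times are constructed.

```python
"""NetFlow v9 timing error from slides 29-30 on constructed header values.
Added example, not from the original slides. BOOT, the flow/export times and
the calibration in estimate_boot_time() are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ExportPacket:
    sysuptime_ms: int       # ms since the exporter booted, taken when the packet leaves
    unix_secs: int          # whole seconds since the epoch when the packet leaves (1 s resolution)
    first_switched_ms: int  # FIRST_SWITCHED of one flow in the packet: sysuptime of its first packet

def make_export_packet(boot_s: float, flow_start_s: float, export_s: float) -> ExportPacket:
    """Fields the exporter writes for a flow that started at flow_start_s and is
    exported at export_s (absolute times with fractional seconds)."""
    assert boot_s <= flow_start_s <= export_s
    return ExportPacket(
        sysuptime_ms=round((export_s - boot_s) * 1000),
        unix_secs=int(export_s),  # the sub-second part of the export time is dropped here
        first_switched_ms=round((flow_start_s - boot_s) * 1000),
    )

def naive_flow_start(p: ExportPacket) -> float:
    """The formula from slide 29: f_start = UNIX Secs + FIRST_SWITCHED - sysuptime."""
    return p.unix_secs + (p.first_switched_ms - p.sysuptime_ms) / 1000.0

def estimate_boot_time(packets: List[ExportPacket]) -> float:
    """unix_secs - sysuptime/1000 equals boot - frac(export time): every packet
    underestimates the boot time by less than 1 s, so the maximum over packets
    exported at varied sub-second offsets approaches the true boot time."""
    return max(p.unix_secs - p.sysuptime_ms / 1000.0 for p in packets)

def corrected_flow_start(p: ExportPacket, boot_s: float) -> float:
    """Anchor the ms counter to one estimated boot time instead of each packet's header."""
    return boot_s + p.first_switched_ms / 1000.0

BOOT = 1_325_376_000.0  # constructed boot time, exactly on a whole second

def demo() -> Dict[str, List[float]]:
    """Reproduce slide 30's scenario: two flows 500 ms apart, each exported 5 s later."""
    starts = [BOOT + 3600.0, BOOT + 3600.5]
    packets = [make_export_packet(BOOT, s, s + 5.0) for s in starts]
    naive_err = [abs(naive_flow_start(p) - s) for p, s in zip(packets, starts)]
    # Other export packets leaving at varied sub-second offsets let a collector calibrate.
    history = [make_export_packet(BOOT, BOOT + 7000.0, BOOT + 7200.02 + k * 1.3)
               for k in range(20)]
    boot_est = estimate_boot_time(history)
    corrected_err = [abs(corrected_flow_start(p, boot_est) - s) for p, s in zip(packets, starts)]
    return {"naive_error_s": naive_err,                   # flow 1: 0.0 (OK!), flow 2: 0.5 (Oops!)
            "boot_estimate_error_s": [abs(boot_est - BOOT)],
            "corrected_error_s": corrected_err}
```

Flow 1 is exported on a whole second and comes out right; flow 2 leaves 500 ms into a second, that half second is truncated away in UNIX Secs, and its start is placed 500 ms too early.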
Slide 31: Artifact 3: dedicated probe
[Figure: timestamp difference (ms) vs. reference start time (s since experiment start)]
- NetFlow v5, IPFIX, etc. don't suffer from this problem
- The dedicated probe exports stable time, which slowly drifts
- This might be a problem if data from different exporters are jointly analyzed

Slides 32-35: Artifact 3: Catalyst NetFlow v5
[Figure: timestamp difference (ms) vs. reference start time (s since experiment start)]
- All tested Catalyst 6500 present other time-related artifacts
- There is always a residual error of up to 60 ms!
- Precision is not the number of digits your tools report!
- Measurement errors are common and might lead to artifacts
- Calibration is essential in any sound measurement study!
Slide 36: Analysis applications
- Network security; performance monitoring
- Analyses follow a similar pattern: understand the target application or security threat; define the flow information to be exported (i.e., keys and IEs); calibrate the environment; map flow data to meaningful performance metrics; validate the measurements!
Slide 37: Example 1: SSH brute-force attacks
- Lots of machines have an SSH server
- Users are not careful with passwords
- Daily logs of any SSH server exposed to the Internet (addresses and ports were not recovered from the slide):
sshd: pam_unix(sshd:auth): authentication failure; [...] rhost= user=root
sshd: Failed password for root from port ssh2
sshd: Failed password for root from port ssh2
sshd: Failed password for root from port ssh2
sshd: Disconnecting: Too many authentication failures for root [preauth]
sshd: PAM 2 more authentication failures; [...] rhost= user=root
sshd: pam_unix(sshd:auth): authentication failure; [...] rhost= user=root
...
- Can successful attempts be detected from flow data?

Slide 38: Example 1: SSH brute-force attacks
- Attack phases [3], from start to end: scan -> brute-force -> compromise
- NetFlow v5 data during the brute-force phase (addresses and some values were not recovered from the slide):
Start   | Source | Destination | Flags  | Pkts
…:07:…  | …      | …:22        | ...S.  | 1
03:09:… | …      | …:22        | .AP.SF | 12
03:09:… | …      | …:22        | .AP.SF | 12
03:09:… | …      | …:22        | .AP.SF | …
- How to learn the signature of compromised machines?
[3] R. Hofstede et al. SSH Compromise Detection using NetFlow/IPFIX. In: ACM CCR.
Slide 39: Example 1: SSH brute-force attacks
[Figure: packets per flow over time (s), with the scan, brute-force and compromise phases marked]
- Once you have signatures, find potential compromises
- More complex than the figure suggests, e.g., active mitigation such as DenyHosts and Fail2ban changes the flow pattern
- Still, this narrows down the search for compromised machines
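A flow-based phase detector in the spirit of slides 37-39, as an added example (not the detector of the cited paper): SYN-only single-packet flows to many hosts mark the scan phase, repeated short sessions with a near-constant packet count to one host mark brute-force, and a later session to that host whose packet count breaks the pattern is reported as a possible compromise for an analyst to check. The flow records are constructed, and the packet-count band and thresholds are assumptions chosen for illustration rather than values from the slides.

```python
"""Flow-based SSH attack-phase detection (scan, brute-force, possible
compromise) over constructed NetFlow v5-style records. Added example, not the
authors' detector; all thresholds below are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    start_s: int   # seconds since the start of the observation (constructed)
    src: str
    dst: str
    dport: int
    flags: str     # nfdump-style TCP flags, e.g. "....S." or ".AP.SF"
    pkts: int

MIN_SCAN_TARGETS = 5     # assumption: SYN-only flows to >= 5 hosts = scan phase
BF_PKTS = range(10, 15)  # assumption: a failed-login session is 10..14 packets (slide 38 shows 12)
MIN_BF_FLOWS = 3         # assumption: >= 3 such flows to one host = brute-force phase
COMPROMISE_PKTS = 20     # assumption: a later session of >= 20 packets breaks the failure pattern
# Active mitigation (DenyHosts, Fail2ban) cuts sessions short and shifts these counts,
# which is why the signature has to be learned per environment (slide 39).

def is_scan_flow(f: Flow) -> bool:
    return f.flags == "....S." and f.pkts == 1

def is_bruteforce_flow(f: Flow) -> bool:
    return f.flags == ".AP.SF" and f.pkts in BF_PKTS

def classify(flows: List[Flow]) -> Dict[str, dict]:
    """Return, per source address seen on port 22, the phases detected."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == 22:
            by_src[f.src].append(f)
    report: Dict[str, dict] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start_s)
        scan_targets = {f.dst for f in fl if is_scan_flow(f)}
        bf_count: Dict[str, int] = defaultdict(int)
        for f in fl:
            if is_bruteforce_flow(f):
                bf_count[f.dst] += 1
        brute_forced = {d for d, n in bf_count.items() if n >= MIN_BF_FLOWS}
        suspects: List[Tuple[str, int]] = []
        for f in fl:
            if f.dst not in brute_forced or f.flags != ".AP.SF" or f.pkts < COMPROMISE_PKTS:
                continue
            # only a deviating session *after* the brute-force flows to that host counts
            earlier = sum(1 for g in fl if g.dst == f.dst and g.start_s < f.start_s
                          and is_bruteforce_flow(g))
            if earlier >= MIN_BF_FLOWS:
                suspects.append((f.dst, f.start_s))
        report[src] = {
            "scan": len(scan_targets) >= MIN_SCAN_TARGETS,
            "brute_force": sorted(brute_forced),
            "possible_compromise": suspects,
        }
    return report

def sample_flows() -> List[Flow]:
    """Constructed records: one attacker that scans, brute-forces one host and then
    holds a longer session; a legitimate admin session; a host below the threshold."""
    atk = "198.51.100.9"
    flows = [Flow(60 + i, atk, f"10.0.0.{i}", 22, "....S.", 1) for i in range(1, 9)]
    flows += [Flow(300 + j * 7, atk, "10.0.0.3", 22, ".AP.SF", 12) for j in range(5)]
    flows.append(Flow(400, atk, "10.0.0.3", 22, ".AP.SF", 43))           # deviating session
    flows.append(Flow(100, "10.0.0.50", "10.0.0.3", 22, ".AP.SF", 85))   # admin, no brute force before
    flows.append(Flow(500, "198.51.100.20", "10.0.0.4", 22, ".AP.SF", 13))
    flows.append(Flow(510, "198.51.100.20", "10.0.0.4", 22, ".AP.SF", 11))
    return flows
```

A hit is a lead for log review on the target host, not a verdict: the long session may equally be a lockout by a mitigation tool or an unrelated login.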
Slide 40: Example 2: Is Dropbox off-line?
- Scenario: lots of users rely on Dropbox; some companies and universities outsource file storage to Dropbox
- The IT department wants to be informed about outages: to be proactive when there are problems; to validate the QoS offered by Dropbox
- How to monitor Dropbox status from passive measurements?

Slide 41: How does Dropbox work?
- Clear separation between storage and meta-data/client control
- Sub-domains identifying parts of the service:
Sub-domain        | Data-center | Description
client-lb/clientx | Dropbox     | Meta-data
notifyx           | Dropbox     | Notifications
api               | Dropbox     | API control
www               | Dropbox     | Web servers
d                 | Dropbox     | Event logs
dl                | Amazon      | Direct links
dl-clientx        | Amazon      | Client storage
dl-debugx         | Amazon      | Back-traces
dl-web            | Amazon      | Web storage
api-content       | Amazon      | API storage
- HTTP/HTTPS in all functionalities

Slide 42: How does Dropbox work?
[Figure: client protocol exchange: the notification connection (kept open, not encrypted) carries the device ID and folder IDs; client control carries login, file hashes and meta-data]

Slide 43: Example 2: Is Dropbox off-line?
[Figure: connections (thousands) per minute over two days: total, abnormal and unhealthy]
- Surges of unidirectional flows (client to server), i.e., unhealthy traffic: attempts to reconnect to the notification servers
- Likely only some clients have been affected
Slide 44: Example 3: Response times
- New IE to report the responsiveness of HTTP servers
- Web server latency = ...?
[Figure: TCP handshake and HTTP request as seen from the flow exporter between client and server: SYN; SYN+ACK (exporter-to-server latency); ACK (client-to-exporter latency); GET /index.html; HTTP/… … OK (application latency); web server latency]

Slide 45: Example 3: Response times
[Figure: median latency (s) from 12:00 to 18:00 (time in h)]
- Debian mirrors at a campus: ground truth for validation
- Peaks in latency: mirrors synchronizing with upstream repositories
- Can we do a similar analysis for external services?

Slide 46: Example 4: Unveiling bottlenecks on Dropbox
[Figure: application-layer sequential ACKs between the client and the storage at Amazon EC2; retrieve vs. store]
Slides 47-51: Example 4: Unveiling bottlenecks on Dropbox
[Figure: storage throughput (bits/s, 10k to 10M, with a threshold line θ) vs. upload size (bytes, 1k to 400M), with the number of chunks marked]
- Storage throughput in campuses (42 days of monitoring): time between the first and last packet with payload in storage flows
- Most flows experience a low throughput
- Flows carrying 1 chunk: size up to 4 MB (Dropbox max chunk), RTT 100 ms; most of them finish in TCP slow-start
- Flows carrying several chunks: pause between chunks (RTT and client/server reaction); transferring 100 chunks takes more than 30 s: RTTs, 10 s of inactivity
- Possible solutions: distributing servers; delaying acknowledgments; bundling chunks (deployed sometime after our capture)
Slide 52: Take away
- Network-based monitoring of applications/threats has pros and cons: scalable when compared to packet recording; vantage point view; no client/server instrumentation; often requires inference and approximations; hard to keep pace with protocols...
- Never trust measurements blindly! Check for outliers, validate using different methods, etc.
Slide 53: References
Some of these slides have been taken from Ramin Sadre and Rick Hofstede.
Reading material:
- R. Hofstede, P. Celeda, B. Trammell, I. Drago, R. Sadre, A. Sperotto, A. Pras. Flow Monitoring Explained: From Packet Capture to Data Analysis with NetFlow and IPFIX. In: IEEE Communications Surveys & Tutorials, Vol. 16, No. 4.
- I. Drago, M. Mellia, M. M. Munafo, A. Sperotto, R. Sadre, A. Pras. Inside Dropbox: Understanding Personal Cloud Storage Services. In: IMC '12.
- R. Hofstede, I. Drago, A. Sperotto, R. Sadre, A. Pras. Measurement Artifacts in NetFlow Data. In: PAM '13.
- R. Hofstede, L. Hendriks, A. Sperotto, A. Pras. SSH Compromise Detection using NetFlow/IPFIX. In: ACM CCR, Vol. 44, No. 5.
- G. Maier, R. Sommer, H. Dreger, A. Feldmann, V. Paxson, F. Schneider. Enriching Network Security Analysis with Time Travel. In: SIGCOMM '08.
- B. Trammell, B. Tellenbach, D. Schatzmann, M. Burkhart. Peeling Away Timing Error in NetFlow Data. In: PAM '11.
- J. L. Garcia-Dorado, F. Mata, J. Ramos, P. M. Santiago del Rio, V. Moreno, J. Aracil. High-Performance Network Traffic Processing Systems Using Commodity Hardware. In: Data Traffic Monitoring and Analysis.
- V. Paxson. Strategies for Sound Internet Measurement. In: IMC '04.
Slide 54: Thanks!
More informationCisco IOS Flexible NetFlow Technology
Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application
More informationNetwork traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010
Network traffic monitoring and management Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Lecture outline What is network traffic management? Traffic management applications Traffic monitoring
More informationOverview. Why use netflow? What is a flow? Deploying Netflow Performance Impact
Netflow 6/12/07 1 Overview Why use netflow? What is a flow? Deploying Netflow Performance Impact 2 Caveats Netflow is a brand name like Kleenex. It was developed by Cisco Juniper uses the term cflowd for
More informationA Review of the Measuring Platform
Measuring Platform Architecture Based on the IPFIX Standard Alžbeta Kleinová, Anton Baláž, Jana Trelová, Norbert Ádám Department of Computers and Informatics, Technical University of Košice Letná 9, 042
More informationThe Fundamentals of Intrusion Prevention System Testing
The Fundamentals of Intrusion Prevention System Testing New network-based Intrusion Prevention Systems (IPS) complement traditional security products to provide enterprises with unparalleled protection
More informationMonitoring Traffic manager
Monitoring Traffic manager eg Enterprise v6 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document may be reproduced
More informationDatasheet iscsi Protocol
Protocol with DCB PROTOCOL PACKAGE Industry s premiere validation system for SAN technologies Overview Load DynamiX offers SCSI over TCP/IP transport () support to its existing powerful suite of file,
More informationPeeling Away Timing Error in NetFlow Data
Peeling Away Timing Error in NetFlow Data Brian Trammell, Bernhard Tellenbach, Dominik Schatzmann, and Martin Burkhart ETH Zurich, Switzerland Abstract. In this paper, we characterize, quantify, and correct
More informationHow To Monitor And Test An Ethernet Network On A Computer Or Network Card
3. MONITORING AND TESTING THE ETHERNET NETWORK 3.1 Introduction The following parameters are covered by the Ethernet performance metrics: Latency (delay) the amount of time required for a frame to travel
More informationMeasuring Cloud Service Health Using NetFlow/IPFIX: The WikiLeaks Case
DOI 10.1007/s10922-013-9278-0 Measuring Cloud Service Health Using NetFlow/IPFIX: The WikiLeaks Case Idilio Drago Rick Hofstede Ramin Sadre Anna Sperotto Aiko Pras Received: 18 March 2012 / Revised: 11
More informationTransport Layer Protocols
Transport Layer Protocols Version. Transport layer performs two main tasks for the application layer by using the network layer. It provides end to end communication between two applications, and implements
More informationUnderstanding Slow Start
Chapter 1 Load Balancing 57 Understanding Slow Start When you configure a NetScaler to use a metric-based LB method such as Least Connections, Least Response Time, Least Bandwidth, Least Packets, or Custom
More informationCisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004
Cisco NetFlow TM Briefing Paper Release 2.2 Monday, 02 August 2004 Contents EXECUTIVE SUMMARY...3 THE PROBLEM...3 THE TRADITIONAL SOLUTIONS...4 COMPARISON WITH OTHER TECHNIQUES...6 CISCO NETFLOW OVERVIEW...7
More informationCISCO IOS NETFLOW AND SECURITY
CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network
More informationHigh-Density Network Flow Monitoring
Petr Velan petr.velan@cesnet.cz High-Density Network Flow Monitoring IM2015 12 May 2015, Ottawa Motivation What is high-density flow monitoring? Monitor high traffic in as little rack units as possible
More information8. 網路流量管理 Network Traffic Management
8. 網路流量管理 Network Traffic Management Measurement vs. Metrics end-to-end performance topology, configuration, routing, link properties state active measurements active routes active topology link bit error
More informationThe Effects of DDoS Attacks on Flow Monitoring Applications
The Effects of DDoS Attacks on Flow Monitoring Applications Ramin Sadre, Anna Sperotto, and Aiko Pras University of Twente Design and Analysis of Communication Systems The Netherlands {r.sadre, a.sperotto,
More informationPersonal Cloud Storage: Usage, Performance and Impact of Terminals
Personal Cloud Storage: Usage, Performance and Impact of Terminals Enrico Bocchi, Idilio Drago, Marco Mellia Politecnico di Torino name.surname@polito.it Abstract Personal cloud storage services such as
More informationNetwork Management Deployment Guide
Smart Business Architecture Borderless Networks for Midsized organizations Network Management Deployment Guide Revision: H1CY10 Cisco Smart Business Architecture Borderless Networks for Midsized organizations
More informationHP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide
HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with
More informationUKCMG Industry Forum November 2006
UKCMG Industry Forum November 2006 Capacity and Performance Management of IP Networks Using IP Flow Measurement Agenda Challenges of capacity and performance management of IP based networks What is IP
More informationThe ISP Column A monthly column on all things Internet
The ISP Column A monthly column on all things Internet Just How Good are You? Measuring Network Performance February 2003 Geoff Huston If you are involved in the operation of an IP network, a question
More informationDetecting UDP attacks using packet symmetry with only flow data
University of Twente Department of Electrical Engineering, Mathematics an Computer Science Chair for Design and Analysis of Communication Systems Detecting UDP attacks using packet symmetry with only flow
More informationAn apparatus for P2P classification in Netflow traces
An apparatus for P2P classification in Netflow traces Andrew M Gossett, Ioannis Papapanagiotou and Michael Devetsikiotis Electrical and Computer Engineering, North Carolina State University, Raleigh, USA
More informationplixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationLab 4.1.2 Characterizing Network Applications
Lab 4.1.2 Characterizing Network Applications Objective Device Designation Device Name Address Subnet Mask Discovery Server Business Services 172.17.1.1 255.255.0.0 R1 FC-CPE-1 Fa0/1 172.17.0.1 Fa0/0 10.0.0.1
More informationExperiences Deploying and Operating a Large-Scale Monitoring Infrastructure
1 Experiences Deploying and Operating a Large-Scale Monitoring Infrastructure 25 th NORDUnet conference Arne Øslebø arne.oslebo@uninett.no Outline Background and motivation Typical setup Deployment map
More informationRecommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document
Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.
More informationNetwork Monitoring and Traffic CSTNET, CNIC
Network Monitoring and Traffic Analysis in CSTNET Chunjing Han Aug. 2013 CSTNET, CNIC Topics 1. The background of network monitoring 2. Network monitoring protocols and related tools 3. Network monitoring
More informationSiteCelerate white paper
SiteCelerate white paper Arahe Solutions SITECELERATE OVERVIEW As enterprises increases their investment in Web applications, Portal and websites and as usage of these applications increase, performance
More informationCatalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting
Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting Document ID: 70974 Introduction Prerequisites Requirements Components Used Conventions Background Information Configure Network Diagram
More informationBackground. Personal cloud services are gaining popularity
Background Personal cloud services are gaining popularity Many providers enter the market. (e.g. Dropbox, Google, Microso
More informationUltraFlow -Cisco Netflow tools-
UltraFlow UltraFlow is an application for collecting and analysing Cisco Netflow data. It is written in Python, wxpython, Matplotlib, SQLite and the Python based Twisted network programming framework.
More informationNfSen Plugin Supporting The Virtual Network Monitoring
NfSen Plugin Supporting The Virtual Network Monitoring Vojtěch Krmíček krmicek@liberouter.org Pavel Čeleda celeda@ics.muni.cz Jiří Novotný novotny@cesnet.cz Part I Monitoring of Virtual Network Environments
More informationAbout Firewall Protection
1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote
More informationHow To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)
Network Traffic Performance & Security Monitoring Project proposal minimal project Orsenna;Invea-Tech FLOWMON PROBES 1000 & 100 Contents 1. Introduction... 2 1.1. General System Requirements... 2 1.2.
More informationFrom Centralization to Distribution: A Comparison of File Sharing Protocols
From Centralization to Distribution: A Comparison of File Sharing Protocols Xu Wang, Teng Long and Alan Sussman Department of Computer Science, University of Maryland, College Park, MD, 20742 August, 2015
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationLife of a Packet CS 640, 2015-01-22
Life of a Packet CS 640, 2015-01-22 Outline Recap: building blocks Application to application communication Process to process communication Host to host communication Announcements Syllabus Should have
More information