Bitmap Algorithms for Counting Active Flows on High Speed Links. Elisa Jasinska jasinska@informatik.hu-berlin.de



Similar documents
Software-Defined Traffic Measurement with OpenSketch

CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

Scalable Prefix Matching for Internet Packet Forwarding

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

1 Introduction. Agenda Item: Work Item:

Network monitoring in high-speed links

Indexing Full Packet Capture Data With Flow

Configurable String Matching Hardware for Speeding up Intrusion Detection. Monther Aldwairi*, Thomas Conte, Paul Franzon

Integrated Traffic Monitoring

Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks

Stateful Firewalls. Hank and Foo

Securing IP Networks with Implementation of IPv6

IP Filter/Firewall Setup

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

1 Introduction. Agenda Item: Work Item:

IPv6 Intrusion Detection Research Project

1. Summary Recording triggered by SIP INFO Configurations on the phone How the SIP INFO works... 2

Packet Sniffing on Layer 2 Switched Local Area Networks

EMIST Network Traffic Digesting (NTD) Tool Manual (Version I)

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

Chapter 8 Monitoring and Logging

Firewalls Overview and Best Practices. White Paper

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

Network Monitoring. Sebastian Büttrich, NSRC / IT University of Copenhagen Last edit: February 2012, ICTP Trieste

FortKnox Personal Firewall

Hostname (DNS Resolvable) Network Objects

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Advanced Settings. Help Documentation

Building a better NetFlow

Network Security Algorithms

- Introduction to PIX/ASA Firewalls -

Computer Simulation of Denial of Service attack in Military Information Network using OPNET

Using SYN Flood Protection in SonicOS Enhanced

MULTI WAN TECHNICAL OVERVIEW

White Paper Increase Flexibility in Layer 2 Switches by Integrating Ethernet ASSP Functions Into FPGAs

Calculation Algorithm for Network Flow Parameters Entropy in Anomaly Detection

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Internet Packets. Forwarding Datagrams

Internet Services. Amcom. Support & Troubleshooting Guide

Chapter 7. Address Translation

Overview. Protocols. VPN and Firewalls

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Linux MDS Firewall Supplement

Voice Over IP Per Call Bandwidth Consumption

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Improving DNS performance using Stateless TCP in FreeBSD 9

ΕΠΛ 674: Εργαστήριο 5 Firewalls

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

LanFiltrator The "Reversed" Trojan. (Free Gobo 2) Security Through Hacking. Straight forward, no nonsense Security tool Tutorials.

Client Server Registration Protocol

Secure SCTP against DoS Attacks in Wireless Internet

IP Filter/Firewall Setup

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)

An apparatus for P2P classification in Netflow traces

Demystifying the Myth of Passive Network Discovery and Monitoring Systems

LUCOM GmbH * Ansbacher Str. 2a * Zirndorf * Tel / * Fax / *

Message Authentication Codes

ESSENTIALS. Understanding Ethernet Switches and Routers. April 2011 VOLUME 3 ISSUE 1 A TECHNICAL SUPPLEMENT TO CONTROL NETWORK

Overview. Author: Seth Scardefield Updated 11/11/2013

How To Understand The Power Of The Internet

Distance Vector Routing Protocols. Routing Protocols and Concepts Ola Lundh

IPsec Details 1 / 43. IPsec Details

Detecting Flooding Attacks Using Power Divergence

Bit Chat: A Peer-to-Peer Instant Messenger

Solution of Exercise Sheet 5

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Real-Time Detection of Hidden Traffic Patterns

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

Project 4: (E)DoS Attacks

About Firewall Protection

Advanced Computer Networks IN Dec 2015

Mac Protocols for Wireless Sensor Networks

Protocol Security Where?

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Testing Network Security Using OPNET

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

FortiGate IPS Guide. Intrusion Prevention System Guide. Version November

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

OCS Training Workshop LAB14. Setup

Cisco Integrated Services Routers Performance Overview

Transcription:

Bitmap Algorithms for Counting Active Flows on High Speed Links Elisa Jasinska jasinska@informatik.hu-berlin.de Seminar: Internet Measurement Technische Universität Berlin - Deutsche Telekom Laboratories

Reference Cristian Estan, George Varghese & Mike Fisk, Bitmap Algorithms for Counting Active Flows on High Speed Links, Internet Measurement Conference 2003 Paper: http://www.imconf.net/imc-2003/papers/ p327-estan.ps Presentation: http://www.cs.ucsd.edu/users/ cestan/papers/flowcountingbitmaps.ppt

Agenda Flow? Counting Flows? Motivation Bitmap Algorithms Number of Flows? Tests and Results Summary

Flow? Constant values in certain fields of packet header Eg. source and destination IP address, port numbers, etc. FlowID Distinction between active and inactive flows

Counting Flows? Portscans Denial of Service attacks (DoS) General measurements Packet scheduling

Motivation Counting flows on high speed links needs: Fast processing Little (and fast) memory usage Bitmaps just set a bit no read-modify-write operation needed!

Bitmap Algorithms Direct Bitmap Virtual Bitmap Multiresolution Bitmap Derived Algorithms

Direct Bitmap Hash function on flowid Set bit accordingly

Direct Bitmap Collisions: Different flowid can result in same bit Estimation error large with fill grade > 50% Bitmap size must grow linearly with the amount of flows more memory usage

Virtual Bitmap Writes only part of the direct bitmap that would be needed for accurate result Reduced memory usage Information about flow amount needed upfront

Multiple Bitmaps Multiple virtual bitmaps with different resolutions Allows us to choose the most accurate one More memory usage! More bit-set operations!

Multiresolution Bitmap One bitmap, different resolutions Less memory usage! Less bit-set operations! Multiple virtual bitmaps can be calculated back through OR operations

Derived Algorithms Adaptive Bitmap, combination of... Large Virtual Bitmap and Small Multiresolution Bitmap Triggered Bitmap, combination of... Small Direct Bitmap and Large Multiresolution Bitmap

Number of Flows? Estimation due to collisions Expected error depends on flow density Important factor: configuration (size of bitmaps, etc.)

Tests and Results Error in # of flows with Virtual Bitmap with different flow densities Memory usage comparison of Snort, probabilistic counting and Triggered Bitmap

Virtual Bitmap Error

Triggered Bitmap Memory Usage Snort Minimum memory usage in an implementation using naive algorithm Probabilistic counting Based on multiresolution bitmap Triggered Bitmap

Triggered Bitmap Memory Usage Interval Snort Calculation Triggered Bitmap 12 sec. 1 968 K 2 474 K 381 K 600 sec. 50 791 K 22 876 K 5 725 K

Summary Use bitmaps to count flows On high speeds With reduced memory usage Only set a one bit No read-modify-write operation needed Less memory usage

Summary Hash function reduces number of results Even less memory usage Fast SRAM can be used Number of flows calculated statistically Error estimations feasible

Thanks for listening! Questions? Seminar: Internet Measurement Technische Universität Berlin - Deutsche Telekom Laboratories