Software-Defined Traffic Measurement with OpenSketch

Similar documents
Software Defined Traffic Measurement with OpenSketch

FlowRadar: A Better NetFlow for Data Centers

Bitmap Algorithms for Counting Active Flows on High Speed Links. Elisa Jasinska

基 於 SDN 與 可 程 式 化 硬 體 架 構 之 雲 端 網 路 系 統 交 換 器

Counting Problems in Flash Storage Design

Indexing Full Packet Capture Data With Flow

Comprehensive IP Traffic Monitoring with FTAS System

Are Second Generation Firewalls Good for Industrial Control Systems?

Detection of Distributed Denial of Service Attack with Hadoop on Live Network

Enabling Open-Source High Speed Network Monitoring on NetFPGA

A Fuzzy Logic-Based Information Security Management for Software-Defined Networks

Cisco IOS Flexible NetFlow Technology

On the effect of forwarding table size on SDN network utilization

Network Security through Software Defined Networking: a Survey

Hadoop Technology for Flow Analysis of the Internet Traffic

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

Exam 1 Review Questions

The State of OpenFlow: Advice for Those Considering SDN. Steve Wallace Executive Director, InCNTRE SDN Lab Indiana University

Ranch Networks for Hosted Data Centers

Network Monitoring and Traffic CSTNET, CNIC

Principle and Implementation of. Protocol Oblivious Forwarding

An apparatus for P2P classification in Netflow traces

Internet Management and Measurements Measurements

Network Tomography and Internet Traffic Matrices

Software Defined Networking (SDN) - Open Flow

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

An Efficient Algorithm for Measuring Medium- to Large-sized Flows in Network Traffic

How To Understand The Power Of The Internet

SDN Programming Languages. Programming SDNs!

Packet Flow Analysis and Congestion Control of Big Data by Hadoop

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

The Internet: A Remarkable Story. Inside the Net: A Different Story. Networks are Hard to Manage. Software Defined Networking Concepts

NetFlow probe on NetFPGA

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Open Flow Controller and Switch Datasheet

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

ON THE IMPLEMENTATION OF ADAPTIVE FLOW MEASUREMENT IN THE SDN-ENABLED NETWORK: A PROTOTYPE

The Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology

DPtech ADX Application Delivery Platform Series

Scalable NetFlow Analysis with Hadoop Yeonhee Lee and Youngseok Lee

SDN_CDN Documentation

Limitations of Current Networking Architecture OpenFlow Architecture

Big Data & Scripting Part II Streaming Algorithms

Internet Packets. Forwarding Datagrams

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Experimentation driven traffic monitoring and engineering research

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

Applications of Software-Defined Networking (SDN) in Power System Communication Infrastructure: Benefits and Challenges

General system requirements

Getting traffic statistics from network devices in an SDN environment using OpenFlow

Configurable String Matching Hardware for Speeding up Intrusion Detection. Monther Aldwairi*, Thomas Conte, Paul Franzon

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications

Leveraging Advanced Load Sharing for Scaling Capacity to 100 Gbps and Beyond

Network traffic monitoring and management. Sonia Panchen 11 th November 2010

Programmable Networking with Open vswitch

Cisco Network Foundation Protection Overview

OpenFlow Based Load Balancing

and reporting Slavko Gajin

Software Defined Networks

Autonomous NetFlow Probe

Watch your Flows with NfSen and NFDUMP 50th RIPE Meeting May 3, 2005 Stockholm Peter Haag

Flow Based Traffic Analysis

IMPLEMENTATION AND EVALUATION OF THE MOBILITYFIRST PROTOCOL STACK ON SOFTWARE-DEFINED NETWORK PLATFORMS

Portland: how to use the topology feature of the datacenter network to scale routing and forwarding

Securing Local Area Network with OpenFlow

How to launch and defend against a DDoS

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Network Virtualization Based on Flows

Traffic Monitoring using sflow

BROADCOM SDN SOLUTIONS OF-DPA (OPENFLOW DATA PLANE ABSTRACTION) SOFTWARE

Fiber Channel Over Ethernet (FCoE)

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Detecting Network Anomalies. Anant Shah

Network Measurement. Why Measure the Network? Types of Measurement. Traffic Measurement. Packet Monitoring. Monitoring a LAN Link. ScienLfic discovery

Per-Packet Load Balancing

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Overview: Load Balancing with the MNLB Feature Set for LocalDirector

Security Toolsets for ISP Defense

Scalable and Reliable control and Management for SDN-based Large-scale Networks. CJK CFI

Service Description DDoS Mitigation Service

A low-cost, connection aware, load-balancing solution for distributing Gigabit Ethernet traffic between two intrusion detection systems

Transcription:

Software-Defined Traffic Measurement with OpenSketch Lavanya Jose Stanford University Joint work with Minlan Yu and Rui Miao at USC 1 1

Management is Control + Measurement control - Access Control - Routing measure - DDoS - Flow Size Distribution 2 2

Questions we want to ask 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is someone doing a port scan? 4. Is someone being DDoS-ed? 5. Who s getting traffic from blacklisted IPs? 6. How many people downloaded files from 10.0.2.1? 3 3

Switches are great at counting per flow bytes and packets NetFlow and sflow sample packets NetFlow maintains per flow byte and packet counts Can find count of a particular flow, prefix or counts of heavy flows 4 4

Problem: NetFlow counts can t answer my questions Is someone doing a port scan? NetFlow samples packets from heavy flows. Missed packets from small port scanners. - Increase sampling rate --> inefficient 5 5

Streaming algorithms + Process efficiently at line rate + Accurate answers - But each answers a specific question 6 6

What measurement architecture can answer all my questions? 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is someone doing a port scan? 4. Is someone being DDoS-ed? 5. Who s getting traffic from blacklisted IPs? 6. How many people downloaded files from 10.0.2.1? 7 7

SDN Model: Find Building Blocks 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is someone doing a port scan?...??? 8 8

Sketches as building blocks Sketch Data structure Support approx. computing some function of data Much smaller than actual data Streaming, small per-item processing cost Provable space-accuracy tradeoffs 9 9

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses Packet h1 h2 h3 3 2 1 23 0 4 22 4 9 3 2 1 2 3 0 4 22 5 process (Cormode 2005) 10 10

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses Source IP address : 23.43.12.1 h1 h2 h3 3 2 1 23 0 4 22 4 9 3 2 1 2 3 0 4 22 5 process (Cormode 2005) 10 10

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses Source IP address : 23.43.12.1 h1 h2 h3 3 2 1 23 0 4 22 4 9 3 2 1 2 3 0 4 22 5 process (Cormode 2005) 10 10

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses Source IP address : 23.43.12.1 h1 h2 h3 3 2 1 23 24 0 4 22 4 9 3 2 1 2 3 0 4 22 5 process (Cormode 2005) 10 10

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses Source IP address : 23.43.12.1 h1 h2 h3 3 2 1 23 24 0 4 22 23 4 9 3 2 1 2 3 0 4 22 23 5 process (Cormode 2005) 10 10

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses query h1 h2 h3 3 2 1 24 0 4 23 4 9 3 2 1 2 3 0 4 23 5 (Cormode 2005) 11 11

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses # packets from h1 3 2 1 24 0 4 23.43.12.1? 23 4 9 3 2 1 h2 query h3 2 3 0 4 23 5 (Cormode 2005) 11 11

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses # packets from h1 3 2 1 24 0 4 23.43.12.1? 23 4 9 3 2 1 h2 query h3 estimate 2 3 0 4 23 5 24 23 23 pick min. (Cormode 2005) 11 11

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses # packets from h1 3 2 1 24 0 4 23.43.12.1? 23 4 9 3 2 1 h2 query h3 estimate 2 3 0 4 23 5 23 pick min. (Cormode 2005) 11 11

Sketches as building blocks e.g., Count Min sketch to store counts of frequent source IP addresses + Provable spaceaccuracy tradeoffs (Cormode 2005) 23 estimate pick min. 12 12

Sketches as building blocks Counting, storing statistics Picking packets Identifying to measure heavy keys (Reversible Sketch: Schweller 2004) 13 13

...answer many questions 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is someone doing a port scan? 4. Is someone being DDoS-ed? 5. Who s getting traffic from blacklisted IPs? 6. How many people downloaded files from 10.0.2.1? (Reversible Sketch: Schweller 2004) Counting, storing statistics Identifying heavy keys 14 14

But each sketch estimates only one function - frequency count - cardinality - set membership - heavy keys process process process process query query query query estimate 15 15

3-stage pipeline - frequency count - cardinality - set membership - heavy keys process process process process query query query query estimate 16 16

3-stage pipeline - frequency count - cardinality - set membership - heavy keys query query query query estimate Hash Classify Count 16 16

3-stage pipeline pick fields to hash hash values header fields acket compute counter addresses Hash Classify Count header fields header fields pick field to match hash values 17 17

3-stage pipeline - frequency count - cardinality - set membership - heavy keys query query query query estimate Hash Classify Count 18 18

3-stage pipeline Identifying heavy keys Counting, storing statistics Picking packets to measure Hash Classify Count 18 18

3-stage pipeline 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is someone doing a port scan? Identifying heavy keys Counting, storing statistics Picking packets to measure Hash Classify Count 18 18

OpenSketch Measurement Framework Controller 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is.. Identifying heavy keys Counting, storing statistics Picking packets to measure ata Plane Hash Classify Count 19 19

OpenSketch Measurement Framework Controller 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is.. Measurement Identifying Counting, Library heavy keys storing Picking packets to measure statistics ata Plane Hash Classify Count 19 19

OpenSketch Measurement Framework Controller 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is.. Measurement Programs Measurement Identifying Counting, Library heavy keys storing Picking packets to measure statistics ata Plane Hash Classify Count 19 19

OpenSketch Measurement Framework Controller 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is.. Measurement Programs Measurement Identifying Counting, Library heavy keys storing Picking packets to measure statistics ata Plane #, field, range (match, action) # counters, size, update type, addr. calculation Hash Classify Count 19 19

OpenSketch Measurement Framework Controller 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is.. Measurement Programs Measurement Identifying Counting, Library heavy keys storing Picking packets to measure statistics ata Plane Hash Classify Count 19 19

Details Implementing sketches with the Pipeline Configuring the Pipeline Evaluation and NetFPGA prototype 20 20

Count Min Sketch with the Pipeline Counting, storing statistics Source IP address : 23.43.12.1 to store counts of frequent source IP addresses h1 h2 3 2 1 23 24 0 4 22 23 4 9 3 2 1 h3 2 3 0 4 22 23 5 process Hash Count 21 21

Bitmap Sketch with the Pipeline Counting, storing statistics to store number of different destination port numbers Packet h 0 0 1 0 0 1 0 0 1 0 process Hash Count 22 22

Bitmap Sketch with the Pipeline Counting, storing statistics to store number of different destination port numbers Destination port number : 5596 h 0 0 1 0 0 1 0 0 1 0 process Hash Count 22 22

Bitmap Sketch with the Pipeline Counting, storing statistics to store number of different destination port numbers Destination port number : 5596 h 10 0 1 0 0 1 0 0 1 0 process Hash Count 22 22

Bitmap Sketch with the Pipeline Counting, storing statistics to store number of different destination port numbers # different destination port numbers? 1 0 1 0 0 1 0 0 1 0 query (Whang 1990) 23 23

Bitmap Sketch with the Pipeline Counting, storing statistics to store number of different destination port numbers # different destination port numbers? 1 0 1 0 0 1 0 0 1 0 query estimate 6/10 estimate N = -10 ln(6/10)= 5 (Whang 1990) Six counters out of ten are 0. 23 23

Other Sketches K-ary Sketch for heavy changes Bloom Filter Sketch to check set membership PCSA sketch to count distinct values (Schweller 2004; Goel 2010; Flajolet 1985) 24 24

Efficient implementation of 3-stage pipeline Hash Classify Count hash in parallel TCAM rules cheap fast memory MBs of SRAM 25 25

Similar functions, diverse configurations Hash Classify Count?? hash functions?? TCAM entries for classify rules?? MBs of SRAM for tables of counters 26 26

Similar functions, diverse configurations Hash 4-8 simple hash functions per question - Count Min: 3 - Bloom Filters: 7-8 - Fixed size reversible sketch: 5 - Can share hash functions 27 27

Similar functions, diverse configurations Classify 30-40 TCAM entries per question maximum - Match a prefix/ value: 1 rule - Match a set of values: Bloom Filters 28 28

Similar functions, diverse configurations Count From simulation and worst case bounds for different tasks up to 8MB SRAM 29 29

relative error (%) Similar functions, diverse configurations Count Change detection up to 8MB SRAM 2MB for 1.7% err SRAM (MB) 29 29

relative error (%) Similar functions, diverse configurations Count Change detection up to 8MB SRAM 7.5MB for 0.5% err SRAM (MB) 29 29

Measurement tasks 1. Who s sending a lot to 10.0.2.0/16? (Heavy Hitters) 2. How are flow sizes distributed? 3. Is someone doing a port scan? 4. Is someone being DDoS-ed? 5. Who s getting traffic from blacklisted IPs? 6. How many people downloaded files from 10.0.2.1? (Heavy Hitters: Cormode 2005; Flow Size Distribution: Kumar 2004; Change detection: Schweller 2004; DDoS detection: Venkataraman 2005) 30 30

More efficient than NetFlow (Heavy Hitters) False pos. (%) 14 12 10 8 6 4 2 0 NetFlow-pos OpenSketch-pos Efficient- needs 1/4th as much memory as NetFlow for 4% f.p. 200 400 600 800 1000 1200 Switch memory size (KB) 31 31

More efficient than NetFlow (Heavy Hitters) Accurate- with 600KB, OpenSketch has less than 0.05% f.p. NetFlow has around 3% False pos. (%) 14 12 10 8 6 4 2 0 NetFlow-pos OpenSketch-pos 200 400 600 800 1000 1200 Switch memory size (KB) 31 31

OpenSketch NetFPGA Prototype 3-stage meas. pipeline parallel to forwarding Full throughput 1Gbps @ 4 ports Measurement pipeline takes fewer cycles than forwarding 32 32

Conclusion Current switches good for flow statistics But they don t answer basic measurement questions Like identify heavy hitters, detect DDoS attacks, port scans, traffic from blacklisted IP address etc. 33 33

Takeaway Hash, classify and count pipeline in the Data Plane And sketch based building blocks in the Control Plane Make measurement in switches efficient and easy 34 34

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information