ndpi ndpi: Open-Source High-Speed Deep Packet Inspection Luca Deri

Similar documents
High-Speed Network Traffic Monitoring Using ntopng. Luca

Monitoring Network Traffic using ntopng

High-Speed Network Traffic Monitoring Using ntopng

Getting More Information On Your Network Performance

Monitoring Network Traffic using ntopng

ndpi: Open-Source High-Speed Deep Packet Inspection

Network Troubleshooting Using ntopng Luca Deri

Flow Analysis Versus Packet Analysis. What Should You Choose?

Extended Independent Comparison of Popular Deep Packet Inspection (DPI) Tools for Traffic Classification

An apparatus for P2P classification in Netflow traces

Live Traffic Monitoring with Tstat: Capabilities and Experiences

10 Gbit Hardware Packet Filtering Using Commodity Network Adapters. Luca Deri Joseph Gasparakis

Open Source in Network Administration: the ntop Project

Monitoring high-speed networks using ntop. Luca Deri

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

Introduction to Network Security. Topics

ntopng: Realtime Network Traffic View

EKT 332/4 COMPUTER NETWORK

Firewall Testing Methodology W H I T E P A P E R

Monitoring Mobile Network Traffic (3G/LTE) Luca Deri

COMP416 Lab (1) Wireshark I. 23 September 2013

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

SECURITY & REAL-TIME APPLICATION INSIGHT

DPI and Metadata for Cybersecurity Applications

Trends and Differences in Connection-behavior within Classes of Internet Backbone Traffic

Computer Networks. Secure Systems

Monitoring Mobile Network Traffic (3G/LTE) Luca Deri

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

Networks and Security Lab. Network Forensics

Application Latency Monitoring using nprobe

How to Keep Video From Blowing Up Your Network

State of the Art in Peer-to-Peer Performance Testing. European Advanced Networking Test Center

ReadyNAS Remote White Paper. NETGEAR May 2010

Lab VI Capturing and monitoring the network traffic

Towards 100 Gbit Flow-Based Network Monitoring. Luca Deri Alfredo Cardigliano

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Ulogd2, Advanced firewall logging

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

Scalable Extraction, Aggregation, and Response to Network Intelligence

Overview - Using ADAMS With a Firewall

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Overview - Using ADAMS With a Firewall

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

DMZ Network Visibility with Wireshark June 15, 2010

Protocol Security Where?

Application Detection

HTTPS Inspection with Cisco CWS

5 Things You Need to Know About Deep Packet Inspection (DPI)

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Cisco IOS Flexible NetFlow Technology

Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.

Lecture 28: Internet Protocols

Introduction to Wireshark Network Analysis

How To Identify Different Operating Systems From A Set Of Network Flows

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Classifying P2P Activity in Netflow Records: A Case Study on BitTorrent

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Voice Over IP Performance Assurance

Traffic Classification

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Chapter 32 Internet Security

Job Reference Guide. SLAMD Distributed Load Generation Engine. Version 1.8.2

Open Source VoIP Traffic Monitoring

R&S SITGate Next-Generation Firewall Secure access to Internet and cloud services

Self-Adapting Load Balancing for DNS

Datacenter Operating Systems

How To Use The Cisco Ace Module For A Load Balancing System

CSE543 - Computer and Network Security Module: Firewalls

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Going Beyond Deep Packet Inspection (DPI) Software on Intel Architecture

EAGLE EYE IP TAP. 1. Introduction

Application Layer -1- Network Tools

Early Recognition of Encrypted Applications

Managing Latency in IPS Networks

I3: Maximizing Packet Capture Performance. Andrew Brown

Network Traffic Characterization using Energy TF Distributions

CIT 480: Securing Computer Systems. Firewalls

Intrusion Defense Firewall

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

CGHub Client Security Guide Documentation

Network Security Management

Chapter 9. IP Secure

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

REPORT & ENFORCE POLICY

technology standards and protocol for ip telephony solutions

Final for ECE374 05/06/13 Solution!!

Cleaning Encrypted Traffic

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Transcription:

ndpi ndpi: Open-Source High-Speed Deep Packet Inspection Luca Deri

Traffic Classification: an Overview Traffic classification is compulsory to understand the traffic flowing on a network and enhance user experience by tuning specific network parameters. Main classification methods include: TCP/UDP port classification. QoS based classification (DSCP). Statistical Classification. Deep Packet Inspection. 2

Port- and DSCP-based Traffic Classification Port-based Classification In the early day of the Internet, network traffic protocols were identified by protocol and port. Can classify only application protocols operating on well known ports (no rpcbind or portmap). Easy to cheat and thus unreliable (TCP/80!= HTTP). QoS Markers (DSCP) Similar to port classification but based on QoS tags. Usually ignored as it is easy to cheat and forge. 3

Statistical Traffic Classification Classification of IP packets (size, port, flags, IP addresses) and flows (duration, frequency ). Based on rules written manually, or automatically using machine learning (ML) algorithms. ML requires a training set of very good quality, and it is generally computationally intensive. Detection rate can be as good as 95% for cases which were covered by the training set, and poor accuracy for all the other cases. 4

Deep Packet Inspection (DPI) Technique that inspects the packet payload. Computationally intensive with respect to simple packet header analysis. Concerns about privacy and confidentiality of inspected data. Encryption is becoming pervasive, thus challenging DPI techniques. No false positives unless statistical methods or IP range/flow analysis are used by DPI tools. 5

Using DPI in Traffic Monitoring Packet header analysis is no longer enough as it is unreliable and thus useless. Security and network administrators want to know what are the real protocols flowing on a network, this regardless of the port being used. Selective metadata extraction (e.g. HTTP URL or User-Agent) is necessary to perform accurate monitoring and thus this task should be performed by the DPI toolkit without replicating it on monitoring applications. 6

Motivation There are many commercial DPI libraries: NDAbased, expensive (both in price and maintenance), closed source (you need to trust manufactures), non-extensible by end-users (vendor lock-in). Alternatives: Linux layer-7 filter (obsolete), Libprotoident (good but limited to 4 bytes analysis thus not extracting any metadata). In essence we need an open-source DPI system. 7

Welcome to ndpi We decided to develop our own GNU GPL DPI toolkit (based on a unmaintained project named OpenDPI) in order to build an open DPI layer for ntop and third-party applications. Protocols supported exceed 170 and include: P2P (Skype, BitTorrent) Messaging (Viber, Whatsapp, MSN, The Facebook) Multimedia (YouTube, Last.gm, itunes) Conferencing (Webex, CitrixOnLine) Streaming (Zattoo, Icecast, Shoutcast, Netflix) Business (VNC, RDP, Citrix, *SQL) 8

ndpi vs OpenDPI [1/2] Code has been changed to be really end-user extensible by coding a new protocol dissector. Various code sections have been rewritten to make them reentrant (multithread). Major performance improvements, and introduction of hints (e.g. for traffic on TCP/80 try the HTTP dissector first). Added support for SSL certificate decoding, used for detecting specific communications (e.g. classify encrypted Apple traffic: itunes vs. FaceTime). 9

ndpi vs OpenDPI [2/2] Introduction of substring-matching for searching specific words on strings. For instance users can configure at runtime rule where for HTTP traffic matching host names *google.com should be considered as Google (protocol) traffic. Extraction of metadata such as HTTP URL, DNS queried hostnames to be used by user-space applications. Port to non-x86 platforms and embedded platforms. 10

ndpi Internals The library engine is responsible for maintaining flow state (no DPI is performed). Based on flow protocol/port all dissector that can potentially match the flow are applied sequentially starting from the one that most likely match. Each dissector is coded into a different.c file for the sake of modularity and extensibility. There is an extra.c file for IP matching (e.g. identify spotify traffic based on Spotify AS). 11

Traffic Classification Lifecycle ndpi divides the traffic in 5-tuple flows. Based on traffic type (e.g. UDP traffic) dissectors are applied sequentially starting with the one that will most likely match the flow. Each flow maintains the state for non-matching dissectors in order to skip them in future iterations. Analysis lasts until a match is found or after too many attempts (8 packets is the upper-bound in our experience). 12

Evaluating ndpi [1/2] ndpi has been evaluated both in terms of accuracy and performance. The best accuracy we obtained from ndpi (91 points), PACE (82 points), UPC MLA (79 points), and Libprotoident (78 points) * Issues on ndpi are mostly due to dissectors that conservative and thus prefer report a flow as unknown rather than misclassify it. * T. Bujlow, V. Carela-Español, P. Barlet-Ros, Comparison of Deep Packet Inspection (DPI) Tools for Traffic Classification, Technical Report, June 2013. 13

Evaluating ndpi [2/2] Bug Fixed 14

ndpi Performance # taskset -c 1./pcapReader -i ~/test.pcap Using ndpi (r7253) pcap file contains IP packets: 3000543 of 3295278 packets IP bytes:1043493248(avg pkt size 316 bytes) Unique flows: 500 ndpi throughput: 3.42 M pps / 8.85 Gb/sec With two cores it is possible to analyse a full 10 Gbit link on a Intel i7-860 both using traffic traces or capturing live on top of PF_RING (home-grown packet processing framework). 15

ndpi In Real Life ndpi is used by several projects on the Internet including: Network Forensics (Xplico). Linux-kernel packet filtering (ndpi-netfilter). ntopng 16

Final Remarks We have presented ndpi an open source DPI toolkit able to detect many popular Internet protocols and scale at 10 Gbit on commodity hardware platforms. Its open design make it suitable for using it both in open-source and security applications where code inspection is compulsory. Code Availability (GNU LGPLv3) https://svn.ntop.org/svn/ntop/trunk/ndpi/ 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information