P2P Filesharing Population Tracking Based on Network Flow Data

Similar documents
P2P File-sharing Traffic Identification Method Validation and Verification

Working With Flow Data in an Academic Environment in the DDoSVax Project at ETH Zuerich

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

P2P Filesharing Systems: Real World NetFlow Traffic Characterization

Flow Analysis Versus Packet Analysis. What Should You Choose?

Three short case studies

How To Analyse The Edonkey 2000 File Sharing Network

Peer-to-Peer Networks Status th Week

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Peer-to-Peer Botnet Detection Using NetFlow Master Thesis

Managing Virtual Servers

Cisco IOS Flexible NetFlow Technology

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Exam 1 Review Questions

Using UDP Packets to Detect P2P File Sharing

How To Monitor A Worm Outbreak In A Backbone Network In Real Time

Internet2 NetFlow Weekly Reports

State of the Art in Peer-to-Peer Performance Testing. European Advanced Networking Test Center

Bandwidth Management for Peer-to-Peer Applications

Inside the Storm: Protocols and Encryption of the Storm Botnet

DDoS Attack Detection Based on Netflow Logs

How To Write A Privacy Policy For Annet Network And Exchange Point (Nnet) Network (Netnet)

Analysis and Detection of DDoS Attacks in the Internet Backbone using Netflow Logs

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

An apparatus for P2P classification in Netflow traces

Configuring Static and Dynamic NAT Simultaneously

Peer-to-Peer Networks Organization and Introduction 1st Week

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands

Peer-to-peer filetransfer protocols and IPv6. János Mohácsi NIIF/HUNGARNET TF-NGN meeting, 1/Oct/2004

A Network Monitoring System with a Peer-to-Peer Architecture

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Network Performance Monitoring at Minimal Capex

Certes Networks Layer 4 Encryption. Network Services Impact Test Results

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

Network Management & Monitoring

Architecture de Réseaux et Dimensionnement du Trafic

Sample Configuration Using the ip nat outside source static

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

The Challenges of Stopping Illegal Peer-to-Peer File Sharing

Information Searching Methods In P2P file-sharing systems

The Role and uses of Peer-to-Peer in file-sharing. Computer Communication & Distributed Systems EDA 390

P2P: centralized directory (Napster s Approach)

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Network Security TCP/IP Refresher

WhatsUpGold. v15.0. Flow Monitor User Guide

Netflow Overview. PacNOG 6 Nadi, Fiji

DDoS Vulnerability Analysis of Bittorrent Protocol

NSC E

TECHNICAL CHALLENGES OF VoIP BYPASS

The Index Poisoning Attack in P2P File Sharing Systems

Mini-Challenge 3. Data Descriptions for Week 1

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Understanding Slow Start

Firewall Troubleshooting

Enabling NetFlow on Virtual Switches ESX Server 3.5

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Computer Networks and the Internet

Lecture 17 - Network Security

Integrated Traffic Monitoring

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

N6Lookup( title ) Client

Passively Detecting Remote Connectivity Issues Using Flow Accounting. 2nd EMANICS Workshop on Netflow/IPFIX usage in network management

Flow Monitor for WhatsUp Gold v16.2 User Guide

Sample Configuration Using the ip nat outside source list C

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

How To Monitor Traffic On A P2P Network On A Pc Or Macbook Or Ipad (For Free) On A Microsoft Webmail (For A Pb) On Pc Or Ipa (For Cheap) On An Ipa Or

Lab Characterizing Network Applications

Skirting ISP Traffic Shaping in P2P Systems, and Countermeasures

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Top-Down Network Design

An Introduction to VoIP Protocols

Multicast vs. P2P for content distribution

A Fast Worm Scan Detection Tool for VPN Congestion Avoidance

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Flow Based Traffic Analysis

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Bit Chat: A Peer-to-Peer Instant Messenger

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Guidance Regarding Skype and Other P2P VoIP Solutions

Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures

Traffic monitoring with sflow and ProCurve Manager Plus

Flow Monitor for WhatsUp Gold v16.1 User Guide

Classifying P2P Activities in Netflow Records: A Case Study (BitTorrnet & Skype) Ahmed Bashir

Qcast : IP Multicast Traffic Monitoring System with IPFIX/PSAMP

NetFlow/IPFIX Various Thoughts

Developing P2P Protocols across NAT

HTGR- Netflow. or, how to know what your network really did without going broke

PEER-TO-PEER NETWORK

How To Use A Phone Over Ip (Phyto) For A Phone Call

Beyond Monitoring Root-Cause Analysis

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

Signature-aware Traffic Monitoring with IPFIX 1

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages

Application Latency Monitoring using nprobe

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Transcription:

P2P Filesharing Population Tracking Based on Network Flow Data Arno Wagner, Thomas Dübendorfer, Lukas Hämmerle, Bernhard Plattner Contact: arno@wagner.name Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich)

Outline 1. Motivation 2. Setting 3. The PeerTracker 4. Validation by Polling 5. Comments on Legal Aspects 6. Conclusion Arno Wagner, ETH Zurich, ICISP 2006 p.1

Contributors Philipp Jardas, P2P Filesharing Systems: Real World NetFlow Traffic Characterization, Barchelor Thesis, ETH Zürich, 2004 Lukas Hämmerle, P2P Population Tracking and Traffic Characterization of Current P2P file-sharing Systems, Master Thesis, ETH Zürich, 2004 Roger Kaspar, P2P File-sharing Traffic Identification Method Validation and Verification, Semester Thesis, ETH Zürich, 2005 PDFs available from http://www.tik.ee.ethz.ch/~ddosvax/sada/ Arno Wagner, ETH Zurich, ICISP 2006 p.2

Motivation P2P traffic forms a large and dynamic part of the overall network traffic Identification of P2P traffic allows P2P anomaly detection Identification of P2P traffic allows better analysis of other traffic Arno Wagner, ETH Zurich, ICISP 2006 p.3

The DDoSVax Project http://www.tik.ee.ethz.ch/~ddosvax/ Collaboration between SWITCH (www.switch.ch, AS559) and ETH Zurich (www.ethz.ch) Aim (long-term): Near real-time analysis and countermeasures for DDoS-Attacks and Internet Worms Start: Begin of 2003 Funded by SWITCH and the Swiss National Science Foundation Arno Wagner, ETH Zurich, ICISP 2006 p.4

DDoSVax Data Source: SWITCH The Swiss Academic And Research Network.ch Registrar Links most Swiss Universities and CERN Carried around 5% of all Swiss Internet traffic in 2003 Around 60.000.000 flows/hour Around 300GB traffic/hour Flow archive (unsampled) since May 2003 Arno Wagner, ETH Zurich, ICISP 2006 p.5

What is a Flow? In the DDoSVax-Project: CISCO NetFlow v5. Basically unidirectional aggregated header information: Source and destination IP Protocol Source and destination port (TCP and UDP) Packet and byte count Start and end time stamp, 1ms accuracy Some routing information No payload information whatsoever Arno Wagner, ETH Zurich, ICISP 2006 p.6

P2P Networks Considered Signalling connection File transfer connection BitTorrent Azureus... BitTorrent Kademlia emule Client Server/ Supernode/ Tracker edonkey FastTrack/iMesh mldonkey Gnutella Overnet KaZaA imesh Grokster... LimeWire Bearshare Shareaza... Overnet edonkey2000... Arno Wagner, ETH Zurich, ICISP 2006 p.7

PeerTracker Algorithm Idea: Traverse P2P network from seeds Seeds: Seeds are peers using default ports (TCP and UDP) Keep a pool of peers for each network Add hosts that communicate with the pool Remove hosts that are idle Arno Wagner, ETH Zurich, ICISP 2006 p.8

Default Port Usage P2P System Default port usage (TCP) BitTorrent 70.0 % FastTrack 8.3 % Gnutella 58.6 % edonkey 55.6 % Overnet 83.9 % Kademlia 66.6 % From 8 day PeerTracker measurement end of 2004 Arno Wagner, ETH Zurich, ICISP 2006 p.9

PeerTracker: Hosts State Diagram Arno Wagner, ETH Zurich, ICISP 2006 p.10

Some PeerTracker Details Peers in the SWITCH network form core External hosts only identified if they contact core Different ageing for core and external hosts Dead core peers are still contacted from external peers Arno Wagner, ETH Zurich, ICISP 2006 p.11

Validation The PeerTracker does not look at Payloads Large error possible Validation Approach: Run PeerTracker Poll found peers immediately Compare polling and tracker results Arno Wagner, ETH Zurich, ICISP 2006 p.12

Peer Polling Methods P2P System Polling method FastTrack Request: GET /.files HTTP/1.0 Response: HTTP 1.0 403 Forbidden <number 1> <number 2> or HTTP/1.0 404 Not Found/nX-Kazaa-<username> Gnutella Request: GNUTELLA CONNECT/<version> Response: Gnutella <status> edonkey, Request: Binary: 0xE3 <length> 0x01 0x10 <MD4 hash> <ID> <port> Kademlia, Response: Binary: 0xE3... Overnet emule Same as edonkey, but replace initial byte with 0xC5. BitTorrent Unsolved. Seems to need knowledge of a shared file on the target peer. Arno Wagner, ETH Zurich, ICISP 2006 p.13

Polling Results P2P System TCP Connect P2P-client found edonkey, Kademlia, 50% 41% Overnet Gnutella 53% 30% FastTrack 51% 41% Total 51% 38% Table 1: Positive polling answers Arno Wagner, ETH Zurich, ICISP 2006 p.14

Polling Remarks Delay to polling < 10 Minutes About 50% unreachable via TCP and port seen by PeerTracker likely behind NAT Other errors: Peer variation (esp. Gnutella), classification into wrong network, tracker error BitTorrent not really pollable Arno Wagner, ETH Zurich, ICISP 2006 p.15

Legal Aspects (Warning: I am no legal expert) Flow data likely not subject to privacy laws (unless attempts to identify people are made) PeerTracker does not identify content shared output unproblematic, no action needs to be taken Identification of heavy hitters unproblematic, since payloads (shared contents) not identified Polling is unproblematic, since similar to running a peer (some users get nervous though...) Arno Wagner, ETH Zurich, ICISP 2006 p.16

PeerTracker for Law Enforcement Situation for CH! Massive private file-sharing is done Law enforcement is not really interested in copyright infringement Illegal contents (child pornography and the like) can be done far better with modified P2P clients Not really suitable Arno Wagner, ETH Zurich, ICISP 2006 p.17

Conclusion, Remarks Peer identification feasible with flow data Nodes with little traffic problematic BitTorrent problematic P2P filesharing still evolves PeerTracker code is available under GPL In productive use at ETH Zurich since 2005 Arno Wagner, ETH Zurich, ICISP 2006 p.18

Thank You! Arno Wagner, ETH Zurich, ICISP 2006 p.19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information