Network Monitoring and Security - PowerPoint PPT Presentation

1
Network Monitoring and Security
  • Nick Feamster, CS 4251, Spring 2008

2
Network Measurement
3
Passive vs. Active Measurement
  • Passive measurement: collection of packets or flow
    statistics from traffic that is already flowing on
    the network
    • Packet traces
    • Flow statistics
    • Application-level logs
  • Active measurement: inject probing traffic to
    measure various characteristics
    • Traceroute
    • Ping
    • Application-level probes (e.g., Web downloads)

4
Billing for Internet Usage
  • 95th percentile billing
    • Customer network pays for a committed information
      rate (CIR)
    • Throughput is measured every 5 minutes (typically
      with SNMP; flow statistics can also be used for
      billing)
    • Customer is billed on the 95th percentile of those
      samples: the top 5% of intervals are discarded, so
      short bursts are not charged
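
As an added worked example (not from the slides), the following Python computes a 95th-percentile bill from five-minute SNMP octet-counter polls. The counter readings are constructed rather than polled, the CIR and price are arbitrary, and the percentile is the common "nearest rank" form (sort, drop the top 5% of samples, bill the highest remaining). It deliberately uses 32-bit counters to show the wrap handling a poller needs.

```python
from typing import List, Tuple

POLL_INTERVAL = 300          # seconds between SNMP polls (5 minutes)
COUNTER32_MAX = 2 ** 32      # ifInOctets / ifOutOctets are Counter32 and wrap at 2^32


def rates_from_counters(readings: List[int], interval: int = POLL_INTERVAL) -> List[float]:
    """Turn successive octet-counter readings into one Mbit/s value per interval.

    The modulo recovers the true delta if the 32-bit counter wrapped at most once
    between polls. At 1 Gbit/s a Counter32 wraps roughly every 34 s, far inside a
    5-minute poll, which is why real pollers read the 64-bit ifHCInOctets instead.
    """
    rates = []
    for prev, cur in zip(readings, readings[1:]):
        delta_bytes = (cur - prev) % COUNTER32_MAX
        rates.append(delta_bytes * 8 / interval / 1e6)
    return rates


def percentile_95(rates: List[float]) -> float:
    """Sort the per-interval rates, discard the top 5% of samples, and bill the
    highest sample that remains (nearest-rank percentile)."""
    if not rates:
        raise ValueError("no samples to bill on")
    ordered = sorted(rates)
    keep = -(-95 * len(ordered) // 100)     # integer ceil(0.95 * n): samples that count
    return ordered[keep - 1]


def monthly_bill(rates: List[float], cir_mbps: float, price_per_mbps: float) -> Tuple[float, float, float]:
    """Return (p95, billable rate, cost). The CIR is a floor: the customer pays
    for it even when the measured 95th percentile is below it."""
    p95 = percentile_95(rates)
    billable = max(p95, cir_mbps)
    return p95, billable, billable * price_per_mbps


# ---- constructed data: 20 five-minute intervals in Mbit/s, with one 95 Mbit/s burst ----
SAMPLE_RATES_MBPS = [8, 12, 9, 11, 10, 15, 9, 10, 13, 10,
                     95, 10, 12, 9, 11, 10, 10, 14, 9, 40]


def counters_from_rates(rates_mbps: List[int], start: int = COUNTER32_MAX - 500_000_000) -> List[int]:
    """Build the raw Counter32 readings a poller would have fetched for those rates.
    Starting 500 MB below the wrap point makes the counter wrap within the first two
    intervals, so rates_from_counters() has to cope with it."""
    readings = [start]
    for r in rates_mbps:
        delta_bytes = r * POLL_INTERVAL * 1_000_000 // 8
        readings.append((readings[-1] + delta_bytes) % COUNTER32_MAX)
    return readings


SAMPLE_COUNTERS = counters_from_rates(SAMPLE_RATES_MBPS)

if __name__ == "__main__":
    p95, billable, cost = monthly_bill(rates_from_counters(SAMPLE_COUNTERS),
                                       cir_mbps=20.0, price_per_mbps=3.5)
    print(f"p95 = {p95:.1f} Mbit/s, billable = {billable:.1f} Mbit/s, cost = {cost:.2f}")
```

With these samples the single 95 Mbit/s interval is the one discarded sample, so the customer is billed at 40 Mbit/s; had the burst lasted two intervals it would have set the bill. That is the incentive structure behind 95th-percentile billing: bursts of less than 5% of the month are free.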

5
Passive Traffic Data Measurement
  • SNMP: byte/packet counts, available everywhere
  • Packet monitoring: at selected locations
  • Flow monitoring: typically at the edges (if possible)
    • Direct computation of the traffic matrix
    • Input to denial-of-service attack detection
  • Deep packet inspection: also at the edge, where
    possible

6
Simple Network Management Protocol
  • Management Information Base (MIB)
    • Information store
    • Unique variables named by OIDs
    • Accessed with SNMP
    • Specific MIBs for byte/packet counts (per link)

[Figure: an SNMP manager queries an SNMP agent, which reads the managed objects from its MIB database]
7
SNMP (Passive)
  • Advantage: ubiquitous
    • Supported on all networking equipment
    • Multiple products for polling and analyzing the data
  • Disadvantages (see Lecture 6):
    • Coarse granularity
    • Cannot express complex queries on the data
    • Unreliable delivery of the data (SNMP runs over UDP)
  • Utility:
    • Link utilization (billing)
    • Traffic matrix inference

8
Packet-level Monitoring
  • Passive monitoring to collect full packet
    contents (or at least headers)
  • Advantages: lots of detailed information
    • Precise timing information
    • Information in packet headers
  • Disadvantages: overhead
    • Hard to keep up with high-speed links
    • Often requires a separate monitoring device

9
Full Packet Capture (Passive)
Example: Georgia Tech OC3Mon
  • Rack-mounted PC
  • Optical splitter
  • Data Acquisition and Generation (DAG) card

Source: endace.com
10
What is a flow?
  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Layer 3 protocol type
  • TOS byte (DSCP)
  • Input logical interface (ifIndex)

11
Cisco Netflow
  • Basic output: flow record
  • Most common version is v5
  • Current version (9) is being standardized in the
    IETF (template-based)
    • More flexible record format
    • Much easier to add new flow record types

[Figure: a router exports flow records to a collector (PC) for collection and aggregation; each export datagram is approximately 1500 bytes and carries 20-50 flow records, sent more frequently as traffic increases]
Collection and Aggregation
12
Flow Record Contents
Basic information about the flow:
  • Source and destination IP address and port
  • Packet and byte counts
  • Start and end times
  • ToS, TCP flags

plus information related to routing:
  • Next-hop IP address
  • Source and destination AS
  • Source and destination prefix

13
Aggregating Packets into Flows
[Figure: a packet timeline grouped into flow 1, flow 2, flow 3 and flow 4]
  • Criterion 1: set of packets that belong together
    • Same source/destination IP addresses and port numbers
    • Same protocol, ToS bits
    • Same input/output interfaces at a router (if
      known)
  • Criterion 2: packets that are close together in
    time
    • Maximum inter-packet spacing (e.g., 15 sec, 30
      sec)
    • Example: flows 2 and 4 are different flows due to
      time

14
Reducing Measurement Overhead
  • Filtering on interface:
    • destination prefix for a customer
    • port number for an application (e.g., 80 for Web)
  • Sampling before insertion into the flow cache:
    • Random, deterministic, or hash-based sampling
    • 1-out-of-n, or stratified based on packet/flow
      size
    • Two types: packet-level and flow-level
  • Aggregation after cache eviction:
    • packets/flows with the same next-hop AS
    • packets/flows destined to a particular service

15
Packet Sampling
  • Packet sampling before flow creation (Sampled
    NetFlow)
    • 1-out-of-m sampling of individual packets (e.g.,
      m = 100)
    • Create flow records over the sampled packets
  • Reducing overhead
    • Avoids per-packet overhead on (m-1)/m of the packets
    • Avoids creating records for a large number of
      small flows
  • Increasing overhead (in some cases)
    • May split some long transfers into multiple flow
      records, due to larger time gaps between successive
      sampled packets

[Figure: packet timeline in which the unsampled packets leave a gap longer than the flow timeout, so one transfer is exported as two flows]
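
As an added example (not from the slides), the Python below implements both criteria from the "Aggregating Packets into Flows" slide in a small flow cache, then applies 1-out-of-m packet sampling ahead of it to reproduce the split-transfer effect this slide describes. The packet trace is constructed; the addresses, the 15-second inactive timeout and the sampling rate are assumptions. The cache also carries an active timeout, which the slides do not mention but every real exporter has.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:                    # the header fields a flow cache keys on
    ts: float                    # seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int                  # bytes on the wire
    tos: int = 0
    in_if: int = 1               # input ifIndex


FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class Flow:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def key_of(p: Packet) -> FlowKey:
    """Criterion 1: packets belong together if they share the 7-tuple."""
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if)


class FlowCache:
    """Criterion 2: a flow is evicted once `inactive_timeout` seconds pass with no
    packet, or after `active_timeout` seconds so a long transfer still gets exported."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0) -> None:
        self.inactive, self.active = inactive_timeout, active_timeout
        self.table: Dict[FlowKey, Flow] = {}
        self.exported: List[Flow] = []

    def _expire(self, now: float) -> None:
        # A linear scan is fine for a demo; a router uses timer wheels or periodic sweeps.
        for key, flow in list(self.table.items()):
            if now - flow.last > self.inactive or now - flow.first > self.active:
                self.exported.append(self.table.pop(key))

    def add(self, p: Packet) -> None:
        self._expire(p.ts)
        key = key_of(p)
        flow = self.table.get(key)
        if flow is None:
            flow = self.table[key] = Flow(key, p.ts, p.ts)
        flow.last = p.ts
        flow.packets += 1
        flow.octets += p.length

    def flush(self) -> List[Flow]:
        self.exported.extend(self.table.values())
        self.table.clear()
        return self.exported


def flows_for(packets: List[Packet], inactive_timeout: float = 15.0) -> List[Flow]:
    cache = FlowCache(inactive_timeout)
    for p in sorted(packets, key=lambda pk: pk.ts):
        cache.add(p)
    return cache.flush()


def sample_packets(packets: List[Packet], m: int) -> List[Packet]:
    """Deterministic 1-out-of-m packet sampling applied before flow creation (Sampled
    NetFlow). Random or hash-based selection are the alternatives the slides list."""
    return [p for i, p in enumerate(packets) if i % m == 0]


def flow_count_by_key(flows: List[Flow]) -> Dict[FlowKey, int]:
    counts: Dict[FlowKey, int] = {}
    for f in flows:
        counts[f.key] = counts.get(f.key, 0) + 1
    return counts


def estimate_octets(flows: List[Flow], m: int) -> Dict[FlowKey, int]:
    """Scale the sampled byte counts back up by the sampling rate m."""
    est: Dict[FlowKey, int] = {}
    for f in flows:
        est[f.key] = est.get(f.key, 0) + f.octets * m
    return est


# ---- constructed trace: one long transfer (a packet every 10 s) plus two short bursts
#      with the same 5-tuple 200 s apart (the "flows 2 and 4" case from the slide) ----
def constructed_trace() -> List[Packet]:
    long_xfer = [Packet(10.0 * i, "10.0.0.1", "10.0.0.2", 40000, 80, 6, 1000) for i in range(10)]
    burst1 = [Packet(0.5 + 0.1 * i, "10.0.0.3", "10.0.0.2", 40001, 80, 6, 200) for i in range(3)]
    burst2 = [Packet(200.0 + 0.1 * i, "10.0.0.3", "10.0.0.2", 40001, 80, 6, 200) for i in range(2)]
    return sorted(long_xfer + burst1 + burst2, key=lambda pk: pk.ts)


LONG_KEY: FlowKey = ("10.0.0.1", "10.0.0.2", 40000, 80, 6, 0, 1)

if __name__ == "__main__":
    trace = constructed_trace()
    print("unsampled:", len(flows_for(trace)), "flow records")                   # 3
    sampled = flows_for(sample_packets(trace, 2))
    print("1-in-2 sampled:", len(sampled), "flow records,",
          flow_count_by_key(sampled)[LONG_KEY], "for the long transfer")         # 7, 5
```

Unsampled, the trace yields three flows (the long transfer plus the two bursts, which the 15-second timeout keeps apart). With 1-in-2 sampling, the long transfer's surviving packets are 20 seconds apart, so the same 15-second timeout chops it into five records and the scaled byte estimate (12,000) overshoots the true 10,000: the exporter did less per-packet work but produced more records and less accurate counts. Raising the inactive timeout to 30 seconds merges them again, which is why sampled exporters are tuned with a longer timeout.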
16
Flow-Level Sampling
  • Sampling of flow records evicted from the flow cache
    • When evicting flows from the table, or when analyzing
      flows
  • Stratified sampling to put weight on heavy flows
    • Select all long flows and sample the short flows
    • Reduces the number of flow records
    • Still measures the vast majority of the traffic

[Figure: six flow records (Flow 1: 40 bytes, Flow 2: 15,580 bytes, Flow 3: 8,196 bytes, Flow 4: 5,350,789 bytes, Flow 5: 532 bytes, Flow 6: 7,432 bytes); long flows are sampled with 100% probability, short flows with 10% (0.1) probability]
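
As an added example (not from the slides), the Python below implements the stratified flow sampling described here and shows the part the slide leaves implicit: each kept record must carry a weight of 1/p so that totals estimated from the sample stay unbiased. The six flow sizes are the ones on the slide; their addresses, ports, the 10,000-byte threshold and the hash-based coin are assumptions.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List, Tuple

FlowKey = Tuple[str, str, int, int, int]    # src, dst, sport, dport, proto


@dataclass(frozen=True)
class ExportedFlow:
    key: FlowKey
    octets: int
    packets: int


@dataclass(frozen=True)
class SampledFlow:
    flow: ExportedFlow
    weight: float      # 1 / inclusion probability; multiply by this when estimating totals


def hash_coin(key: FlowKey) -> float:
    """Hash-based coin in [0, 1): the same flow key gives the same value on every router,
    so all observation points make the same keep/drop decision for a given flow."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return struct.unpack("<Q", digest[:8])[0] / 2 ** 64


def stratified_sample(flows: Iterable[ExportedFlow], threshold_octets: int, p_small: float,
                      coin: Callable[[FlowKey], float] = hash_coin) -> List[SampledFlow]:
    """Keep every flow at or above the threshold; keep smaller flows with probability
    p_small and give them weight 1/p_small so the estimates stay unbiased."""
    if not 0.0 < p_small <= 1.0:
        raise ValueError("p_small must be in (0, 1]")
    kept: List[SampledFlow] = []
    for f in flows:
        if f.octets >= threshold_octets:
            kept.append(SampledFlow(f, 1.0))
        elif coin(f.key) < p_small:
            kept.append(SampledFlow(f, 1.0 / p_small))
    return kept


def estimate_total_octets(sample: Iterable[SampledFlow]) -> float:
    return sum(s.flow.octets * s.weight for s in sample)


def estimate_flow_count(sample: Iterable[SampledFlow]) -> float:
    return sum(s.weight for s in sample)


def estimate_octets_by(sample: Iterable[SampledFlow],
                       group: Callable[[ExportedFlow], Hashable]) -> Dict[Hashable, float]:
    """Weighted per-group byte estimate, e.g. per destination port or per next-hop AS."""
    out: Dict[Hashable, float] = {}
    for s in sample:
        g = group(s.flow)
        out[g] = out.get(g, 0.0) + s.flow.octets * s.weight
    return out


def heavy_fraction(flows: List[ExportedFlow], threshold_octets: int) -> float:
    """Share of all bytes carried by the flows that are always kept."""
    total = sum(f.octets for f in flows)
    return sum(f.octets for f in flows if f.octets >= threshold_octets) / total


# ---- constructed records using the six flow sizes from the slide ----
SAMPLE_FLOWS = [
    ExportedFlow(("192.0.2.1", "198.51.100.1", 40001, 53, 17), 40, 1),           # flow 1
    ExportedFlow(("192.0.2.2", "198.51.100.1", 40002, 443, 6), 15580, 22),       # flow 2
    ExportedFlow(("192.0.2.3", "198.51.100.1", 40003, 80, 6), 8196, 9),          # flow 3
    ExportedFlow(("192.0.2.4", "198.51.100.2", 40004, 443, 6), 5350789, 3800),   # flow 4
    ExportedFlow(("192.0.2.5", "198.51.100.1", 40005, 123, 17), 532, 2),         # flow 5
    ExportedFlow(("192.0.2.6", "198.51.100.1", 40006, 80, 6), 7432, 8),          # flow 6
]

if __name__ == "__main__":
    sample = stratified_sample(SAMPLE_FLOWS, threshold_octets=10_000, p_small=0.1)
    print(f"kept {len(sample)} of {len(SAMPLE_FLOWS)} flows; the always-kept flows hold "
          f"{heavy_fraction(SAMPLE_FLOWS, 10_000):.1%} of all bytes")
    print("estimated total bytes:", estimate_total_octets(sample),
          "true:", sum(f.octets for f in SAMPLE_FLOWS))
```

Two flows out of six are above the threshold yet carry over 99% of the bytes, which is the "vast majority of the traffic" claim in numbers. The weak spot is counts rather than bytes: with four small flows sampled at 10%, the estimated number of flows swings between 2 and 42 depending on the coin, so anything that counts flows (a scan or DDoS detector, for instance) must not read a stratified sample as a census.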
17
Two Main Approaches
  • Packet-level monitoring
    • Keep packet-level statistics
    • Examine (and potentially log) a variety of
      packet-level statistics: essentially anything
      in the packet
    • Timing
  • Flow-level monitoring
    • Monitor packet-by-packet (though sometimes
      sampled)
    • Keep aggregate statistics per flow

18
Packet Capture on High-Speed Links
Example: Georgia Tech OC3Mon
  • Rack-mounted PC
  • Optical splitter
  • Data Acquisition and Generation (DAG) card

Source: endace.com
19
Characteristics of Packet Capture
  • Allows inspection of every packet on 10G links
  • Disadvantages
    • Costly
    • Requires splitting optical fibers
    • Must be able to filter/store the data

20
Routing Monitoring and Security
21
S-BGP
  • Address-based PKI to validate signatures
    • Authentication of:
      • ownership of IP address blocks,
      • AS numbers,
      • an AS's identity, and
      • a BGP router's identity
    • Uses existing infrastructure (Internet registries,
      etc.)
  • Route origination is digitally signed
  • BGP updates are digitally signed
  • Route attestations: a new, optional, transitive BGP
    path attribute
    • carries digital signatures covering the routing
      information in updates

22
Attestations: Update Format
[Figure: layout of an S-BGP update]
  BGP Hdr | Withdrawn NLRI | Path Attributes | Dest. NLRI
  Route attestations (one per AS in the path):
    Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
    Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
    Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
  Address attestation:
    Owning Org, NLRI, first-hop AS, SIG
  • Address attestation is usually omitted

Question: Why are there multiple route attestations?
23
Attestation Format More Details
  • Issuer: an AS
  • Certificate ID: for joining with certificate
    information received from a third party
  • AS Path
  • Validity: how long is this routing update good?
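
As an added example (not from the slides, and not S-BGP's own code), the Python below models the attestation chain the last three slides describe and answers the question on slide 22: every AS on the path contributes one route attestation, and each one signs the path as it stood at that AS plus the neighbour the update was being sent to. The signatures are HMACs with secrets the verifier is assumed to already hold, standing in for the PKI-backed public-key signatures real S-BGP uses; AS numbers, the prefix, the keys and the attack scenarios are constructed. The Cert ID and Validity fields from the format slide are omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# STAND-IN for S-BGP's public-key signatures. Real S-BGP signs with keys certified by an
# address/AS PKI; here each AS and the prefix holder has an HMAC secret the verifier is
# assumed to know, so the chain logic runs without a PKI. Not how S-BGP signs.
AS_KEYS: Dict[int, bytes] = {a: f"as-key-{a}".encode() for a in (64496, 64497, 64498, 64499)}
OWNER_KEYS: Dict[str, bytes] = {"192.0.2.0/24": b"holder-of-192.0.2.0/24"}


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


@dataclass(frozen=True)
class AddressAttestation:       # slide: Owning Org, NLRI, first-hop AS, SIG
    nlri: str
    origin_as: int
    sig: bytes


@dataclass(frozen=True)
class RouteAttestation:         # slide: Issuer, Subject/Path, NLRI, SIG
    issuer: int
    path: Tuple[int, ...]       # AS path when signed: origin first, issuer last
    next_as: int                # the neighbour this update was addressed to
    nlri: str
    sig: bytes


@dataclass(frozen=True)
class Update:
    nlri: str
    as_path: Tuple[int, ...]    # origin first (BGP's wire order is the reverse)
    address_att: AddressAttestation
    route_atts: Tuple[RouteAttestation, ...]


def _aa_bytes(nlri: str, origin_as: int) -> bytes:
    return f"AA|{nlri}|{origin_as}".encode()


def _ra_bytes(path: Tuple[int, ...], next_as: int, nlri: str) -> bytes:
    return f"RA|{','.join(map(str, path))}|{next_as}|{nlri}".encode()


def address_attestation(nlri: str, origin_as: int, holder_key: bytes) -> AddressAttestation:
    return AddressAttestation(nlri, origin_as, _sign(holder_key, _aa_bytes(nlri, origin_as)))


def _attest(my_as: int, path: Tuple[int, ...], to_as: int, nlri: str) -> RouteAttestation:
    return RouteAttestation(my_as, path, to_as, nlri, _sign(AS_KEYS[my_as], _ra_bytes(path, to_as, nlri)))


def originate(origin_as: int, nlri: str, aa: AddressAttestation, to_as: int) -> Update:
    path = (origin_as,)
    return Update(nlri, path, aa, (_attest(origin_as, path, to_as, nlri),))


def propagate(upd: Update, my_as: int, to_as: int) -> Update:
    """Each AS appends itself and adds one more attestation covering the whole path so
    far plus the neighbour it sends to: hence one route attestation per AS."""
    path = upd.as_path + (my_as,)
    return Update(upd.nlri, path, upd.address_att, upd.route_atts + (_attest(my_as, path, to_as, upd.nlri),))


def verify(upd: Update, my_as: int) -> Tuple[bool, str]:
    """Check the address attestation, then every route attestation in path order."""
    path, aa = upd.as_path, upd.address_att
    holder_key = OWNER_KEYS.get(aa.nlri)
    if holder_key is None or aa.nlri != upd.nlri or aa.origin_as != path[0]:
        return False, "address attestation does not authorise this origin"
    if not hmac.compare_digest(aa.sig, _sign(holder_key, _aa_bytes(aa.nlri, aa.origin_as))):
        return False, "address attestation signature invalid"
    if len(upd.route_atts) != len(path):
        return False, "expected one route attestation per AS in the path"
    for i, ra in enumerate(upd.route_atts):
        expected_next = path[i + 1] if i + 1 < len(path) else my_as
        if (ra.issuer, ra.path, ra.next_as, ra.nlri) != (path[i], path[:i + 1], expected_next, upd.nlri):
            return False, f"attestation {i} (AS{ra.issuer}) does not match the path as received"
        key = AS_KEYS.get(ra.issuer)
        if key is None or not hmac.compare_digest(ra.sig, _sign(key, _ra_bytes(ra.path, ra.next_as, ra.nlri))):
            return False, f"signature from AS{ra.issuer} invalid"
    return True, "ok"


# ---- constructed scenarios: AS64496 -> AS64497 -> AS64498 -> AS64499 ----------------------
PREFIX = "192.0.2.0/24"


def honest_chain() -> Update:
    aa = address_attestation(PREFIX, 64496, OWNER_KEYS[PREFIX])
    upd = propagate(originate(64496, PREFIX, aa, 64497), 64497, 64498)
    return propagate(upd, 64498, 64499)


def shortened_by_64498() -> Update:
    """Path shortening: AS64498 drops AS64497 and re-signs. AS64496's attestation still
    names AS64497 as the next hop, so AS64499 rejects the update."""
    aa = address_attestation(PREFIX, 64496, OWNER_KEYS[PREFIX])
    received = propagate(originate(64496, PREFIX, aa, 64497), 64497, 64498)
    stripped = Update(received.nlri, (64496,), received.address_att, received.route_atts[:1])
    return propagate(stripped, 64498, 64499)


def hijack_by_64498() -> Update:
    """Origination of a prefix AS64498 does not hold: it can only sign the address
    attestation with its own key, which is not the prefix holder's."""
    forged = address_attestation(PREFIX, 64498, AS_KEYS[64498])
    return originate(64498, PREFIX, forged, 64499)
```

The next_as binding is what makes the chain more than a list of signatures: an AS cannot splice itself in, remove a predecessor, or forward an update that was addressed to someone else, because the previous hop's attestation names exactly one recipient. What the chain does not do is the list on the last slide: nothing here detects a withdrawal that was never sent or a stale update replayed before its validity expires, which is why the Validity field exists and why those remain open problems.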

24
Reducing Message Overhead
  • Problem: how to distribute certificates,
    revocation lists, and address attestations?
  • Note: this data is quite redundant across updates
  • Solution: use servers for these data items
    • replicate for redundancy and scalability
    • locate at NAPs for direct (non-routed) access
    • download options:
      • whole certificate/AA/CRL databases
      • queries for specific certificates/AAs/CRLs

25
S-BGP Optimizations
  • Handling peak loads (e.g., BGP session reset)
    • Extra CPUs
    • Deferred verification
    • Background verification of alternate routes
  • Observation: most updates are caused by flapping
    • Cache previously validated routes

26
Practical Problems with S-BGP
  • Requires a Public-Key Infrastructure
  • Lots of digital signatures to calculate and
    verify
    • Message overhead
    • CPU overhead
    • Calculation expense is greatest when the topology is
      changing
    • Caching can help
  • Route aggregation is problematic (maybe that's
    OK)
  • Secure route withdrawals when a link or node fails?
  • Address ownership data out of date
  • Deployment

27
What Attacks Does S-BGP Not Prevent?
  • Message suppression: failure to advertise a route
    withdrawal
  • Replay attacks: premature re-advertisement of
    withdrawn routes
  • Data plane security: erroneous traffic
    forwarding, bogus traffic generation, etc. (not
    really a BGP issue)