Network Monitoring and Security Nick Feamster CS 4251

Network Monitoring and Security Nick Feamster CS 4251 Spring 2008

Network Measurement

Passive vs. Active Measurement • Passive Measurement: Collection of packets, flow statistics of traffic that is already flowing on the network – Packet traces – Flow statistics – Application-level logs • Active Measurement: Inject “probing” traffic to measure various characteristics – Traceroute – Ping – Application-level probes (e. g. , Web downloads)

Billing for Internet Usage • 95 th Percentile billing – Customer network pays for “committed information rate” (CIR) – Throughput measured every 5 minutes (typically with SNMP; flow statistics also can be used for billing) – Customer billed based on 95 th percentile

Passive Traffic Data Measurement • SNMP byte/packet counts: everywhere • Packet monitoring: selected locations • Flow monitoring: typically at edges (if possible) – Direct computation of the traffic matrix – Input to denial-of-service attack detection • Deep Packet Inspection: also at edge, where possible

Simple Network Management Protocol • Management Information Base (MIB) – Information store – Unique variables named by OIDs – Accessed with SNMP Manager • Specific MIBs for byte/packet counts (per link) DB Agent Managed Objects

SNMP (Passive) • Advantage: ubiquitous – Supported on all networking equipment – Multiple products for polling and analyzing data • Disadvantages: see Lecture 6 – Coarse granularity – Cannot express complex queries on the data – Unreliable delivery of the data using UDP • Utility – Link utilization (billing) – Traffic matrix inference

Packet-level Monitoring • Passive monitoring to collect full packet contents (or at least headers) • Advantages: lots of detailed information – Precise tming information – Information in packet headers • Disadvantages: overhead – Hard to keep up with high-speed links – Often requires a separate monitoring device

Full Packet Capture (Passive) Example: Georgia Tech OC 3 Mon • Rack-mounted PC • Optical splitter • Data Acquisition and Generation (DAG) card Source: endace. com

What is a flow? • • Source IP address Destination IP address Source port Destination port Layer 3 protocol type TOS byte (DSCP) Input logical interface (if. Index)

Cisco Netflow • Basic output: “Flow record” – Most common version is v 5 • Current version (9) is being standardized in the IETF (template-based) – More flexible record format – Much easier to add new flow record types Core Network Collection and Aggregation Approximately 1500 bytes 20 -50 flow records Sent more frequently if traffic increases Collector (PC)

Flow Record Contents Basic information about the flow… • • Source and Destination, IP address and port Packet and byte counts Start and end times To. S, TCP flags …plus, information related to routing • Next-hop IP address • Source and destination AS • Source and destination prefix

Aggregating Packets into Flows flow 1 flow 2 flow 3 • Criteria 1: Set of packets that “belong together” – Source/destination IP addresses and port numbers – Same protocol, To. S bits, … – Same input/output interfaces at a router (if known) • Criteria 2: Packets that are “close” together in time – Maximum inter-packet spacing (e. g. , 15 sec, 30 sec) – Example: flows 2 and 4 are different flows due to time flow 4

Reducing Measurement Overhead • Filtering: on interface – destination prefix for a customer – port number for an application (e. g. , 80 for Web) • Sampling: before insertion into flow cache – Random, deterministic, or hash-based sampling – 1 -out-of-n or stratified based on packet/flow size – Two types: packet-level and flow-level • Aggregation: after cache eviction – packets/flows with same next-hop AS – packets/flows destined to a particular service

Packet Sampling • Packet sampling before flow creation (Sampled Netflow) – 1 -out-of-m sampling of individual packets (e. g. , m=100) – Create of flow records over the sampled packets • Reducing overhead – Avoid per-packet overhead on (m-1)/m packets – Avoid creating records for a large number of small flows • Increasing overhead (in some cases) – May split some long transfers into multiple flow records – … due to larger time gaps between successive packets time not sampled timeout two flows

Sampling: Flow-Level Sampling • Sampling of flow records evicted from flow cache – When evicting flows from table or when analyzing flows • Stratified sampling to put weight on “heavy” flows – Select all long flows and sample the short flows • Reduces the number of flow records – Still measures the vast majority of the traffic Flow Flow 1, 2, 3, 4, 5, 6, 40 bytes 15580 bytes 8196 bytes 5350789 bytes 532 bytes 7432 bytes sample with 0. 1% probability sample with 100% probability sample with 10% probability

Two Main Approaches • Packet-level Monitoring – Keep packet-level statistics – Examine (and potentially, log) variety of packet-level statistics. Essentially, anything in the packet. – Timing • Flow-level Monitoring – Monitor packet-by-packet (though sometimes sampled) – Keep aggregate statistics on a flow

Packet Capture on High-Speed Links Example: Georgia Tech “OC 3 Mon” • Rack-mounted PC • Optical splitter • Data Acquisition and Generation (DAG) card Source: endace. com

Characteristics of Packet Capture • Allows inpsection on every packet on 10 G links • Disadvantages – Costly – Requires splitting optical fibers – Must be able to filter/store data

Routing: Monitoring and Security

S-BGP • Address-based PKI: validate signatures – Authentication of • ownership for IP address blocks, • AS number, • an AS's identity, and • a BGP router's identity – Use existing infrastructure (Internet registries etc. ) – Routing origination is digitally signed – BGP updates are digitally signed �� • Route attestations: A new, optional, BGP transitive path attribute – carries digital signatures covering the routing information in updates

Attestations: Update Format BGP Hdr: Withdrawn NLRI, Path Attributes, Dest. NLRI Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG Route Attestations Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG Owning Org, NLRI, first Hop AS, SIG Address Attestation • Address attestation is usually omitted Question: Why are there multiple route attestations?

Attestation Format: More Details • Issuer: an AS • Certificate ID: for joining with certificate information received from third party • AS Path • Validity: how long is this routing update good?

Reducing Message Overhead • Problem: How to distribute certificates, revocation lists, address attestations? – Note: This data is quite redundant across updates • Solution: use servers for these data items – replicate for redundancy & scalability – locate at NAPs for direct (non-routed) access – download options: • whole certificate/AA/CRL databases • queries for specific certificates/AAs/CRLs

S-BGP Optimizations • Handling peak loads (e. g. , BGP session reset) – Extra CPUs – Deferred verification – Background verification of alternate routes • Observation: Most updates caused by “flapping” – Cache previously validated routes

Practical Problems with S-BGP • Requires Public-Key Infrastructure • Lots of digital signatures to calculate and verify. – Message overhead – CPU overhead • Calculation expense is greatest when topology is changing – Caching can help • Route aggregation is problematic (maybe that’s OK) • Secure route withdrawals when link or node fails? • Address ownership data out of date • Deployment

What Attacks Does S-BGP Not Prevent? • Message suppression: Failure to advertise route withdrawal • Replay attacks: Premature re-advertisement of withdrawn routes • Data plane security: Erroneous traffic forwarding, bogus traffic generation, etc. (not really a BGP issue)