building a better netflow
play

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian - PowerPoint PPT Presentation

Oct 15, 2023 •240 likes •510 views

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 Aug 4, 2004 IPFIX WG UCSD CSE Disclaimers "NetFlow" used

  1. Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 – Aug 4, 2004 – IPFIX WG UCSD CSE

  2. Disclaimers • "NetFlow" used generically, no particular vendor or implementation implied • Proposed changes are metering related, but can affect ipfix protocol design • Not meant to be the definitive solution, but to help encourage discussion and improvements COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  3. Sampling pros and cons • Reduces processor load • Results less accurate • Cannot estimate non-TCP • Reduces memory usage flow counts • Reduces bandwidth for reporting • Finding the sampling rate that balances the pros and cons is hard • The best choice depends on traffic mix � COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  4. Fixing NetFlow NetFlow problem How we solve it Memory and bandwidth usage strongly depend on traffic mix Adapting sampling rate (part 2) Network operator must set sampling rate Mismatch of flow termination Measurement bins (part 1) heuristics and analysis Cannot estimate number of non-TCP Sampling flows (part 3) flows COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  5. Operating with time bins • Both operators and researchers usually prefer working with fixed time bins • Use fixed size time bins (say 1 minute) • Terminate all flow records at the end of the bin (but don’t report immediately) • Could use different sampling rates for each bin, including decreasing sampling within a bin as needed • Simplifies analysis and reduces error • Time bins allow reconstruction of flow timeouts COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  6. Analysis uses time bins anyway IPMON FlowScan Application Breakdow n Category Packets (% ) Bytes (% ) Flows (% ) Web 54.35 61.48 47.33 File Sharing 3.35 2.43 3.74 FTP 0.52 0.54 0.07 Email 4.67 4.06 3.24 Streaming 7.26 13.07 1.60 DNS 6.13 1.16 27.26 Games 0.06 0.01 0.03 Other TCP 21.03 15.86 6.05 Other UDP 0.78 0.48 0.84 Not TCP/ UDP 1.86 0.90 9.84 Site: San Jose (sj-20) Date: February 5th, 2004 COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  7. Relationship to IPFIX • draft-ipfix-protocol-3, section 4: – 4.1: seems to require timeout based flows, allows for expiry based on resource constraints, but it is unclear on permissibility of using time bins – 4.2: allows for export of long-lasting flows on schedule determined by exporting process, but is unclear about what that entails • draft-ipfix-protocol-3, section 8: – would it require putting the same start/end time (or bin #) in all of the Flow Records, or is there a way to specify the bin efficiently for an entire group of records COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  8. Fixing NetFlow NetFlow problem How we solve it Memory and bandwidth usage strongly depend on traffic mix Adapting sampling rate (part 2) Network operator must set sampling rate Mismatch of flow termination Measurement bins (part 1) heuristics and analysis Cannot estimate number of non-TCP Sampling flows (part 3) flows COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  9. Adaptive NetFlow • Choose the sampling rate based on traffic – Use a high sampling rate when traffic allows – Keeping counters meaningful as sampling rate varies – Ensuring we never overload CPU – Ensuring we never run out of memory COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  10. Adapting sampling rate • If multiple sampling rates in effect while flow active, byte and packet counters meaningless • Decreasing sampling rate – pretend to throw away sampled packets • Increasing rate – not possible, since information discarded. • Start each time bin with aggressive sampling COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  11. Limiting CPU usage • Renormalization in parallel with operation • Efficient renormalization – for most records only simple integer arithmetic, no random number generation – Updating 1 entry 3.4 µ s – Renormalizing 1 entry 1.5 µ s • Vendor configures initial sampling rate high enough for CPU to keep up with minimum sized packets COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  12. Memory Usage: What happens under DoS? COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  13. Rate adaptation and memory usage • Trigger renormalization whenever the number of entries reaches a fixed threshold • Must choose new sampling rate so that enough records discarded by renormalization – Use partial histogram of packet counters • Actual memory at router must exceed the desired number of records per bin M to allow renormalization and buffering of old records COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  14. Main tuning knob: # of records M • Controlled resource usage • User configures number of desired records to be exported • More meaningful than sampling rate – Relative error in estimating an aggregate that is a certain fraction of the traffic depends on M • Can produce reports of various sizes and send them with different reliability levels – Dropping random records is worse than generating fewer records by using lower sampling rate COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  15. Relationship to IPFIX • SCTP-PR: use different priority levels for different report sizes • Reliable transport in general: may be able to share memory for flows from previous time bin with memory needed for retransmission • draft-ipfix-protocol-3, section 8: – The sampling rate can vary frequently, should it be in the Flow Record or an Option Record? – If exporting multiple reports at different effective sampling rates, the same flow may be exported more than once, how should this be handled? COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  16. Fixing NetFlow NetFlow problem How we solve it Memory and bandwidth usage strongly depend on traffic mix Adapting sampling rate (part 2) Network operator must set sampling rate Mismatch of flow termination Measurement bins (part 1) heuristics and analysis Cannot estimate number of non-TCP Sampling flows (part 3) flows COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  17. Counting flows • Goal: Unbiased, accurate flow counts for arbitrary post aggregation of the flows. COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  18. Flow Counting Extension • Use “adaptive sampling” by Wegman and Flajolet • Keep a table of all flow identifiers with hash(flowID)<1/2 depth • At analysis scale flow counts by 2 depth • Implement with CAM • To fit memory, increase depth dynamically COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  19. Relationship to IPFIX • SCTP-PR: use different priority levels for different report sizes • draft-ipfix-protocol-3, section 8: – The sampling rate can vary frequently, should it be in the Flow Record or an Option Record? – If exporting multiple reports at different effective sampling rates, the same flow may be exported more than once, how should this be handled? • Would this require a separate template to export? – Basically the only thing to be exported here are the Flow Keys themselves. COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  20. Measurements • Limited time, so for more details and results: • http://www.caida.org/outreach/papers/ 2004/tr-2004-03/ COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  21. ANF results COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

  22. FCE results COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD-CSE University California, San Diego – Department of Computer Science

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&amp;A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri &lt;deri@ntop.org&gt;

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri &lt;deri@ntop.org&gt;

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri &lt;deri@ntop.org&gt; NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Security Hands-on @ Pavilion Stream + NetFlow for Security &amp; Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security &amp; Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security &amp; Insider Threat Detection Kelly Feagans | Sales Engineering September 2017 | Washington, DC Objective OBJECTIVE Learn how to use NetFlow with the Splunk Stream Forwarder for

444 views • 20 slides
Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems NOMS 2016 Wednesday 27 th April, 2016 Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring and Analysis

606 views • 23 slides
Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific Northwest National Laboratory FloCon 2016 Outline Introduction NetFlow Windows Event Log data Remote Desktop Protocol (RDP) sessions Approach

510 views • 32 slides
Tranalyzer Netflow extension It's the network go fix it! 2 Features

Tranalyzer Netflow extension It's the network go fix it! 2 Features

Tranalyzer Netflow extension It's the network go fix it! 2 Features Command-line based GUI: Traviz Extendable by plugins Fast and simple Practitioners: Anomaly and security related flags Researchers: Full

395 views • 11 slides
Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0

NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0

Advanced Registry Operations Curriculum NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) as part of the ICANN, ISOC and NSRC

1.04k views • 63 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011 Background As the number or compromises escalates and our

182 views • 15 slides
It All Adds Up TODAY'S TAKEAWAYS KEY CONCEPTS ABOUT THE PRESENTERS OUR STORY Over 25 Years

It All Adds Up TODAY'S TAKEAWAYS KEY CONCEPTS ABOUT THE PRESENTERS OUR STORY Over 25 Years

Troubleshooting Melissa Moore, Certified Prevention 2020 ALCOHOL POLICY CONFERENCE Strengthen Relationships Strategies to Identify &amp; Tips to Assess &amp; Engage Finding What Works Our Story Specialist, Marathon County Health 2020

475 views • 12 slides
Applications of Normal Quantile Plots David Rose June 13, 2011 David Rose () Applications of

Applications of Normal Quantile Plots David Rose June 13, 2011 David Rose () Applications of

Applications of Normal Quantile Plots David Rose June 13, 2011 David Rose () Applications of Normal Quantile Plots June 13, 2011 1 / 7 The TI-84 Normal Quantile Plot Given a ranked SRS of size n , x 1 x 2 x n how does

177 views • 7 slides
Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec.

Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec.

Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec. 12, 2015 Joint work with Bo Xiao, Chenhan Yu, Sameer Tharakan, and George Biros Kernel Matrix Approximation x i R d i = 1 , . . . , N points

617 views • 26 slides
ECE/CS 250 Computer Architecture Summer 2019 Basics of Logic Design: Finite State Machines

ECE/CS 250 Computer Architecture Summer 2019 Basics of Logic Design: Finite State Machines

ECE/CS 250 Computer Architecture Summer 2019 Basics of Logic Design: Finite State Machines Tyler Bletsch Duke University Slides are derived from work by Daniel J. Sorin (Duke), Drew Hilton (Duke), Alvy Lebeck (Duke), Amir Roth (Penn)

371 views • 24 slides
What does the data tell us about outcomes of EVAR in challenging anatomy? UCSF Vascular Surgery

What does the data tell us about outcomes of EVAR in challenging anatomy? UCSF Vascular Surgery

What does the data tell us about outcomes of EVAR in challenging anatomy? UCSF Vascular Surgery Symposium 2018 Sukgu M Han, MD, MS Assistant Professor of Clinical Surgery Co-director, Comprehensive Aortic Center Division of Vascular Sugery

693 views • 21 slides
Acknowledgement Jeremy Gow jennifer george 1 Last weeks lecture Measuring digital

Acknowledgement Jeremy Gow jennifer george 1 Last weeks lecture Measuring digital

FY04: Introduction to the use of computers jennifer george Acknowledgement Jeremy Gow jennifer george 1 Last weeks lecture Measuring digital data Bits Bytes Kilobytes Megabytes ... SI and Binary units

325 views • 17 slides
CS 115 Lecture 4 More Python; testing software Neil Moore Department of Computer Science

CS 115 Lecture 4 More Python; testing software Neil Moore Department of Computer Science

CS 115 Lecture 4 More Python; testing software Neil Moore Department of Computer Science University of Kentucky Lexington, Kentucky 40506 neil@cs.uky.edu 8 September 2015 Syntax: Statements A statement is the smallest unit of code that can

2.06k views • 173 slides
Introduction to Parallel Computing Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar To

Introduction to Parallel Computing Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar To

Introduction to Parallel Computing Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar To accompany the text Introduction to Parallel Computing, Addison Wesley, 2003. Topic Overview Motivating Parallelism Scope of Parallel

421 views • 15 slides

More recommend