Design and Evaluation of HTTP Protocol Parsers for IPFIX - PowerPoint PPT Presentation

Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement Petr Velan, Tomáš Jirsík, Pavel Čeleda {velan|jirsik|celeda}@ics.muni.cz 19th EUNICE Workshop on Advances in Communication Networking 28-30 August 2013, Chemnitz, Germany

Part I Introduction Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 2 / 19

Motivation and R&D Goals – I Is NetFlow still sufficient? FTP 20/21 SSH 22 SMTP 25 HTTP 80 POP3 110 IMAP 143 HTTPS 443 Well-known Ports Applications Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 3 / 19

Motivation and R&D Goals – I Is NetFlow still sufficient? FTP 20/21 SSH 22 SMTP 25 HTTP 80 POP3 110 IMAP 143 HTTPS 443 Well-known Ports Applications Today Applications Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 3 / 19

Motivation and R&D Goals – I Is NetFlow still sufficient? FTP 20/21 SSH 22 SMTP 25 HTTP 80 POP3 110 IMAP 143 HTTPS 443 Well-known Ports Applications Today Applications HTTP - “new Transmission Control Protocol” - new TCP Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 3 / 19

Motivation and R&D Goals – II How to add application visibility to flow? Application labeling (protocol recognition) Application data (deep packet inspection) Use the best DPI parsers to extend the flow Speed and accuracy is the most important factor We set out to find the best parser for HTTP protocol Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 4 / 19

Part II HTTP Parser Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 5 / 19

General HTTP Parser Design GET /wiki/Hypertext_Transfer_Protocol HTTP/1.1\r\n Host: en.wikipedia.org\r\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: cs,en-us;q=0.7,en;q=0.3\r\n Accept-Encoding: gzip, deflate\r\n Referer: http://cs.wikipedia.org/wiki/Hypertext_Transfer_Protocol\r\n Connection: keep-alive\r\n If-Modified-Since: Sat, 22 Jun 2013 17:32:12 GMT\r\n Cach-Control: max-age=0\r\n \r\n Find one of HTTP , POST , GET , CONNECT , PUT , DELETE , HEAD , TRACE method Parse status code or URI Try to find matching header fields for User-Agent , Content-Type , Host , Referer End when double end of line ( ’\r\n’ ) is encountered Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 6 / 19

Evaluated Parser Types No application parser - L2 through L4 flow exporters No HTTP - no special parser, reference measurement String compare - nProbe, FlowMon strcmp - hand-written parser standard version optimized strcmp - highly optimized hand-written parser Regular expression - YAF pcre - parser using Perl Compatible Regular Expressions Finite automaton - our approach flex - parser using flex generated finite automaton optimized flex - optimization of flex parser Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 7 / 19

Flex Parser Schema Protocol labeling Protocol parsing User-Agent p o n s e + s R e s t a t u P s T c o H T d e Content-Type Referer Host HTTP Start Initial HTTP Headers Request Method + URL P T T H HTTP Invalid character EOF or \r\n\r\n or \r or \n r e t c a r a n h c \ d r a l i o v Not I n r \ r o End HTTP Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 8 / 19

Part III Experiment Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 9 / 19

Measurement Setup Hard Drive HTTP Dataset Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 10 / 19

Measurement Setup FlowMon Exporter HTTP Hard Drive Memory Parser HTTP Dataset Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 10 / 19

Measurement Setup FlowMon Exporter HTTP Packet Rate Hard Drive Memory Parser Measurement HTTP Dataset Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 10 / 19

Measurement Setup II Dataset HTTP request and response packets Data packets with binary payload Created data sets containing 0 - 100 % of HTTP packets Modified data packets with End of Line only at start and end Measurement 1) Throughput measurement 2) Parsed HTTP header fields impact 3) Packet content effect Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 11 / 19

Part IV Results Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 12 / 19

Throughput – 1500 B Snaplen 11 no HTTP 6 optimized strcmp strcmp Packets/s (x 10 6 ) 5 optimized flex flex 4 pcre 3 2 1 0 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% : Throughput for data with x % of HTTP header packets Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 13 / 19

Throughput – 384 B Snaplen 12 no HTTP optimized strcmp 6 strcmp Packets/s (x 10 6 ) optimized flex 5 flex pcre 4 3 2 1 0 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% : Throughput for data with x % of HTTP header packets Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 14 / 19

Parsed HTTP Header Fields Impact 3.5 3 2.5 Packets/s (x 10 6 ) optimized strcmp strcmp 2 optimized flex flex 1.5 pcre 1 0.5 0 0 1 2 3 4 5 6 7 : An HTTP parser throughput for 1500 B packets; supported fields - (0) none - HTTP protocol labeling, (1) +host , (2) +method , (3) +status code , (4) +request URI , (5) +content type , (6) +referer , (7) +user agent Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 15 / 19

Packet Content Effect - Strcmp Parser 3 beginning end unchanged 2 Packets/s (x 10 6 ) 1 0 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% : Packet content effect - packet length 1500 B. Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 16 / 19

Part V Conclusion Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 17 / 19

Conclusion Summary Application data is required to ensure high level of security Fast parsing algorithms, throughput deterioration Hand-written parsers vs. generated parsers Future Work Extensibility - new protocols, more thorough inspection Increasing throughput - examine only necessary data Data processing - storage and evaluation Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 18 / 19

Thank You For Your Attention! Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement Petr Velan IPFIX velan@ics.muni.cz IPFIX IPFIX Tomáš Jirsík IPFIX IPFIX IPFIX jirsik@ics.muni.cz HTTP HTTP HTTP Pavel Čeleda celeda@ics.muni.cz Plugins for HTTP Monitoring http://www.muni.cz/ics/920232/web/http-plugins Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 19 / 19