how is sunet really used
play

How is SUNET really used? Results of traffic classification on - PowerPoint PPT Presentation

Apr 03, 2024 •529 likes •760 views

MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology

  1. MonNet – a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology Göteborg, Sweden

  2. Introduction: Measurement location • 2x 10 Gbit/s (OC-192) • capturing headers only Internet Internet • IP addresses anonymized • tightly synchronized • bidirectional per-flow analysis Stockholm GSIX l a l n a Göteborg o n i o g i e g s GU R e P s R P S I S I Chalmers Other smaller Univ. and Institutes SUNET TrefPunkt 17 2007-11-15

  3. Introduction: Motivation • Problem: – Operators don’t know type of their traffic – How to: • Improve network design and provisioning? • Support QoS support or security monitoring? • Enhance accounting possibilities? • Reveal trends and changes in network applications? SUNET TrefPunkt 17 2007-11-15

  4. Introduction: Motivation (2) • Solution: Network classification – Four approaches in literature: 1. Port numbers + easy to implement - unreliable (P2P, malicious traffic) 2. Packet payloads + accurate - requires updated payload signatures - privacy and legal issues - high processing requirements SUNET TrefPunkt 17 2007-11-15

  5. Introduction: Motivation (3) • Solution: Network classification (contd.) 3. Statistical fingerprinting + no detailed packet information needed - depending on quality of training data - promising, but still immature 4. Connection patterns + no payload required + no training data required - not perfect accuracy SUNET TrefPunkt 17 2007-11-15

  6. Introduction: Overview • Connection classification • Overview of proposed heuristics • Verification of methodology • Results • Traffic volumes • Diurnal patterns • Signaling behavior • Summary of more results SUNET TrefPunkt 17 2007-11-15

  7. Methodology: Traffic Classification • Two articles classify P2P flows according to connection patterns: – Karagiannis et al., 2004 – Perenyi et al., 2006 • Updated classification heuristics: – Refined the heuristics in prior articles – Added new, necessary heuristics SUNET TrefPunkt 17 2007-11-15

  8. Methodology: Proposed Heuristics • Rules based on connection patterns and port numbers – 5 rules for P2P traffic – 10 rules to classify other types of traffic • remove ‘false positives’ from P2P – Rules are applied: • On flows in 10 minute intervals • Independently on all flows and Prioritized when fetched from the database SUNET TrefPunkt 17 2007-11-15

  9. Methodology: Proposed Heuristics (2) – Heuristics for potential P2P traffic (H1-H5) • All traffic to and from potential P2P hosts is marked as P2P traffic • H1: TCP and UDP traffic between IP pair • H2: Well known P2P ports • H3: Re-usage of source port within short time • H4: Non-parallel connections to endpoint (IP/Port) • H5: unclassified, long flows – unclassified by H1-H5 and F1-F10 – more than 1MB in one direction or – duration of more than 10 minutes SUNET TrefPunkt 17 2007-11-15

  10. Methodology: Proposed Heuristics (3) – Heuristics for other traffic (F1-F10) • F1 and F2: Web servers: – parallel connections to Web ports – All traffic to and from Web server is Web-traffic • F3: common services (DNS, BGP) – Equal source and destination port and port<501 • F4: Mail servers: – Hosts receiving traffic on mail ports (smtp, imap, pop) while sending traffic via smtp – All traffic to and from Mail servers is Mail-traffic SUNET TrefPunkt 17 2007-11-15

  11. Methodology: Proposed Heuristics (3) – Heuristics for other traffic (F1-F10) • F5 and F6: Messenger and Gaming – Hosts, connected to by a number of different IPs on well- known messenger, chat or gaming ports within a period of 10 days – All traffic to and from these hosts is messenger or gaming • F7: FTP – Active FTP with initiating port number of 20 • F8: non P2P ports: – Some well-known, privileged port numbers, typically not used by P2P like dns, telnet, ssh, ftp, mail, rtp, bgp … SUNET TrefPunkt 17 2007-11-15

  12. Methodology: Proposed Heuristics (3) – Heuristics for other traffic (F1-F10) • F9: malicious and attack traffic – Scans through IP ranges – Scans through port ranges – DoS or “hammering attacks” to few hosts in high frequency • F10: unclassified, known non-P2P Port – unclassified by H1-H4 and F1-F9 (no connection pattern) – Well known ports including Web, messenger and gaming SUNET TrefPunkt 17 2007-11-15

  13. Verification of proposed heuristic • Comparison of classification for P2P traffic # connections in 10 6 Amount of data in TB SUNET TrefPunkt 17 2007-11-15

  14. 2007-11-15 • Application breakdown April 2006 Results: Traffic Volumes SUNET TrefPunkt 17

  15. Results: Traffic Volumes (2) • Application breakdown April till Nov. 2006 SUNET TrefPunkt 17 2007-11-15

  16. Results: Diurnal Patterns • Fractions of P2P data, April till November 1 0.9 0.8 0.7 Linear (2AM P2P data) 0.6 Linear (10AM P2P data) Linear (14PM P2P data) 0.5 Linear (20PM P2P data ) 0.4 0.3 0.2 0.1 0 1143000000 1148000000 1153000000 1158000000 1163000000 SUNET TrefPunkt 17 2007-11-15

  17. Results: Signaling Behavior • Connection establishment for P2P, Web and malicious traffic SUNET TrefPunkt 17 2007-11-15

  18. Summary of Results • Traffic is increasing for TCP and UDP • Highest activity during evening hours • P2P dominating (~90 % of data volume) • P2P peak time at evening and night-time • Web peak time during office hours • Fractions of P2P and Web constant • Malicious traffic constant in absolute numbers • 'background noise' SUNET TrefPunkt 17 2007-11-15

  19. Summary of Results (2) • Major differences in signaling behavior • 43% of TCP P2P connections 1-packet flows (attempts) • 80% of malicious TCP traffic 1-packet flows (scans) • Web traffic behaving ‘nicely‘ • Different TCP options deployment • P2P behaves as expected • Web traffic shows artifacts of client-server patter e.g. popular web-servers neglecting SACK option SUNET TrefPunkt 17 2007-11-15

  20. References • W. John and S. Tafvelin, Analysis of Internet Backbone Traffic and Anomalies observed , ACM IMC07, San Diego, USA, 2007. • W. John and S. Tafvelin, Differences between in- and outbound Internet Backbone Traffic , TNC07, Copenhagen, DK, 2007. Available on: http://www.ce.chalmers.se/~johnwolf • W. John and S. Tafvelin, Heuristics to Classify Internet Backbone Traffic based on Connection Patterns , accepted at IEEE ICOIN08 • W. John and S. Tafvelin and Tomas Olovsson, Trends and Differences in Connection Behavior within Classes of Internet Backbone Traffic , submitted for publication Available on request: johnwolf@ce.chalmers.se or as Paper copy SUNET TrefPunkt 17 2007-11-15

  21. MonNet – a project for network and traffic monitoring Thank you very much for you attention! Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zero touch Connectivity Per Nihln per@sunet.se What are we doing Eduroam The

Zero touch Connectivity Per Nihln per@sunet.se What are we doing Eduroam The

Zero touch Connectivity Per Nihln per@sunet.se What are we doing Eduroam The Cloud Local initiatives IG campaign Concession for mobility Strategy for new services What are we doing Eduroam The Cloud

559 views • 6 slides
Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The Rendering Equation Monte Carlo Integration A Basic Path Tracer Variance Reduction and Optimisation Techniques Additional Resources Plan From Ray

1.08k views • 54 slides
Kommunikation i rymden Mats Holmstrm Institutet fr rymdfysik (IRF) SUNET TREFpunkt Kiruna

Kommunikation i rymden Mats Holmstrm Institutet fr rymdfysik (IRF) SUNET TREFpunkt Kiruna

Kommunikation i rymden Mats Holmstrm Institutet fr rymdfysik (IRF) SUNET TREFpunkt Kiruna 30 mars 2004 versikt ASPERA-3 p Mars Express Vetenskapliga ml och bakgrund Nulge Mars Express dataflden Fysiskt

837 views • 47 slides
CS255 Programming Assignment #1 Programming Assignment #1 Due: Friday Feb 10 th (11:59pm)

CS255 Programming Assignment #1 Programming Assignment #1 Due: Friday Feb 10 th (11:59pm)

CS255 Programming Assignment #1 Programming Assignment #1 Due: Friday Feb 10 th (11:59pm) Can use extension days Can work in pairs One solution per pair Test and submit on Sweet Hall machines SCPD students: get SUNet

553 views • 22 slides
PANEL DISCUSSION - Zero Touch Connectivity Henrik Wessing, DTU Frans Panken, SURFnet Per

PANEL DISCUSSION - Zero Touch Connectivity Henrik Wessing, DTU Frans Panken, SURFnet Per

PANEL DISCUSSION - Zero Touch Connectivity Henrik Wessing, DTU Frans Panken, SURFnet Per Nihlen, SUNET Architecture Workshop Tony Breach, NORDUnet 10- 13 November 2014 moderator Copenhagen connect communicate collaborate Its just

465 views • 15 slides
Managing your data Niclas Jareborg, NBIS niclas.jareborg@nbis.se Introduction to NGS course

Managing your data Niclas Jareborg, NBIS niclas.jareborg@nbis.se Introduction to NGS course

Managing your data Niclas Jareborg, NBIS niclas.jareborg@nbis.se Introduction to NGS course Research infrastructure landscape Organizational mayhem Swedish Universitites SciLifeLab SUNET National platforms Data Office NBIS SNIC ELIXIR

1.09k views • 79 slides
SciLifeLab Bioinformatics Platform National Bioinformatics Infrastructure Sweden (NBIS) Niclas

SciLifeLab Bioinformatics Platform National Bioinformatics Infrastructure Sweden (NBIS) Niclas

SciLifeLab Bioinformatics Platform National Bioinformatics Infrastructure Sweden (NBIS) Niclas Jareborg NGS course Lund 2017-10-27 Research infrastructure landscape Organizational mayhem Swedish Universitites SciLifeLab SUNET National

447 views • 31 slides
Connectivity at Onsala Space Observatory Roger Hammargren roger.hammargren@chalmers.se Now and

Connectivity at Onsala Space Observatory Roger Hammargren roger.hammargren@chalmers.se Now and

Connectivity at Onsala Space Observatory Roger Hammargren roger.hammargren@chalmers.se Now and the future of the SUNET Network (Swedish University NETwork) Future connectivity to Onsala Equipment at Onsala Local connectivity Background

575 views • 23 slides
The Need for Collaboration between ISPs and P2P 1 P2P systems from an ISP view Structured

The Need for Collaboration between ISPs and P2P 1 P2P systems from an ISP view Structured

The Need for Collaboration between ISPs and P2P 1 P2P systems from an ISP view Structured DHTs (distributed hash tables), e.g., Chord, Pastry, Tapestry, CAN, Tulip, Globally consistent protocol with efficient search

1.07k views • 59 slides
iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de

iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de

iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 4 17ws 1 / 43 Outline Meta

1.55k views • 57 slides
Welcom ome! e! Campaign for Community Wellness June 26, 2020 10:00 a.m. to 11:30 a.m. Zoom

Welcom ome! e! Campaign for Community Wellness June 26, 2020 10:00 a.m. to 11:30 a.m. Zoom

Welcom ome! e! Campaign for Community Wellness June 26, 2020 10:00 a.m. to 11:30 a.m. Zoom Meeting Meeting Protocols Please use the mute button on your phone or in Zoom to eliminate background noise. Mute and unmute mic if using

607 views • 11 slides
Welcome in Heraklion! The Schedule for Today Keynote Please Respect the Timing 15 minutes

Welcome in Heraklion! The Schedule for Today Keynote Please Respect the Timing 15 minutes

Welcome in Heraklion! The Schedule for Today Keynote Please Respect the Timing 15 minutes per presenter in total Please plan on wrapping up your presentation in 12 minutes to leave sufficient time for Q&amp;A Dont Forget the Poster

512 views • 11 slides
Networking CS217 Fall2001 1 Client/Server

Networking CS217 Fall2001 1 Client/Server

Networking CS217 Fall2001 1 Client/Server Server:processthatprovidesaservice e.g.,fileserver,webserver,mailserver calledapassiveparticipant:waitstobecontacted

643 views • 4 slides
2020 Projections were then developed by 2020 Projections were then developed by aggregating

2020 Projections were then developed by 2020 Projections were then developed by aggregating

2020 Projections were then developed by 2020 Projections were then developed by aggregating segments into major mail classes aggregating segments into major mail classes Volume Forecast Key drivers Volume Forecast Key drivers Fall to approx.

500 views • 3 slides
The secrets of WFM Call Centre Helper conference 2 nd April 2019 John Casey Ccplanning

The secrets of WFM Call Centre Helper conference 2 nd April 2019 John Casey Ccplanning

The secrets of WFM Call Centre Helper conference 2 nd April 2019 John Casey Ccplanning John.Casey@ccplanning.net The secrets of WFM Making Resource Planning real The secrets of WFM Top Tip The secrets of WFM Principles of WFM These

467 views • 21 slides
The Best Kept Secrets of WFM Sponsored by The Classic Schedule Problem Login to our Chat Page

The Best Kept Secrets of WFM Sponsored by The Classic Schedule Problem Login to our Chat Page

WEBINAR The Best Kept Secrets of WFM Sponsored by The Classic Schedule Problem Login to our Chat Page cch.chat Login to our Chat Page cch.chat Sponsored by Where Possible use 15 Minute Reporting Intervals Beware of Overhang AHT

489 views • 11 slides
Watch for Me NC Pedestrian and Bicycle Safety Program: 2015 Partner Kick off May 21, 2015

Watch for Me NC Pedestrian and Bicycle Safety Program: 2015 Partner Kick off May 21, 2015

Watch for Me NC Pedestrian and Bicycle Safety Program: 2015 Partner Kick off May 21, 2015 Meeting Agenda Welcome and Introductions Watch for Me NC Overview and Goals Technical Assistance Available to Partners Project Timeline and

453 views • 23 slides
Panda, a Pilot-based workflow manager New Mexico Grid School April 8, 2009 Marco Mambelli

Panda, a Pilot-based workflow manager New Mexico Grid School April 8, 2009 Marco Mambelli

Panda, a Pilot-based workflow manager New Mexico Grid School April 8, 2009 Marco Mambelli University of Chicago marco@hep.uchicago.edu The ATLAS VO Virtual Organization in OSG (and other Grids) In OSG since the

545 views • 18 slides
Wake field monitors conception, installation and measurements in the CTF3 TBM and TBTS Reidar

Wake field monitors conception, installation and measurements in the CTF3 TBM and TBTS Reidar

Wake field monitors conception, installation and measurements in the CTF3 TBM and TBTS Reidar Lunde Lillestl The University of Oslo / CERN 28. January 2015 1/30 Introduction / Motivation CTF3 Measurements Summary / Outlook Outline 1

355 views • 31 slides
A workflow-inspired, modular and robust approach to experiments in distributed systems Tomasz

A workflow-inspired, modular and robust approach to experiments in distributed systems Tomasz

Introduction State of the art Contribution and Evaluation Conclusions A workflow-inspired, modular and robust approach to experiments in distributed systems Tomasz Buchert, Lucas Nussbaum, Jens Gustedt T. Buchert, L. Nussbaum, J. Gustedt A

278 views • 27 slides
Learning What and Where to Transfer Yunhun Jang* 1,2 , Hankook Lee* 1 , Sung Ju Hwang 3,4,5 ,

Learning What and Where to Transfer Yunhun Jang* 1,2 , Hankook Lee* 1 , Sung Ju Hwang 3,4,5 ,

Learning What and Where to Transfer Yunhun Jang* 1,2 , Hankook Lee* 1 , Sung Ju Hwang 3,4,5 , Jinwoo Shin 1,4,5 1 School of Electrical Engineering, KAIST 2 OMNIOUS 3 School of Computing, KAIST 4 Graduate School of AI, KAIST 5 AITRICS * Equal

897 views • 34 slides
pomsets Workflow management for your cloud Michael Pan nephosity In the future, the rapidity

pomsets Workflow management for your cloud Michael Pan nephosity In the future, the rapidity

pomsets Workflow management for your cloud Michael Pan nephosity In the future, the rapidity with which any given discipline advances is likely to depend on how well the community acquires the necessary expertise in database, workflow

471 views • 20 slides
Data-Centric Workflow and Business Processes Victor Vianu and Jianwen Su Outline n Introduction

Data-Centric Workflow and Business Processes Victor Vianu and Jianwen Su Outline n Introduction

Data-Centric Workflow and Business Processes Victor Vianu and Jianwen Su Outline n Introduction Jianwen n Theoretical work on analysis of data-driven workflows Victor n Survey of issues in practical data-driven workflows Jianwen n Discussions of

760 views • 57 slides
Damstra Technology ASX Small and Mid-Cap Conference 2020 10 September 2020 Financial data is

Damstra Technology ASX Small and Mid-Cap Conference 2020 10 September 2020 Financial data is

Damstra Technology ASX Small and Mid-Cap Conference 2020 10 September 2020 Financial data is provided on a pro forma basis except where explicitly stated otherwise Important notice and disclaimer This presentation includes general information

526 views • 28 slides

More recommend