Large-Scale Geolocation for NetFlow – Pavel Čeleda, Petr Velan, Martin Rábek – PowerPoint PPT Presentation



SLIDE 1

Large-Scale Geolocation for NetFlow

Pavel Čeleda, Petr Velan, Martin Rábek Rick Hofstede, Aiko Pras

{celeda|velan|xrabek1}@ics.muni.cz, {r.j.hofstede|a.pras}@utwente.nl IFIP/IEEE IM 2013, 27-31 May 2013, Ghent, Belgium

SLIDE 2

Part I Introduction

Pavel Čeleda Large-Scale Geolocation for NetFlow 2 / 22

SLIDE 3

Motivation and R&D Goals – I

Figure: SURFmap – a Network Monitoring Tool Based on the Google Maps API.

SLIDE 4

Motivation and R&D Goals – II

How can flow-based geolocation be performed at large scale?
  • exporter-based approach,
  • collector-based approach.

How can we benefit from geolocation data in flow records?
  • traffic engineering,
  • traffic profiling,
  • anomaly detection.

SLIDE 5

Part II Architecture

SLIDE 6

Exporter-Based Geolocation

Figure: exporter pipeline – Packets → Input → Flow cache → Export (NetFlow v9); the GeoPlugin turns flows into geolocated flows before export.

  • exporter filter plugin for IP address geolocation,
  • NetFlow v9 template mapping – GEO data to AS fields: SRC_AS=*SRC_GEO, DST_AS=*DST_GEO,
  • AS mapping → transparent to any flow collector.
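The GEO-to-AS mapping as a worked NetFlow v9 exchange. This is an added example and not the GeoPlugin or any exporter code from the paper: it builds one v9 packet whose template carries SRC_AS/DST_AS, fills those two slots with ISO 3166-1 numeric country codes, and decodes the packet with a template-driven parser, which is exactly what a geolocation-unaware collector does with it. The field type IDs are from RFC 3954; the flow is the one shown later on the extension #15 slide; the address-to-country table is a constructed stand-in for the MaxMind lookup.

```python
"""NetFlow v9 export with country codes carried in the SRC_AS/DST_AS slots (added example)."""
import socket
import struct

# NetFlow v9 field type IDs from RFC 3954.
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
SRC_AS, DST_AS = 16, 17
TEMPLATE_ID = 256  # data template IDs start at 256

# Record layout as (field type, length); the two AS slots will carry the country codes.
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
            (PROTOCOL, 1), (IN_PKTS, 4), (IN_BYTES, 4), (SRC_AS, 2), (DST_AS, 2)]

# Constructed stand-in for the MaxMind lookup (only the two addresses of the sample flow).
GEO_TABLE = {"23.63.79.144": 840, "147.251.170.165": 203}  # US, CZ


def geolocate(addr):
    """ISO 3166-1 numeric code for addr; 0 when the database has no entry."""
    return GEO_TABLE.get(addr, 0)


def build_packet(flows, seq=0, source_id=1, uptime_ms=0, unix_secs=0):
    """Encode flows (dicts: src, dst, sport, dport, proto, pkts, bytes) as one v9 packet."""
    # Template flowset: flowset id 0, length, then template id, field count, (type, len)*.
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    body += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE)
    template_fs = struct.pack("!HH", 0, 4 + len(body)) + body

    # Data flowset: flowset id = template id; SRC_AS=*SRC_GEO, DST_AS=*DST_GEO.
    body = b""
    for f in flows:
        body += socket.inet_aton(f["src"]) + socket.inet_aton(f["dst"])
        body += struct.pack("!HHBII", f["sport"], f["dport"], f["proto"], f["pkts"], f["bytes"])
        body += struct.pack("!HH", geolocate(f["src"]), geolocate(f["dst"]))
    pad = (-len(body)) % 4  # flowsets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(body) + pad) + body + b"\0" * pad

    # Header: version, count (template + data records), sysUptime, unix secs, sequence, source id.
    header = struct.pack("!HHIIII", 9, 1 + len(flows), uptime_ms, unix_secs, seq, source_id)
    return header + template_fs + data_fs


def parse_packet(packet):
    """Template-driven decode returning a list of {field type: value} records.

    Mimics a plain collector: SRC_AS/DST_AS come back exactly as received, which is
    what makes the mapping transparent (and indistinguishable from real AS numbers).
    """
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # template flowset, possibly several templates
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id in templates:  # data flowset; flowsets with unknown templates are skipped
            fields = templates[fs_id]
            rec_len = sum(n for _, n in fields)
            while pos + rec_len <= len(body):  # trailing padding is shorter than one record
                rec = {}
                for ftype, n in fields:
                    raw, pos = body[pos:pos + n], pos + n
                    is_ip = ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and n == 4
                    rec[ftype] = socket.inet_ntoa(raw) if is_ip else int.from_bytes(raw, "big")
                records.append(rec)
        off += fs_len
    return records


def exporter_to_collector(flows):
    """Round trip: export with the GEO-to-AS mapping, decode as a plain collector."""
    return [{"src": r[IPV4_SRC_ADDR], "dst": r[IPV4_DST_ADDR], "src_ctry": r[SRC_AS], "dst_ctry": r[DST_AS]}
            for r in parse_packet(build_packet(flows))]


# The flow from the extension #15 slide (constructed from the values shown there).
SAMPLE_FLOW = {"src": "23.63.79.144", "dst": "147.251.170.165", "sport": 80, "dport": 57046,
               "proto": 6, "pkts": 4, "bytes": 936}

if __name__ == "__main__":
    print(exporter_to_collector([SAMPLE_FLOW]))
```

The caveat that follows from the round trip: numeric country codes lie inside the range of valid AS numbers, so a collector cannot tell from the field alone whether SRC_AS holds an origin AS or a country code. The mapping only works if every collector fed by that exporter knows the exporter has been configured this way; where real AS numbers are also needed, the collector-based approach on the following slides keeps them and stores the country in its own extension.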

SLIDE 9

MaxMind GeoLite Country Database

  • MaxMind GeoLite – free off-line country database,
  • C API for IPv4/IPv6 geolocation.

Figure: IPv4/IPv6 geolocation database performance – queries/s (×10^6, scale 2 to 16) for the Standard, Memory cache, Check cache and MMAP cache modes of the C API.

SLIDE 10

Collector-Based Geolocation

Figure: collector pipeline – data collection (NetFlow v5, v9) → geolocation in nfcapd → storage → data processing (Top-N stats, aggregation, filtering, raw data) by nfprofile/nfdump → NfSen Web UI (profiles).

  • patch for NFDUMP and NfSen toolset,
  • native geolocation support for any NetFlow v5/v9, IPFIX data.

SLIDE 13

NFDUMP Database Extension #15 – Country Code

Flow Record:
  Flags       = 0x06 Unsampled
  size        = 80
  first       = 1348387461 [2012-09-23 10:04:21]
  last        = 1348387462 [2012-09-23 10:04:22]
  msec_first  = 890
  msec_last   = 100
  src addr    = 23.63.79.144
  dst addr    = 147.251.170.165
  src port    = 80
  dst port    = 57046
  tcp flags   = 0x1a .AP.S.
  proto       = 6
  (in)packets = 4
  (in)bytes   = 936
  input       = 5
  src as      = 20940
  dst as      = 2852
  in src mac  = 00:0e:38:5e:30:c0
  out dst mac = 00:1e:be:8b:26:c0
  src ctry    = 840 ... ISO 3166-1 country code - US
  dst ctry    = 203 ... ISO 3166-1 country code - CZ

SLIDE 14

NFDUMP Flow Listing

a) numeric code – %scc %dcc
b) alpha-2 code – %sccan %dccan

Listed flows, src:port -> dst:port (country-code columns not shown):
  194.228.29.173:0 -> 147.251.48.205:3.13
  147.251.210.106:51885 -> 69.171.227.59:443
  151.40.40.243:15833 -> 147.251.79.246:49159
  157.55.235.165:40040 -> 147.251.215.10:49464
  147.251.170.77:59408 -> 89.79.20.120:18973

Usage example

nfdump -M /data/nfsen/profiles-data/live/p3000:p3001 \
  -r 2012/09/23/nfcapd.201209231005 \
  -o 'fmt:%pr %sap -> %dap %sccan %dccan' -m -c 20

SLIDE 15

NFDUMP Geofiltering

  • country filter syntax is similar to the other NFDUMP filter syntax: ctry [comp] <num>,
  • a country can be compared against a list (red-black tree) of country codes: ctry in [ <ctrylist> ],
  • filters are often used for traffic profiling in NfSen.

Usage example

nfdump -M /data/nfsen/profiles-data/live/p3000:p3001 \
  -r 2012/09/23/nfcapd.201209232035 -c 5 \
  'src ctry 203 and not dst ctry in [ 203 840 166 ]'
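The collector side of the two previous slides as a worked example: the nfcapd enrichment step (a longest-prefix-match lookup adding src_ctry/dst_ctry to each flow) and an evaluator for the geofilter forms just listed, 'ctry [comp] <num>' and 'ctry in [ <ctrylist> ]', combined with and/or/not and parentheses. This is added code, not the NFDUMP patch: the prefix-to-country table is made up (the real patch asks the MaxMind database), the flows are the addresses from the listing slide, and a Python set stands in for the patch's red-black tree of codes.

```python
"""Collector-side geolocation plus an nfdump-style country filter (added example)."""
import ipaddress
import operator

# Constructed prefix -> ISO 3166-1 numeric code table (made up, not real allocations).
PREFIXES = {
    "147.251.0.0/16": 203, "194.228.0.0/16": 203,   # CZ
    "69.171.224.0/19": 840, "157.55.0.0/16": 840,   # US
    "151.40.0.0/16": 380,                           # IT
    "89.79.0.0/16": 616,                            # PL
}
# Longest prefix first, so the first hit is the most specific (a radix tree does this in one walk).
PREFIX_TABLE = sorted(((ipaddress.ip_network(p), c) for p, c in PREFIXES.items()),
                      key=lambda e: -e[0].prefixlen)


def lookup_ctry(addr):
    """Numeric country code for addr, 0 when the database has no entry."""
    ip = ipaddress.ip_address(addr)
    return next((code for net, code in PREFIX_TABLE if ip in net), 0)


def geolocate(records):
    """The nfcapd step: annotate each flow with src_ctry/dst_ctry at collection time."""
    return [dict(r, src_ctry=lookup_ctry(r["src"]), dst_ctry=lookup_ctry(r["dst"])) for r in records]


OPS = {"=": operator.eq, "==": operator.eq, "!=": operator.ne,
       "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def parse_filter(text):
    """Recursive-descent parser for the country filter; returns a tuple AST."""
    for ch in "[]()":
        text = text.replace(ch, f" {ch} ")
    toks, pos = text.split(), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'} at position {pos}, got {tok!r}")
        pos += 1
        return tok

    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():
        node = unary()
        while peek() == "and":
            take()
            node = ("and", node, unary())
        return node

    def unary():
        if peek() == "not":
            take()
            return ("not", unary())
        if peek() == "(":
            take()
            node = or_expr()
            take(")")
            return node
        side = take() if peek() in ("src", "dst") else "any"  # no side: match either address
        take("ctry")
        if peek() == "in":                      # ctry in [ 203 840 ... ]
            take()
            take("[")
            codes = set()
            while peek() != "]":
                codes.add(int(take()))
            take("]")
            return ("in", side, frozenset(codes))
        op = take() if peek() in OPS else "="  # a missing comparison operator means equality
        return ("cmp", side, op, int(take()))

    node = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return node


def evaluate(node, rec):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], rec) and evaluate(node[2], rec)
    if kind == "or":
        return evaluate(node[1], rec) or evaluate(node[2], rec)
    if kind == "not":
        return not evaluate(node[1], rec)
    fields = {"src": ("src_ctry",), "dst": ("dst_ctry",), "any": ("src_ctry", "dst_ctry")}[node[1]]
    if kind == "in":
        return any(rec[f] in node[2] for f in fields)
    return any(OPS[node[2]](rec[f], node[3]) for f in fields)


def nfdump_filter(records, text):
    """Apply a country filter expression to geolocated flow records."""
    ast = parse_filter(text)
    return [r for r in records if evaluate(ast, r)]


# Constructed flows: the address pairs from the listing slide, geolocated with the table above.
SAMPLE_FLOWS = geolocate([
    {"src": "194.228.29.173", "dst": "147.251.48.205"},
    {"src": "147.251.210.106", "dst": "69.171.227.59"},
    {"src": "151.40.40.243", "dst": "147.251.79.246"},
    {"src": "157.55.235.165", "dst": "147.251.215.10"},
    {"src": "147.251.170.77", "dst": "89.79.20.120"},
])

if __name__ == "__main__":
    for r in nfdump_filter(SAMPLE_FLOWS, "src ctry 203 and not dst ctry in [ 203 840 166 ]"):
        print(r)
```

With the made-up table, the slide's filter keeps only the flow from 147.251.170.77 to 89.79.20.120 (CZ source, PL destination); the other CZ-sourced flows go to countries in the list and are dropped. An address that matches no prefix gets code 0, so a filter such as `ctry 0` is the quick way to find traffic the database could not place.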

SLIDE 16

NfSen Geoprofiling

Figure: Screenshot of the collector-based geolocation prototype.

SLIDE 17

Part III Use Case I – Traffic Profiling

SLIDE 18

Geolocated and Non-geolocated ICMP Traffic – I

Figure: ICMP traffic – packets/s in and out from 00:00 to 12:00 (scale up to 150 packets/s), with events (1) to (4) marked.

SLIDE 19

Geolocated and Non-geolocated ICMP Traffic – II

Figure: Geolocated ICMP traffic – the same packets/s in/out plot from 00:00 to 12:00 broken down by country (CZ, UA, US, Other), with events (1) to (4) marked.

SLIDE 20

Distribution of HTTPS Traffic over Countries – I

Figure: HTTPS flows/s in and out (scale up to 200 flows/s) by country: US, CZ, Other.

SLIDE 21

Part IV Use Case II – Anomaly Detection

SLIDE 22

Bad Neighboring Countries

Figure: Incoming TCP SYN-only flows/s over 24 hours, 00:00 to 00:00 (scale up to 300 flows/s) – all countries vs. China.
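How the per-country view on this slide is produced from flow records, as an added example that is not the authors' NfSen profile: incoming TCP flows whose cumulative flags are exactly SYN are counted per time bucket and per source country, and a bucket is reported when one country contributes most of the SYN-only rate. The flow records are constructed; the nfdump filter I would pair with this, `proto tcp and flags S and not flags AFRPU`, is assumed from nfdump's flag-filter syntax rather than taken from the slides.

```python
"""SYN-only flow rate per source country, the 'bad neighboring countries' view (added example)."""
from collections import Counter, defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CN, US, CZ, DE = 156, 840, 203, 276   # ISO 3166-1 numeric codes


def syn_only(flags):
    """True for a flow whose cumulative TCP flags are exactly SYN (handshake never completed)."""
    return flags & (FIN | SYN | RST | PSH | ACK | URG) == SYN


def syn_only_rates(records, bucket=60):
    """Per-bucket SYN-only flows/s: {bucket_start: (total_rate, {ctry: rate})}.

    records are (epoch_seconds, src_ctry, tcp_flags) tuples for incoming TCP flows.
    """
    counts = defaultdict(Counter)
    for ts, ctry, flags in records:
        if syn_only(flags):
            counts[ts - ts % bucket][ctry] += 1
    return {b: (sum(c.values()) / bucket, {k: v / bucket for k, v in c.items()})
            for b, c in counts.items()}


def dominant_countries(rates, min_share=0.5, min_rate=1.0):
    """Buckets where one country sends >= min_share of a SYN-only rate of >= min_rate flows/s."""
    alerts = []
    for b, (total, by_ctry) in sorted(rates.items()):
        ctry, rate = max(by_ctry.items(), key=lambda kv: kv[1])
        if total >= min_rate and rate / total >= min_share:
            alerts.append((b, ctry, rate, total))
    return alerts


# Constructed input. Minute 0: background of 20 SYN-only flows each from US/DE/CZ plus a few
# completed handshakes (SYN|ACK). Minute 1: the same background plus 200 SYN-only flows from CN.
BACKGROUND = [(t, (US, DE, CZ)[t % 3], SYN) for t in range(60)] + [(t, US, SYN | ACK) for t in range(0, 60, 6)]
SAMPLE = BACKGROUND + [(60 + t, c, f) for t, c, f in BACKGROUND] + [(60 + i % 60, CN, SYN) for i in range(200)]

if __name__ == "__main__":
    for bucket, ctry, rate, total in dominant_countries(syn_only_rates(SAMPLE)):
        print(f"bucket {bucket}: country {ctry} sends {rate:.2f} of {total:.2f} SYN-only flows/s")
```

On the constructed input the first minute stays at 1 flow/s spread evenly over three countries and raises nothing, while the second minute reports CN at about 3.3 of 4.3 SYN-only flows/s. A share threshold rather than an absolute one is what separates the "one bad neighbor" pattern on the slide from a general rise in scanning.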

SLIDE 23

UDP DoS Attack

Figure: UDP DoS attack from an infected Linux machine – packets/s in and out from 18:00 to 00:00 (scale up to 12,000 packets/s); series: DNS in/out and US DNS in/out.

SLIDE 24

Part V Conclusion

SLIDE 25

Conclusion

Summary
  • country-level information in flow data,
  • native geolocation support for NfSen/NFDUMP,
  • pilot geo-prototype deployment at the MU – CESNET link.

Future Work
  • IPFIX-compliant prototype for exporter-based geolocation,
  • ipfixcol – AS and GEO support implementation,
  • AS + GEO data for traffic profiling and anomaly detection.

SLIDE 26

Thank You For Your Attention!

P. Čeleda, P. Velan, M. Rábek
{celeda|velan|rabek}@ics.muni.cz

R. Hofstede, A. Pras
{r.j.hofstede|a.pras}@utwente.nl

Geolocation Toolset
http://www.muni.cz/research/publications/1090804