Traffic Measurement Lothar Braun Outline q Why do we need to - - PowerPoint PPT Presentation

Chair for Network Architectures and Services

Department of Informatics Technische Universität München

Traffic Measurement

Lothar Braun

2

Outline

q Why do we need to measure traffic in the Internet? q Active measurement vs. passive measurement q Passive measurement: Packet-level vs. flow-level q Protocols for transporting measurement data q What are you going to do in the Lab?

3

Outline

q Why do we need to measure traffic in the Internet? q Active measurement vs. passive measurement q Passive measurement: Packet-level vs. flow-level q Protocols for transporting measurement data q What are you going to do in the Lab?

4

Why do You Measure in the Lab?

q Task: Setup your lab environment q It doesn’t work! q What do you do to find the problem?

5

Why do We Need to Measure in the Internet?

q Problems get worse in large-scale networks q Openness

§ No/little access control for new Internet participants § Free deployment of new applications and services

q Heterogeneity

§ Different technologies at lower layers § Different protocols and services on top of IP

è different requirements / different failures

q Consequences for network operators

§ Little control of utilization of network resources è possible misuse: hackers, attacks, spam § Little knowledge about applications and services è unpredictable traffic

à à Traffic measurements can help to understand our network

6

Applications of Traffic Measurements

q What information is useful for network operators? q Network monitoring

§ Fault detection § Connectivity and routing

q Performance measurements

§ Link capacity and utilization § Quality of Service parameters (delay, jitter, throughput)

q Accounting and charging

§ Traffic volume per customer or peering AS

q Network security

§ Worm and attack detection Map of the MWN (December 2010)

7

Outline

q Why do we need to measure traffic in the Internet? q Active measurement vs. passive measurement q Passive measurement: Packet-level vs. flow-level q Protocols for transporting measurement data q What are you going to do in the Lab?

8

Active Measurements

q Methodology

§ Probe packets exchanged between two end-systems § Measurement of packet loss,

• ne-way delay, round-trip times,

packet interarrival times

q Analysis

§ Complete packet loss è link down, invalid route, router defect § Partial packet loss è available bandwidth, level of congestion § Delay = propagation time + buffer time è distance, filling level of buffers § Interarrival times of packet pairs/trains è path capacity

q Pros and cons

§ Does not require access to internal network components § Intrusive è existing traffic is disturbed § No information about existing traffic

Network

Sender Receiver

9

Passive Measurements (= Focus of this Lab)

q Methodology

§ Observation of existing traffic using monitoring probes in the network § Measurement of traffic volume, traffic composition, packet interarrival times § Different levels of granularity: packet-level, flow-level, link-level

q Analysis

§ Measurement of network utilization for accounting and traffic engineering § Measurement of quality-of-service parameters (e.g., throughput, delay) § Detection of failures, traffic anomalies, flooding attacks and scans § Traffic characterization with deep packet inspection

q Pros and cons

§ Non-intrusive è existing traffic is not disturbed § Installation of monitoring probes at appropriate locations in the network

Network

Monitoring Probe

10

Outline

q Why do we need to measure traffic in the Internet? q Active measurement vs. passive measurement q Passive measurement: Packet-level vs. flow-level q Protocols for transporting measurement data q What are you going to do in the Lab?

11

Packet-Level Measurements

q Gather information about individual packets:

§ Observation time § Location (interface and direction) § Packet header information (link layer, IP header, transport header) § Packet payload

31 16

Source Port Destination Port Sequence Number Acknowledgement

4 bit TCP header length

6 bit unused U R G A C K P S H R S T S Y N F I N

Window Checksum Urgent Pointer Options GET /index.html HTTP/1.1 ... Application ports Connection Information Application payload

12

Using Packet-Level Measurements

q You already used packet-level measurements

§ For understanding the SCTP traffic in the SCTP lab You can look at all the packets You can look into the packets You can identify problems with the packets You can look into the application protocol

13

Signature Detection in Packets

q Some applications try to look for patterns in the payload

§ Application identification § Search for attacks like worm or botnet traffic

q Application detection

§ Idea: Identify an application by looking for specified protocol fields § Example: HTTP

• GET /index.html HTTP/1.1

q Malicious traffic detection

§ Idea: Security analysts know how malicious traffic looks like § Signature detection systems try to find such patterns § These systems are often called Intrusion Detection Systems

14

Example: IRC-based botnets

q Internet Relay Chat (IRC)

§ Real-time chat § Users join a chat room § Also used by botnets to control bot clients

q Important properties

§ Every user must choose a nickname § Each nickname must be unique

• n a network

à Bot clients need to generate nicknames

q Intrusion Detection Systems

can look for such automatically generated nicks

15

Signature Detection: Snort

q Snort is an Intrusion Detection System q Operation

§ Capture network packets like wireshark § Perform signature matching on packets according to signature database

q Signature database must be configured by the users

alert tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; flowbits:isset,is_proto_irc; content:"USER XP-"; pcre:"/USER XP-[A-z0-9]{4,8} \* 0 \:.*/"; msg:"E4[rb] ET TROJAN Likely Bot Username in IRC (XP-..)"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008123; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/ TROJAN_IRC_Bots; sid:2008123; rev:4;)

16

Using Packet-Level Measurements

q Also useful: tcpdump q It will give you network

and transport layer information about the traffic

q Important information:

§ Packet loss

q Not a problem on my

desktop system, but …

17

Packet-Level Measurements in Large Networks

q … can be a big problem for larger systems

§ Example: X-Win from MWN to DFN (Internet access)

• 10 Gigabit Ethernet link
• Connects more than 80.000 systems to the Internet

q Problem

§ Processing of all packets requires a lot of resources § Packet loss will occur if you do not have these resources

18

Packet Selection

q Most applications require only specific packets to be observed q Packet selection

§ Capture only the interesting subset of packets that you can handle

q Packet Filtering

§ Select packets with properties X and Y § Goal: Select “interesting traffic” that helps to identify problems § Example: tcpdump -i eth0 tcp and port 80

• Useful if you are interested in HTTP traffic on port 80

q Packet Sampling

§ Systematic or probabilistic sampling algorithms § Goal: Infer statistics of overall traffic from sampled packets § Example: Select each packet with probability of 10 %

19

Flow-Level Measurements

q Some applications do not require packet-level information q Other information can be more important

§ How much traffic is in my network? § How much UDP traffic is there? § Is there some client that sends a lot of mail traffic?

• E.g. a spammer in my network?

q Answering these questions does not require packet data

§ Instead: It requires information about who communicates with whom

q Solution: Generate and analyze flow data

20

q Flows are often stored for a long time period

§ Used for understanding and visualizing traffic

Using Flow Data

Source: NfSen- Homepage

21

Network Flows

q Definition of a flow

§ Set of packets common properties called flow keys (often IP-quintuple) § Observed at one point in the network (e.g., router interface)

q Measured properties

§ Observation period (timestamp of first and last packet) § Number of bytes and packets belonging to the flow

q Flow record = {(flow keys), (measured properties)}

§ {(Host A, port a, Host B, port b, TCP), (200 packets, 5000 bytes, 11:00, 11:05)}

q Flow duration

§ Start: first packet with new flow key values § End: after timeout or based on signaling (e.g., TCP FIN)

Host A Host B

22

Flow Duration

q Flow expiration after timeout

§ Inactive timeout è maximum gap between two consecutive packets § Active timeout è maximum flow duration since flow start

23

Flow Measurement Deployment

q Flows are typically generated at a network router

§ Analysis does not happen on the router § Instead: Data is transmitted to a flow collecting machine

Internal Network Internet Flow-Collector Flow Data (e.g. encoded in IPFIX)

24

Outline

q Why do we need to measure traffic in the Internet? q Active measurement vs. passive measurements q Passive measurement: Packet-level vs. flow-level q Protocols for transporting measurement data q What are you going to do in the Lab?

25

Protocols for Transporting Measurement Data

q Motivation

§ Monitoring probes have limited analysis capabilities è transport measurement data to remote traffic analyzer

q IETF protocols

§ Simple Network Management Protocol (SNMP)

• Measurement data stored in Management Information Base (MIB) of the

monitoring probe (e.g., using RMON-MIB)

• Traffic analyzer needs send SNMP GET requests at a regular basis

§ IP Flow Information eXport (IPFIX)

• Push protocol è monitoring device exports data without being queried
• Usage not limited to flow-level measurement data
• Traffic analyzer operates as IPFIX Collector

Network

Monitoring Probe Traffic Analyzer

Measurement Data

26

IPFIX Protocol

q Template based data export

§ Measurement data encoded in Data Records with several fields § Data Record structure specified by Template Record § Data type and semantic of a field defined by Information Element § Field length specified in Template (or in the Data Record itself)

q Protocol description

§ IPFIX Exporter sends Template Record prior to associated Data Records è IPFIX Collector has necessary information to decode Data Records § Unidirectional communication (no return traffic from Collector to Exporter)

Template Id IE ID & Length of Field 1 IE ID & Length of Field N ... Field Count Template Id Field Value 1 Field Value N ... Length Field Value 1 Field Value N ... ... Data Record 1 Data Record 2 Template Record Data Set ·√ Template describes type and semantic of record fields. ·√ Template Id provides the link between Template Record and Data Record.

27

IPFIX Protocol: Example

q Template Record q Associated Data Set with two Data Records

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 256 | Field Count = 3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address (12) | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0|destinationTransportPort (11)| Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| observationTimeSeconds (332)| Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 256 | Length = 24 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 192.0.2.12 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 80 | 1276696036 ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | 192.0.2.27 ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | 38893 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1276696037 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

28

Outline

q Why do we need to measure traffic in the Internet? q Active measurement vs. passive measurement q Passive measurement: Packet-level vs. flow-level q Protocols for transporting measurement data q What are you going to do in the Lab?

29

Traffic Measurement Lab

q Scenario q Outline

§ Implement pcap-based sniffer starting from some skeleton code

• programming language is C

§ Extract interesting information from TCP packets § Export resulting data to Vermont using the IPFIX protocol

• IPFIX exporter library is available

§ Use Vermont to receive and analyze the measurement data

Sniffer (IPFIX Exporter) Vermont (IPFIX Collector) Measurement data transmitted with IPFIX protocol

passive traffic monitoring using pcap library display measurement data and search for signatures

30

Traffic Measurement Lab: Learning Targets

q Learn how passive traffic capturing works

§ How applications like tcpdump, Wireshark, and Snort work? § How does flow generation work?

q Get to know the IPFIX protocol q Get familiar with protocol specification in RFCs

§ Get a better understanding of IP, TCP, and higher layer protocol

• By extracting protocol header fields and writing signatures

31

Questions?