working with flow data in an academic environment in the
play

Working With Flow Data in an Academic Environment in the DDoSVax - PowerPoint PPT Presentation

Sep 17, 2023 •440 likes •674 views

Working With Flow Data in an Academic Environment in the DDoSVax Project at ETH Zuerich Arno Wagner wagner@tik.ee.ethz.ch Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich) Outline 1. Academic users

  1. Working With Flow Data in an Academic Environment in the DDoSVax Project at ETH Zuerich Arno Wagner wagner@tik.ee.ethz.ch Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich)

  2. Outline 1. Academic users 2. Context: The DDoSVax project 3. Data collection and processing infrastructure 4. Software / Tools 5. Technical lessons learned 6. Other lessons learned Note: Also see my FloCon 2004 slides at http://www.tik.ee.ethz.ch/~ddosvax/ or Google("ddosvax") Arno Wagner, ETH Zurich, FloCon 2005 – p.1

  3. Academic Users PhD Researchers Students doing Semester-, (Diploma-) and Master-Theses (Almost) no forensic work Users will write their own tools ⇒ Support is needed to make them productive fast: Software: Libraries, example tools, templates Initial explanations Advice and some supervision Arno Wagner, ETH Zurich, FloCon 2005 – p.2

  4. The DDoSVax Project http://www.tik.ee.ethz.ch/~ddosvax/ Collaboration between SWITCH (www.switch.ch, AS559) and ETH Zurich (www.ethz.ch) Aim (long-term): Near real-time analysis and countermeasures for DDoS-Attacks and Internet Worms Start: Begin of 2003 Funded by SWITCH and the Swiss National Science Foundation Arno Wagner, ETH Zurich, FloCon 2005 – p.3

  5. DDoSVax Data Source: SWITCH The Swiss Academic And Research Network .ch Registrar Links most Swiss Universities Connected to CERN Carried around 5% of all Swiss Internet traffic in 2003 Around 60.000.000 flows/hour Around 300GB traffic/hour Arno Wagner, ETH Zurich, FloCon 2005 – p.4

  6. The SWITCH Network Arno Wagner, ETH Zurich, FloCon 2005 – p.5

  7. SWITCH Peerings Arno Wagner, ETH Zurich, FloCon 2005 – p.6

  8. SWITCH Traffic Map Arno Wagner, ETH Zurich, FloCon 2005 – p.7

  9. NetFlow Data Usage at SWITCH Accounting Network load monitoring SWITCH-CERT, forensics DDoSVax (with ETH Zurich) Transport: Over the normal network Arno Wagner, ETH Zurich, FloCon 2005 – p.8

  10. Collaboration Experience DDoSVax inspired SWITCH to crate their own short-term NetFlow archive for forensics Quite friendly and competent exchange with the (small, open minded) SWITCH technical and security staff. SWITCH may want to use our archive in the future as well Main issue with SWITCH: Privacy concerns Arno Wagner, ETH Zurich, FloCon 2005 – p.9

  11. Network Dynamics No topological changes with regard to flow collection so far. Collection quality got better due to better hardware (routers). IP space (AS559) was a bit enlarged in the last year. Arno Wagner, ETH Zurich, FloCon 2005 – p.10

  12. Collection Data Flow ETHZ SWITCH DDoSVax Project Infrastructure 2 * 400kB/s 2 * 400kB/s ezmp1 ezmp2 aw3 jabba 4 files/h UDP data UDP data 4 files/h compressed FE FE GbE GbE 55GB 600GB HDD HDD Dual−PIII Athlon XP Sun E3000 with 1.4GHz 2200+ GbE IBM 3494 tape robot SWITCH ’’Scylla’’ accounting Cluster Arno Wagner, ETH Zurich, FloCon 2005 – p.11

  13. NetFlow Capturing One Perl-script per stream Data in one hour files Critical: (Linux) socket buffers: Default: 64kB/128kB max. Maximal possible: 16MB We use 2MB (app-configured) 32 bit Linux: May scale up to 5MB/s per stream Arno Wagner, ETH Zurich, FloCon 2005 – p.12

  14. Capturing Redundancy Worker / Supervisor (both demons) Super-Supervisor (cron job) For restart on reboot or supervisor crash Space for 10-15 hours of data on collector No hardware redundancy Arno Wagner, ETH Zurich, FloCon 2005 – p.13

  15. Long-Term Storage Unsampled flow-data since March 2003 Bzip2 compressed raw NetFlow V5 in one-hour files We need most data-fields and precise timestamps We don’t know what to throw away We have the archive space Causes us to be CPU bound (usually) ⇒ Makes software writing a lot easier! Arno Wagner, ETH Zurich, FloCon 2005 – p.14

  16. Computing Infrastructure The ”Scylla” Cluster Servers: aw3: Athlon XP 2200+, 600GB RAID5, GbE does flow compression and transfer aw4: Dual Athlon MP 2800+, 3TB RAID5, GbE aw5: Athlon XP 2800+, 400GB RAID5, GbE Nodes: 22 * Athlon XP 2800+, 1GB RAM, 200GB HDD, GbE Total cost (est.): 35 000 USD + 3 MM Arno Wagner, ETH Zurich, FloCon 2005 – p.15

  17. Software Basic NetFlow libraries (parsing, time handling, transparent decompression, . . . ) Small tools (conversion to text, statistics, packet flow replay, . . . ) Iterator templates: Provide means to step through one or more raw data files one a record-by-record basis Support libraries: Containers, IP table, PRNG, etc. All in c (gcc), commandline only. Most written by me. Partially specific to SWITCH data. Arno Wagner, ETH Zurich, FloCon 2005 – p.16

  18. Lessons Learned (Technical) Software: KISS is certainly valid. Unix-tool philosophy works well. Human-readable formats and Perl or Python are very useful for prototyping and understanding. Add information headers (commandline, etc.) to output formats (also binary)! Take care on monitoring the capturing system. Keep a measurement log! Arno Wagner, ETH Zurich, FloCon 2005 – p.17

  19. Lessons Learned (Technical) Hardware/OS: Needed much more processing power and disks storage than anticipated ⇒ Plan for infrastructure growth! Get good quality hardware. Arno Wagner, ETH Zurich, FloCon 2005 – p.18

  20. Lessons Learned (Technical) Capturing and storage: Bit-errors do happen! We use bzip2 -1 on 1 hour files (about 3:1) Observed: 4 bit errors in compressed data/year 1 year ∼ 5 TB compressed ⇒ 1 error / 1 . 2 ∗ 10 12 Bytes bzip2 -1 ⇒ loss of about 100kB per error Unproblematic to cut defect part Note: gzip, lzop, ... will loose all data after the error Source of errors: RAM, busses, (CPU), (disk), (Network) Arno Wagner, ETH Zurich, FloCon 2005 – p.19

  21. Lessons Learned (Technical) Processing: Bit Errors do happen! Scylla-Cluster used OpenMosix ⇒ Process migration and load balancing Observed problem: Frequent data corruption. Source: A single weak bit in 44 RAM modules Diag-time with memtest86: > 3 days! Process migration made it vastly more difficult to find! No problems with disks, CPUs, network, tapes. Some problems with a 66MHz PCI-X bus on a server. Arno Wagner, ETH Zurich, FloCon 2005 – p.20

  22. Lessons Learned (Users) Students need to understand what they are doing. Human-readable and scriptable output helps a lot! Clean sample code is essential. Tell students what technical skills are expected clearly before they commit to a thesis. Make sure students code cleanly and that they understand algorithmic aspects. Arno Wagner, ETH Zurich, FloCon 2005 – p.21

  23. Thank You! Arno Wagner, ETH Zurich, FloCon 2005 – p.22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Engineering with the Engineering with the Environment Environment working with the environment

Engineering with the Engineering with the Environment Environment working with the environment

Engineering with the Engineering with the Environment Environment working with the environment to working with the environment to improve access improve access Mike James, Peter ONeill and David Salter Access and the poor Access and the

949 views • 27 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow St d ti d d t fl Direct vs. indirect flow

957 views • 92 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow Direct vs. indirect flow visualization Experimental flow

1.18k views • 92 slides
UN Environment Program UN Environment Program UN Environment Program UN Environment Program UN

UN Environment Program UN Environment Program UN Environment Program UN Environment Program UN

UN Environment Program UN Environment Program UN Environment Program UN Environment Program UN Environment Program I show and tell data stories. Census microdata 1950-2015 91 million rows The Guardian I make data tangible and relatable .

846 views • 43 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous Data Flow (SDF) graphs refer to systems where the number of tokens consumed and produced per actor firing is fixed and constant The term synchronous

734 views • 17 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides
weeks Philip Rodrigues Data flow working group meeting 5 June 2019 1 Aims Demonstrate

weeks Philip Rodrigues Data flow working group meeting 5 June 2019 1 Aims Demonstrate

Self-trigger plans for DAQ weeks Philip Rodrigues Data flow working group meeting 5 June 2019 1 Aims Demonstrate something we can reasonably call a TPC self - trigger Prototype components of the FD DAQ design Measure resource

542 views • 10 slides
Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why

Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why

Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why Consider Data Flow? Control Flow: Statement and branch coverage criteria are weak. Condition coverage and path coverage are more costly and

831 views • 20 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware is parallel while software is sequential We need concurrent high-level models to allow designers to describe systems that are independent of

574 views • 12 slides
Introd u ction : Working With Web Data in R W OR K IN G W ITH W E B DATA IN R Oli v er Ke y

Introd u ction : Working With Web Data in R W OR K IN G W ITH W E B DATA IN R Oli v er Ke y

Introd u ction : Working With Web Data in R W OR K IN G W ITH W E B DATA IN R Oli v er Ke y es & Charlo e Wickham Instr u ctors Working w ith Web Data in R Do w nloading les and u sing speciali z ed packages to get data from w eb

554 views • 16 slides
Working Together on Data Science Data-Driven Discovery Initiative @ Moore Foundation Chris

Working Together on Data Science Data-Driven Discovery Initiative @ Moore Foundation Chris

Working Together on Data Science Data-Driven Discovery Initiative @ Moore Foundation Chris Mentzel, Program Director Who We Are Science Patient Care Environment Bay Area Marine Data-Driven TMT EPiQS Microbes Discovery Practices

348 views • 12 slides
Flow Data Analysis in SWITCH / ETH Zurich Project DDoSVax Arno Wagner wagner@tik.ee.ethz.ch

Flow Data Analysis in SWITCH / ETH Zurich Project DDoSVax Arno Wagner wagner@tik.ee.ethz.ch

Flow Data Analysis in SWITCH / ETH Zurich Project DDoSVax Arno Wagner wagner@tik.ee.ethz.ch Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich) Talk Outline The Dataset Flow Data Usage by SWITCH

625 views • 13 slides
Board of Directors Meeting Thursday, March 7, 2019 2:00 p.m. Slide 1 I. Welcome & Roll

Board of Directors Meeting Thursday, March 7, 2019 2:00 p.m. Slide 1 I. Welcome & Roll

Board of Directors Meeting Thursday, March 7, 2019 2:00 p.m. Slide 1 I. Welcome & Roll Call Board of Directors 2 CLEAN POWER ALLIANCE II. General Public Comment Board of Directors 3 CLEAN POWER ALLIANCE III. Consent Agenda Board

483 views • 34 slides
The National Academy's Approach to The National Academy's Approach to Medium and Heavy Duty Truck

The National Academy's Approach to The National Academy's Approach to Medium and Heavy Duty Truck

The National Academy's Approach to The National Academy's Approach to Medium and Heavy Duty Truck Fuel Medium and Heavy Duty Truck Fuel Consumption Consumption Presented to Focus for the Future Automotive Research Conferences by John

529 views • 22 slides
Restoring Hima Ecosystem Functions through Combacting the Problems of Water Resources Management

Restoring Hima Ecosystem Functions through Combacting the Problems of Water Resources Management

Restoring Hima Ecosystem Functions through Combacting the Problems of Water Resources Management in the Hima- IBAs of Lebanon Presented by :Dalia Al-jawhary Outline Overview about SPNL Hima Approach&Hima Anjar- Kfar Zabad Anjar

457 views • 33 slides
THE Based on Workshop 15 January2019 Arthur ten Wolde, Circular Economy Expert Ecopreneur.eu

THE Based on Workshop 15 January2019 Arthur ten Wolde, Circular Economy Expert Ecopreneur.eu

THE Based on Workshop 15 January2019 Arthur ten Wolde, Circular Economy Expert Ecopreneur.eu & MVO Nederland Arno Kunert, Director Business Development WeSustain GmbH About Ecopreneur: the political voice of green SMEs in Brussels Over

540 views • 12 slides
Joint ECDC-EFSA-EMA report on consumption of antimicrobials and antimicrobial resistance in

Joint ECDC-EFSA-EMA report on consumption of antimicrobials and antimicrobial resistance in

Joint ECDC-EFSA-EMA report on consumption of antimicrobials and antimicrobial resistance in animals, food and humans (JIACRA) ESVAC stakeholders meeting 2014 Jordi Torren, Kari Grave, Arno Muller, David Mackay, Christina Greko, Gerard Moulin

273 views • 12 slides
Deanonymisation in Ethereum Using Existing Methods for Bitcoin Robin Klusman Tim Dijkhuizen

Deanonymisation in Ethereum Using Existing Methods for Bitcoin Robin Klusman Tim Dijkhuizen

Deanonymisation in Ethereum Using Existing Methods for Bitcoin Robin Klusman Tim Dijkhuizen Supervisor: Arno Bakker RP1 #61 06-02-2018 Introduction Blockchain Decentralised Peer-to-peer Miners Anonymous reputation

547 views • 23 slides
HELCOM ZEN QAI Period : 2011-2013 Proposed by : Z ooplankton E xpert N etwork Chair/Contracting

HELCOM ZEN QAI Period : 2011-2013 Proposed by : Z ooplankton E xpert N etwork Chair/Contracting

HELCOM MONAS 14/2011 Q uality A ssurance and I ntegration of Zooplankton Monitoring in the Baltic Sea HELCOM ZEN QAI Period : 2011-2013 Proposed by : Z ooplankton E xpert N etwork Chair/Contracting party : Elena Gorokhova, Sweden Importance of

228 views • 12 slides

More recommend