© 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property
and/or AT&T affiliated companies. All other marks are the property of their respective owners.
10 January 2017
FloCon 2017, San Diego, CA
Netflow Collection and Analysis at a Tier 1 Internet Peering Point
Fred Stringer
AT&T Chief Security Organization
Systems Engineer/Network Architect
Netflow Collection and Analysis at Internet Peering
FMS 12/19/2016 © 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners.
Take Away Messages
IP Flow Record (Netflow) Analysis is effective
  - Stand-alone, without correlation with host logs and events
  - On unidirectional IP flows
  - Metering part of a LAG bundle
Scaling Netflow Analysis
  - Volumetric Anomaly Detection
  - Edge (at point of collection) and pre-processing
  - Everything does NOT need to be databased
Peering
[Figure: three networks (Blue Net, Green Net, Red Net) exchanging Route Advertisements (RA) with each other]
Peering is a business relationship supported by routing (BGP) policies and procedures, creating a network relationship. It can be created at meeting points (public peering) or over direct connections (private peering).
Internet Peering
[Figure: Blue Net, Green Net and Red Net exchanging Route Advertisements (RA); a "Routes Available" box next to each network lists the routes it learns]
Blue Net is a Tier 1 (default free).
Tier 1 Internet Peering
[Figure: the same three networks with additional Route Advertisements (RA) exchanged between Blue Net and its peers; a "Routes Available" box per network]
Asymmetrical Flows Through Peering
[Figure: traffic between Green Net and Blue Net, with the two directions of a flow taking different paths through peering]
Threat Analytics Platform
[Figure: platform overview. Pipeline stages: Data Acquisition -> Transport -> Storage, Processing, Analysis -> Interpretation & Response Processes. Edge Analytics sits at the point of collection; Analysis Platforms and Reporting Systems feed Reporting & Alerting and Forensic Analysis; Alerts go to the GNOC for remediation coordination.]
[Chart: "UDP port 2002 relative to other UDP traffic". X axis: Date (9/10 through 9/16). Y axis: relative rank, log scale from 1 to 10000. Three series: # flows, # packets, # bytes. Values labelled on the chart: 2842, 17, 20, 5, 2, 2, 8, 1.]
Netflow Metering and Collection
Meter IPFIX from 5.8 Terabits per second of traffic
IPFIX format since 2010
Supports IPv6
Standard Data Elements, with overwrite of "ingressInterface" (Element ID 10)
We overwrite it with a network-wide unique tag, so the source of a record can be traced back from the record alone.
Passive probes for Threat Detection data, rather than the routers
1:1 sampling: flow records for 100% of the packets
Automated Analysis Functions
Volumetric Alerting
  - 100% of records collected are processed
  - Port, protocol, address block anomalies
  - DDoS attacks and other otherwise undetected events
Scan Detection
  - Source address making many attempts to connect to many destination addresses or ports
Worm propagation (derived from scan detection)
  - Alarming on rapid increase in the number of sources of a particular scan type (per circuit)
Scan Volume Alarm (derived from scan detection)
  - Increases in scan probes or scan packets per protocol/port
Botnet Controller Detection (flow-based & DNS records DB)
  - Reports on suspect bot activity based on correlated flow characteristics
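As an added example, not code from the presentation or from AT&T, the Python below sketches three of the flow-only functions listed above (scan detection, the worm-propagation alarm derived from it, and the volumetric ranking behind the earlier "UDP port 2002 relative to other UDP traffic" chart) over constructed unidirectional flow records held in memory, which is the point of the "everything does not need to be databased" takeaway. The record layout (src, dst, proto, dport, pkts, bytes, circuit), the sample traffic and the thresholds are assumptions chosen for illustration; "circuit" stands in for the network-wide tag the deck describes writing into ingressInterface.

```python
"""Added example (not AT&T's code): flow-only detectors from the slide, run
over constructed unidirectional flow records kept in memory.  Assumed
record fields: src, dst, proto, dport, pkts, bytes and 'circuit' (standing
in for the network-wide tag written into ingressInterface)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int     # 6 = TCP, 17 = UDP
    dport: int
    pkts: int
    bytes: int
    circuit: str   # assumed: the unique per-interface tag from the record


def scan_sources(flows, min_targets=20):
    """Scan detection: a source reaching many distinct (dst, dport) pairs.
    Only the forward direction is needed; no reply flows, no host logs."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def scan_type_sources(flows, scanners):
    """Distinct scanning sources per (circuit, proto, dport), i.e. per
    'scan type' per circuit; this is the worm-propagation input."""
    per_type = defaultdict(set)
    for f in flows:
        if f.src in scanners:
            per_type[(f.circuit, f.proto, f.dport)].add(f.src)
    return {k: len(v) for k, v in per_type.items()}


def worm_alarms(prev, curr, ratio=5.0, min_sources=3):
    """Worm propagation: alarm when a scan type's source count grows by
    ratio x between two windows and is large enough to matter."""
    return {k: (prev.get(k, 0), n) for k, n in curr.items()
            if n >= min_sources and n >= ratio * max(prev.get(k, 0), 1)}


def udp_port_rank(flows, port, metric="bytes"):
    """Volumetric view from the slide's chart: rank of one UDP port among
    all UDP ports by flows, packets or bytes (1 = largest)."""
    per_port = defaultdict(int)
    for f in flows:
        if f.proto == 17:
            per_port[f.dport] += {"flows": 1, "packets": f.pkts,
                                  "bytes": f.bytes}[metric]
    ordered = sorted(per_port, key=per_port.get, reverse=True)
    return ordered.index(port) + 1 if port in per_port else None


def build_day(n_scanners, spike):
    """Constructed sample: background DNS/NTP/UDP-443 traffic plus
    n_scanners hosts each probing 25 destinations on UDP/2002."""
    flows = []
    for i in range(50):
        host = "198.51.100.%d" % i
        flows.append(Flow(host, "203.0.113.1", 17, 53, 2, 300, "circ-A"))
        flows.append(Flow(host, "203.0.113.2", 17, 123, 1, 76, "circ-A"))
        flows.append(Flow(host, "203.0.113.3", 17, 443, 40, 40000, "circ-A"))
    for s in range(n_scanners):
        for d in range(25):
            flows.append(Flow("192.0.2.%d" % s, "203.0.113.%d" % (10 + d),
                              17, 2002, 1, 60 * spike, "circ-A"))
    return flows


def analyze_two_days():
    """Run the detectors over two constructed days: a quiet one with a
    single scanner, then one where UDP/2002 probing takes off."""
    day1, day2 = build_day(n_scanners=1, spike=1), build_day(8, 500)
    scan1, scan2 = scan_sources(day1), scan_sources(day2)
    return {
        "scanners_day1": scan1,
        "scanners_day2": scan2,
        "rank_day1_bytes": udp_port_rank(day1, 2002),
        "rank_day2_bytes": udp_port_rank(day2, 2002),
        "rank_day2_flows": udp_port_rank(day2, 2002, "flows"),
        "worm_alarms": worm_alarms(scan_type_sources(day1, scan1),
                                   scan_type_sources(day2, scan2)),
    }


if __name__ == "__main__":
    for name, value in analyze_two_days().items():
        print(name, value)
```

Each detector keeps only small per-key counters or sets, so it can run at the point of collection on 100% of the records without first loading them into a database; the per-circuit key on the worm alarm is what the unique interface tag makes possible.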
Security Analysis Algorithms: all components are necessary
[Figure: processing chain. Stages: Data Selection / Pre-filter (output: Data subset), Details Collection & Characteristics, Anomaly Detection (output: Anomalies), Interpretation, Response Action. Other outputs shown: Alerts, Prevention or Remediation, Visualizations and Reports.]
Threat Analysis Transformation Vision
With the evolution of the Service Network to orchestrated NFVs, the data collection for threat analysis changes, providing new dynamic capabilities.

Today
  Data access: Passive Probes - static
  Data Generation: Dedicated probes (a probe / 10GE); Dedicated Appliances
  Data Files: "Collector" application, file server on dedicated servers and storage in SNRC/CO space
  Data Transport: Private IP Network
  Data Analysis: Centralized - dedicated data center

Future
  Data access: Virtual Probes in Service Network Elements (SNEs)
  Data Generation: Virtual Probes in SNEs; NFV Multipoint Probes in SNEs (described later); all the time, sampled, event driven and on-demand metadata generation
  Data Files: NFV Collectors in SNEs and VM Collectors
  Data Transport: AVPN with Orchestration
  Data Analysis: Streaming analytics on edge, data at rest analytics and chained analysis functions
Take Away Messages
IP Flow Record (Netflow) Analysis is effective
  - Stand-alone, without correlation with host logs and events
  - On unidirectional IP flows
  - Metering part of a LAG bundle
Scaling Netflow Analysis
  - Volumetric Anomaly Detection
  - Edge (at point of collection) and pre-processing
  - Everything does NOT need to be databased
The next generation networks are providing us additional security analysis capabilities AND some new challenges.
AT&T ThreatTraq Weekly Cyber Threat Report
http://techchannel.att.com/threattraq