UNIVERSITY OF TWENTE - The SimpleWeb

MEASUREMENTS

Copyright © 2005 by Aiko Pras. These sheets may be used for educational purposes.

Page 1:

OVERVIEW:

• WHAT IS BEING MEASURED?
• GOALS
• TECHNIQUES
• TOOLS

Page 2:

WHAT IS BEING MEASURED?

DELAY
• ONE-WAY
• ROUND-TRIP

DELAY VARIATION
• JITTER

THROUGHPUT
• AVERAGE
• PEAK
• CAPACITY

LOSS

Page 3:

GOALS OF MEASUREMENTS

INTRUSION DETECTION

LAWFUL INTERCEPTION

TRAFFIC ENGINEERING

NETWORK DIMENSIONING

ACCOUNTING

NETWORK TOMOGRAPHY

Page 4:

INTRUSION DETECTION - INCIDENTS - 1

NUMBER OF REPORTED INCIDENTS

(chart: reported incidents per year, 1988 to 2003, on a logarithmic scale from 1 to 1,000,000)

SOURCE: www.cert.org/stats/cert_stats.html

Page 5:

INTRUSION DETECTION - INCIDENTS - 2

ATTACK SOPHISTICATION VERSUS INTRUDER'S KNOWLEDGE

SOURCE: D1.4 SCAMPI PROJECT

• WORMS
• DDoS ATTACKS
• SPAM
• PHISHING

Page 6:

INTRUSION DETECTION - APPROACHES

DETECT BIT PATTERNS
• EXAMPLE: PUBLIC, *.EXE
• SNIFFER
• SNORT

DETECT PACKET SEQUENCES
• SNIFFER / HOST
• HORIZONTAL - VERTICAL (PORT) SCANS
• TCP CONNECTION ATTEMPTS

DETECT SUSPICIOUS BEHAVIOUR
• HOST
• (DISTRIBUTED) HONEYPOT

ANALYZE LOG FILES
• HOST
• MAIL AND WEB LOGS
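The "detect packet sequences" approach on this slide, horizontal and vertical port scans inferred from TCP connection attempts, as an added worked example that is not part of these slides: per source it counts distinct target hosts for one port (horizontal) and distinct target ports for one host (vertical) inside a time window. The SYN records, addresses, window length and threshold are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample of TCP connection attempts (SYNs seen by a sniffer or logged
# by a host): (seconds since trace start, source IP, destination IP, destination port).
# 192.0.2.77 probes port 445 on twelve hosts (horizontal scan),
# 192.0.2.88 probes twelve ports on one host (vertical scan),
# 192.0.2.5 makes two ordinary web connections (must not be flagged).
SAMPLE_SYNS = (
    [(0.1 * i, "192.0.2.77", "198.51.100.%d" % i, 445) for i in range(1, 13)]
    + [(5.0 + 0.1 * i, "192.0.2.88", "198.51.100.9", port)
       for i, port in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389))]
    + [(1.0, "192.0.2.5", "198.51.100.20", 80), (2.0, "192.0.2.5", "198.51.100.21", 443)]
)


def detect_scans(syns, window=60.0, threshold=8):
    """Flag a source as a horizontal scanner when, within one time window, it attempts
    the same destination port on at least `threshold` distinct hosts, and as a vertical
    scanner when it attempts at least `threshold` distinct ports on one host.
    Only distinct targets are counted, so retransmitted SYNs do not inflate the numbers.
    Returns a sorted list of (kind, source, target, count) alerts."""
    hosts_per_port = defaultdict(set)   # (window index, src, dport) -> {dst}
    ports_per_host = defaultdict(set)   # (window index, src, dst)   -> {dport}
    for t, src, dst, dport in syns:
        w = int(t // window)
        hosts_per_port[(w, src, dport)].add(dst)
        ports_per_host[(w, src, dst)].add(dport)

    alerts = []
    for (_, src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= threshold:
            alerts.append(("horizontal", src, dport, len(hosts)))
    for (_, src, dst), ports in ports_per_host.items():
        if len(ports) >= threshold:
            alerts.append(("vertical", src, dst, len(ports)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_SYNS):
        print(alert)
```

Fixed windows are the simplest bookkeeping but a slow scan that straddles a window boundary is split in two and may stay under the threshold on both sides; a sliding window or a per-source decaying counter closes that gap at the cost of more state.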

Page 7:

INTRUSION DETECTION - HONEYPOT

EXAMPLE: UT

Page 8:

BACKGROUND RADIATION

CATEGORIES:

NON-PRODUCTIVE:
• MISCONFIGURATIONS

MALICIOUS:
• SCANS
• WORMS
• BACKSCATTER FROM FLOODING ATTACKS
• DENIAL OF SERVICE (DOS) ATTACKS

Page 9:

BACKGROUND RADIATION

Study by Pang, Yegneswaran, Barford, Paxson & Peterson, 2004, Lawrence Berkeley National Laboratory (LBL)

Questions:
• What protocols
• What ports
• How is the variation in time
• What are the main worms

Reference: Characteristics of Internet Background Radiation, R. Pang, V. Yegneswaran, P. Barford, V. Paxson, L. Peterson, Proc. of the ACM Sigcomm Internet Measurement Conference, Taormina, Sicily, Italy, 2004

Page 10:

BACKGROUND RADIATION

Measurement approach:
• Measure traffic destined for unused Internet addresses
• Passive filtering to cope with large amounts of data
• Active responders to solicit further traffic

Traces from three locations:
• University of Wisconsin (UW)
• Lawrence Berkeley National Laboratory (LBL)
• Class A network

Page 11:

BACKGROUND RADIATION

WHAT PROTOCOLS?

Protocol   UW-1 Rate   UW-1 %   LBL-P Rate   LBL-P %   Class A Rate   Class A %
UDP          0.156      0.8%       45.2        3.8%        16.5         11.3%
ICMP         4.00       4.2%        488       39.6%         0.376        0.3%
TCP        928         95.0%        664       56.5%       130           88.5%

Page 12:

BACKGROUND RADIATION

WHAT PORTS?

TCP Port   # Packets (%)   # Source IP (%)
135            30.4%           19.1%
445            19.7%           43.4%
139            11.1%            3.2%
80              7.3%           28.7%
1025            5.8%            4.3%
2745            3.6%            3.2%
3127            3.2%            2.7%
6129            2.4%            2.2%

Page 13:

BACKGROUND RADIATION

HOW IS THE VARIATION OVER TIME?(PER PROTOCOL)

Page 14:

BACKGROUND RADIATION

HOW IS THE VARIATION OVER TIME?(PER ATTACK)

Page 15:

GOALS OF MEASUREMENTS

INTRUSION DETECTION

LAWFUL INTERCEPTION

TRAFFIC ENGINEERING

NETWORK DIMENSIONING

ACCOUNTING

NETWORK TOMOGRAPHY

Page 16:

LAWFUL INTERCEPTION

RECENT PROPOSALS IN US & EUROPE

NOVEMBER 2004, COUNCIL OF THE EU:

(a) Data necessary to trace and identify the source of a communication which includes personal details, contact information and information identifying services subscribed to.

(b) Data necessary to identify the routing and destination of a communication.

(c) Data necessary to identify the time and date and duration of a communication.

(d) Data necessary to identify the telecommunication.

(e) Data necessary to identify the communication device or what purports to be the device.

(f) Data necessary to identify the location at the start and throughout the duration of the communication.

SOURCE: http://register.consilium.eu.int/pdf/en/04/st14/st14190.en04.pdf

Page 17:

GOALS OF MEASUREMENTS

INTRUSION DETECTION

LAWFUL INTERCEPTION

TRAFFIC ENGINEERING

NETWORK DIMENSIONING

ACCOUNTING

NETWORK TOMOGRAPHY

Page 18:

TRAFFIC ENGINEERING

MODELLING OF NETWORK TRAFFIC

POISSON ARRIVAL PROCESS

GAUSSIAN TRAFFIC MODELS

SELF-SIMILARITY / LONG RANGE DEPENDENCE

HEAVY TAIL DISTRIBUTION
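An added example, not from these slides, that makes the difference between the Poisson model and the self-similar model measurable: it simulates packet counts per time slot for a Poisson arrival process and for a superposition of ON/OFF sources whose ON and OFF periods are heavy-tailed (Pareto), then estimates the Hurst parameter H with the aggregated-variance method. Under Poisson arrivals the variance of the aggregated series falls as 1/m (H = 0.5); with heavy-tailed periods it falls much more slowly (H > 0.5). The arrival rate, number of sources, tail index alpha = 1.2 and the aggregation levels are assumptions chosen for the demonstration.

```python
import math
import random


def poisson_counts(n_slots, rate, rng):
    """Packets per unit slot for a Poisson arrival process: exponential
    inter-arrival times, each arrival binned into the slot it falls in."""
    counts = [0] * n_slots
    t = rng.expovariate(rate)
    while t < n_slots:
        counts[int(t)] += 1
        t += rng.expovariate(rate)
    return counts


def heavy_tailed_onoff_counts(n_slots, n_sources, alpha, rng):
    """Superposition of ON/OFF sources; ON and OFF durations are Pareto(alpha)
    with minimum 1 slot and the source emits 1 packet per slot while ON.
    For 1 < alpha < 2 the durations have infinite variance and the aggregate
    is asymptotically self-similar with H = (3 - alpha) / 2 (assumption:
    alpha = 1.2 is used in compare_models below)."""
    counts = [0] * n_slots
    for _ in range(n_sources):
        t, on = 0, rng.random() < 0.5
        while t < n_slots:
            dur = min(int(rng.paretovariate(alpha)), n_slots - t)
            if on:
                for i in range(t, t + dur):
                    counts[i] += 1
            t += dur
            on = not on
    return counts


def aggregate(series, m):
    """The m-aggregated series: means over consecutive blocks of m slots."""
    n = len(series) // m
    return [sum(series[k * m:(k + 1) * m]) / m for k in range(n)]


def variance(xs):
    mean = sum(xs) / len(xs)
    return sum((x - mean) ** 2 for x in xs) / len(xs)


def hurst_from_variances(levels, variances):
    """Aggregated-variance estimator: Var(X^(m)) ~ m^(2H-2), so the least-squares
    slope of log Var(X^(m)) against log m is 2H - 2."""
    xs = [math.log10(m) for m in levels]
    ys = [math.log10(v) for v in variances]
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
             / sum((x - xm) ** 2 for x in xs))
    return 1.0 + slope / 2.0


def hurst_estimate(series, levels=(1, 2, 4, 8, 16, 32, 64)):
    return hurst_from_variances(levels, [variance(aggregate(series, m)) for m in levels])


def compare_models(n_slots=32768, seed=7):
    """H estimates for a Poisson trace (rate 10 packets/slot, assumed) and for
    20 heavy-tailed ON/OFF sources (alpha = 1.2, assumed); seeded for repeatability."""
    rng = random.Random(seed)
    h_poisson = hurst_estimate(poisson_counts(n_slots, 10.0, rng))
    h_heavy = hurst_estimate(heavy_tailed_onoff_counts(n_slots, 20, 1.2, rng))
    return h_poisson, h_heavy


if __name__ == "__main__":
    h_poisson, h_heavy = compare_models()
    print("Poisson arrivals:       H = %.2f" % h_poisson)
    print("heavy-tailed ON/OFF:    H = %.2f" % h_heavy)
```

The practical consequence for dimensioning is the one the next slides illustrate: averaging a self-similar trace over longer intervals does not smooth it out the way it smooths Poisson traffic, so buffer and link sizing based on a Poisson assumption underestimates the burstiness seen at every time scale.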

Page 19:

TRAFFIC ENGINEERING - SELF SIMILARITY

SOURCE: Traffic Characterisation for Telecommunication Networks, Attila Vidács, Zsolt Kenesi, Ákos Rétfalvi, Péter Pozsgai, Sándor Molnár - BUTE, Budapest, 1999

(figure: panels (e) to (h), traffic versus time at four time scales: 1800 sec, 180 sec, 18 sec and 1.8 sec)

Page 20:

TRAFFIC ENGINEERING - SELF SIMILARITY

SOURCE: Traffic Characterisation for Telecommunication Networks, Attila Vidács, Zsolt Kenesi, Ákos Rétfalvi, Péter Pozsgai, Sándor Molnár - BUTE, Budapest, 1999

(figure: panels (a) to (d) and (e) to (h), traffic versus time at four time scales: 1800 sec, 180 sec, 18 sec and 1.8 sec)

Page 21:

TRAFFIC ENGINEERING - SELF SIMILARITY

SOURCE: On the self-similar nature of Ethernet traffic (extended version), W.E. Leland, M.S. Taqqu, W. Willinger, D.V. Wilson - IEEE/ACM Transactions on Networking, 1994

(figure: packets per time unit over 1000 time units at five time scales: (a) time unit = 100 seconds, (b) 10 seconds, (c) 1 second, (d) 0.1 second, (e) 0.01 second)

Page 22:

GOALS OF MEASUREMENTS

INTRUSION DETECTION

LAWFUL INTERCEPTION

TRAFFIC ENGINEERING

NETWORK DIMENSIONING

ACCOUNTING

NETWORK TOMOGRAPHY

Page 23:

NETWORK DIMENSIONING

CAPACITY OF LINKS

5 MIN. MRTG - 1 SECOND

Page 24:

GOALS OF MEASUREMENTS

INTRUSION DETECTION

LAWFUL INTERCEPTION

TRAFFIC ENGINEERING

NETWORK DIMENSIONING

ACCOUNTING

NETWORK TOMOGRAPHY

Page 25:

ACCOUNTING

RADIUS

STOP:
• CURRENT TIME
• SESSION TIME
• INPUT OCTETS
• OUTPUT OCTETS
• INPUT PACKETS
• OUTPUT PACKETS
• DISCONNECT REASON
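An added example, not from these slides, of the Accounting-Stop record listed above carried as a RADIUS Accounting-Request (RFC 2866): the counters are encoded as attributes, the Request Authenticator is computed over the packet and the shared secret, and the collector recomputes it before any counter is trusted. The user, session values, NAS address and shared secret are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS accounting (RFC 2866) packet code and the attribute types of a Stop record.
ACCOUNTING_REQUEST = 4
ACCT_STATUS_STOP = 2
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Acct-Status-Type": 40,
        "Acct-Input-Octets": 42, "Acct-Output-Octets": 43, "Acct-Session-Id": 44,
        "Acct-Session-Time": 46, "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
        "Acct-Terminate-Cause": 49, "Event-Timestamp": 55}
ATTR_NAME = {v: k for k, v in ATTR.items()}
STRING_ATTRS = {1, 44}     # text values
ADDRESS_ATTRS = {4}        # IPv4 address; everything else here is a 32-bit integer


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value TLVs; Length covers the whole TLV."""
    out = b""
    for name, value in attrs.items():
        t = ATTR[name]
        if t in STRING_ATTRS:
            v = value.encode()
        elif t in ADDRESS_ATTRS:
            v = bytes(int(x) for x in value.split("."))
        else:
            v = struct.pack("!I", value)
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return out


def build_accounting_request(identifier, attrs, secret):
    """Code, Identifier, Length, Request Authenticator, attributes. The authenticator
    is MD5 over the packet with 16 zero bytes in its place followed by the shared
    secret, so the collector can check that the sender knew the secret."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + authenticator + body


def verify_and_parse(packet, secret):
    """Recompute the Request Authenticator before trusting any counter: a mismatch
    means a wrong secret, a forged packet or a packet from an unknown NAS."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("Request Authenticator mismatch: wrong secret or forged packet")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")   # never loop on a zero length
        t, l = body[pos], body[pos + 1]
        v = body[pos + 2:pos + l]
        name = ATTR_NAME.get(t, "Attr-%d" % t)
        if t in STRING_ATTRS:
            attrs[name] = v.decode()
        elif t in ADDRESS_ATTRS:
            attrs[name] = ".".join(str(b) for b in v)
        else:
            attrs[name] = int.from_bytes(v, "big")
        pos += l
    return identifier, attrs


# Constructed Stop record for one session: the fields listed on the slide.
STOP_RECORD = {
    "User-Name": "alice", "NAS-IP-Address": "192.0.2.1", "Acct-Session-Id": "5A3F0001",
    "Acct-Status-Type": ACCT_STATUS_STOP, "Event-Timestamp": 1700000000,
    "Acct-Session-Time": 3600, "Acct-Input-Octets": 1234567, "Acct-Output-Octets": 7654321,
    "Acct-Input-Packets": 2345, "Acct-Output-Packets": 3456, "Acct-Terminate-Cause": 1,
}
SECRET = b"constructed-shared-secret"


def demo():
    """Build the Stop request, verify it with the right secret, reject it with a wrong one."""
    packet = build_accounting_request(17, STOP_RECORD, SECRET)
    identifier, attrs = verify_and_parse(packet, SECRET)
    try:
        verify_and_parse(packet, b"wrong-secret")
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return identifier, attrs, forged_accepted
```

The authenticator only binds the record to whoever holds the secret; it does not encrypt anything, and a collector that accepts accounting from any source address with a weak secret can have session counters injected or replayed, which matters when those counters feed billing.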

Page 26:

GOALS OF MEASUREMENTS

INTRUSION DETECTION

LAWFUL INTERCEPTION

TRAFFIC ENGINEERING

NETWORK DIMENSIONING

ACCOUNTING

NETWORK TOMOGRAPHY

Page 27:

NETWORK TOMOGRAPHY

EXAMPLE: GEO-LOCATION OF INTERNET HOSTS

SOURCE: Constraint-Based Geolocation of Internet Hosts - B. Gueye, A. Ziviani, M. Crovella, S. Fdida, Proc. of the ACM Sigcomm Internet Measurement Conference, 2004

(figure: cumulative probability (0 to 1) versus error distance (0 to 600 km) for CBG and GeoPing)

Page 28:

BANDWIDTH ESTIMATION

(figure: narrow link, interval)

Page 29:

BANDWIDTH ESTIMATION

(figure: narrow link, interval, delay x)

Page 30:

TECHNIQUES

ACTIVE MEASUREMENTS
• PING
• TRACEROUTE
• TCP/IP HEADER OPTIONS
• RIPE / SURVEYOR

PASSIVE MEASUREMENTS
• PACKET CAPTURING
• TCPDUMP / NETFLOW / NETRAMET
• MIBs

PACKET SAMPLING
• TRAJECTORY SAMPLING

Page 31:

EXAMPLE: MEASUREMENT CARDS

Page 32:

EXAMPLE: TCPDUMP

CAN BE USED TO CAPTURE NETWORK TRAFFIC

NOT ONLY TCP

MANY CAPTURE OPTIONS AND FILTERS

MANY DISPLAY OPTIONS

PACKET CAPTURE (PCAP) LIBRARY

Page 33:

EXAMPLE: WIRESHARK

Page 34:

EXAMPLE: NETFLOW

• CISCO
• IETF-IPFIX

FLOW:
• SOURCE IP ADDRESS
• DESTINATION IP ADDRESS
• SOURCE PORT NUMBER
• DESTINATION PORT NUMBER
• LAYER 3 PROTOCOL TYPE
• TOS BYTE
• INPUT LOGICAL INTERFACE (IFINDEX)

Page 35:

EXAMPLE: NETFLOW

SOURCE: http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm

Page 36:

EXAMPLE: NETFLOW

Page 37:

EXAMPLE: NETFLOW V9 (1)

SOURCE: http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm#wp1002063

EXPORT PACKET:
  IP HEADER
  UDP HEADER
  NETFLOW HEADER: VERSION, COUNT, SYSTEM UPTIME, UNIX SECONDS, PACKAGE SEQUENCE, SOURCE ID
  TEMPLATE FLOWSET
  DATA FLOWSET
  DATA FLOWSET
  ...

TEMPLATE FLOWSET:
  FLOWSET ID
  LENGTH
  TEMPLATE:
    TEMPLATE ID
    FIELD COUNT
    FIELD TYPE, FIELD LENGTH
    FIELD TYPE, FIELD LENGTH
    ...

Page 38:

EXAMPLE: NETFLOW V9 (2)

SOURCE: http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm#wp1002063

EXPORT PACKET:
  IP HEADER
  UDP HEADER
  NETFLOW HEADER
  TEMPLATE FLOWSET
  DATA FLOWSET
  DATA FLOWSET
  ...

DATA FLOWSET:
  FLOWSET ID
  LENGTH
  RECORDS:
    RECORD 1 - FIELD 1
    RECORD 1 - FIELD 2
    ...
    RECORD 1 - FIELD N
    RECORD 2 - FIELD 1
    RECORD 2 - FIELD 2
    ...
    RECORD 2 - FIELD N
    ...
  PADDING
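An added example, not from these slides and not Cisco's code, of the two FlowSet layouts on the previous two slides: a NetFlow v9 export packet is built with one Template FlowSet and one Data FlowSet, then decoded with a template cache keyed by source id and template id. The point the layout forces on a collector is that a Data FlowSet can only be interpreted after its template has arrived, so the cache must persist across packets and unknown templates must be skipped rather than guessed. The field list, the flow values and the header values are constructed; the field type numbers are the standard v9 ones.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field types used here (standard numbers from the v9 export format).
FIELD_TYPES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
HEADER = struct.Struct("!HHIIII")   # version, count, system uptime, unix seconds, package sequence, source id
FLOWSET_HDR = struct.Struct("!HH")  # flowset id, length in bytes including this header


def encode_value(name, value, length):
    if name.endswith("ADDR"):
        value = int(IPv4Address(value))
    return int(value).to_bytes(length, "big")


def build_template_flowset(template_id, fields):
    """Template FlowSet: FlowSet ID 0, then Template ID, Field Count and (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return FLOWSET_HDR.pack(0, FLOWSET_HDR.size + len(body)) + body


def build_data_flowset(template_id, fields, flows):
    """Data FlowSet: FlowSet ID = Template ID, records laid out as the template says, padded to 4 bytes."""
    body = b"".join(encode_value(FIELD_TYPES[t], flow[FIELD_TYPES[t]], l)
                    for flow in flows for t, l in fields)
    pad = (-(FLOWSET_HDR.size + len(body))) % 4
    return FLOWSET_HDR.pack(template_id, FLOWSET_HDR.size + len(body) + pad) + body + bytes(pad)


def build_packet(flowsets, count, source_id=1, sequence=42):
    """count = number of template + data records in the packet (constructed uptime/time values)."""
    return HEADER.pack(9, count, 123456, 1700000000, sequence, source_id) + b"".join(flowsets)


def parse_packet(data, template_cache):
    """Decode one export packet. template_cache maps (source id, template id) to a field
    list and must persist across packets: templates are only sent periodically."""
    version, count, uptime, secs, sequence, source_id = HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    records, skipped, off = [], 0, HEADER.size
    while off + FLOWSET_HDR.size <= len(data):
        fs_id, fs_len = FLOWSET_HDR.unpack_from(data, off)
        if fs_len < FLOWSET_HDR.size or off + fs_len > len(data):
            raise ValueError("bad FlowSet length")     # guards against a zero-length loop and truncation
        body = data[off + FLOWSET_HDR.size:off + fs_len]
        if fs_id == 0:                                 # Template FlowSet, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if nfields == 0:                       # trailing padding, not a template
                    break
                if pos + 4 + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                template_cache[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id > 255:                              # Data FlowSet; ids 1..255 are reserved (1 = options template)
            fields = template_cache.get((source_id, fs_id))
            if fields is None:
                skipped += 1                           # template not seen yet: cannot decode, do not guess
            else:
                rec_len = sum(l for _, l in fields)
                pos = 0
                while pos + rec_len <= len(body):      # the < 4 bytes of padding are left over
                    record = {}
                    for t, l in fields:
                        name = FIELD_TYPES.get(t, "type_%d" % t)
                        value = int.from_bytes(body[pos:pos + l], "big")
                        record[name] = str(IPv4Address(value)) if name.endswith("ADDR") else value
                        pos += l
                    records.append(record)
        off += fs_len
    return {"sequence": sequence, "source_id": source_id, "records": records, "skipped_flowsets": skipped}


FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
FLOWS = [   # constructed flows: two connection attempts to TCP/445 from one host
    {"IPV4_SRC_ADDR": "192.0.2.10", "IPV4_DST_ADDR": "198.51.100.5", "L4_SRC_PORT": 51515,
     "L4_DST_PORT": 445, "PROTOCOL": 6, "IN_PKTS": 3, "IN_BYTES": 180},
    {"IPV4_SRC_ADDR": "192.0.2.10", "IPV4_DST_ADDR": "198.51.100.6", "L4_SRC_PORT": 51516,
     "L4_DST_PORT": 445, "PROTOCOL": 6, "IN_PKTS": 1, "IN_BYTES": 60},
]


def demo():
    cache = {}
    data_fs = build_data_flowset(256, FIELDS, FLOWS)
    first = parse_packet(build_packet([data_fs], len(FLOWS), sequence=42), cache)          # data before template
    second = parse_packet(build_packet([build_template_flowset(256, FIELDS), data_fs],
                                       len(FLOWS) + 1, sequence=43), cache)                   # template, then data
    return first, second
```

Two further checks belong in a real collector: a gap in the package sequence per source id means export packets were lost in the UDP transport, and since nothing in the packet authenticates the exporter, the collector should only accept packets from the configured exporter addresses.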

Page 39:

EXAMPLE: NETFLOW V9 (3)

SOURCE: http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm#wp1002063