large scale geolocation for netflow
play

Large-Scale Geolocation for NetFlow Pavel eleda, Petr Velan, Martin - PowerPoint PPT Presentation

Oct 29, 2022 •37 likes •297 views

Large-Scale Geolocation for NetFlow Pavel eleda, Petr Velan, Martin Rbek Rick Hofstede, Aiko Pras {celeda|velan|xrabek1}@ics.muni.cz, {r.j.hofstede|a.pras}@utwente.nl IFIP/IEEE IM 2013, 27-31 May 2013, Ghent, Belgium Part I Introduction

  1. Large-Scale Geolocation for NetFlow Pavel Čeleda, Petr Velan, Martin Rábek Rick Hofstede, Aiko Pras {celeda|velan|xrabek1}@ics.muni.cz, {r.j.hofstede|a.pras}@utwente.nl IFIP/IEEE IM 2013, 27-31 May 2013, Ghent, Belgium

  2. Part I Introduction Pavel Čeleda Large-Scale Geolocation for NetFlow 2 / 22

  3. Motivation and R&D Goals – I : SURFmap - a Network Monitoring Tool Based on the Google Maps API. Pavel Čeleda Large-Scale Geolocation for NetFlow 3 / 22

  4. Motivation and R&D Goals – II How flow-based geolocation can be performed in a large-scale? exporter-based approach, collector-based approach. How can we benefit from geolocation data in flow records? traffic engineering, traffic profiling, anomaly detection. Pavel Čeleda Large-Scale Geolocation for NetFlow 4 / 22

  5. Part II Architecture Pavel Čeleda Large-Scale Geolocation for NetFlow 5 / 22

  6. Exporter-Based Geolocation Packets NetFlow v9 Input Export Flow cache Pavel Čeleda Large-Scale Geolocation for NetFlow 6 / 22

  7. Exporter-Based Geolocation Packets NetFlow v9 Input Export Flow cache Geolocated Flows flows GeoPlugin Pavel Čeleda Large-Scale Geolocation for NetFlow 6 / 22

  8. Exporter-Based Geolocation Packets NetFlow v9 Input Export Flow cache Geolocated Flows flows GeoPlugin exporter filter plugin for IP address geolocation, NetFlow v9 template mapping – GEO data to AS fields SRC_AS=*SRC_GEO, DST_AS=*DST_GEO , AS mapping → transparent to any flow collector. Pavel Čeleda Large-Scale Geolocation for NetFlow 6 / 22

  9. MaxMind GeoLite Country Database MaxMind GeoLite – free off-line country database, C-API for IPv4/IPv6 geolocation. 16 Standard 14 Memory cache 12 Check cache Queries/s (x 10 6 ) MMAP cache 10 8 6 4 2 0 IPv4 IPv6 : IPv4/IPv6 geolocation database performance. Pavel Čeleda Large-Scale Geolocation for NetFlow 7 / 22

  10. Collector-Based Geolocation Data collection NetFlow nfcapd v5, v9 Geolocation patch for NFDUMP and NfSen toolset, native geolocation support for any NetFlow v5/v9, IPFIX data. Pavel Čeleda Large-Scale Geolocation for NetFlow 8 / 22

  11. Collector-Based Geolocation Data collection NetFlow nfcapd Storage v5, v9 Geolocation patch for NFDUMP and NfSen toolset, native geolocation support for any NetFlow v5/v9, IPFIX data. Pavel Čeleda Large-Scale Geolocation for NetFlow 8 / 22

  12. Collector-Based Geolocation Data collection Data processing NetFlow Top-N stats nfcapd Storage nfdump v5, v9 Aggregation Filtering Geolocation Raw data NfSen Web UI (profiles) nfprofile patch for NFDUMP and NfSen toolset, native geolocation support for any NetFlow v5/v9, IPFIX data. Pavel Čeleda Large-Scale Geolocation for NetFlow 8 / 22

  13. NFDUMP Database Extension #15 – Country Code Flow Record: Flags = 0x06 Unsampled size = 80 first = 1348387461 [2012-09-23 10:04:21] last = 1348387462 [2012-09-23 10:04:22] msec_first = 890 msec_last = 100 src addr = 23.63.79.144 dst addr = 147.251.170.165 src port = 80 dst port = 57046 tcp flags = 0x1a .AP.S. proto = 6 (in)packets = 4 (in)bytes = 936 input = 5 src as = 20940 dst as = 2852 in src mac = 00:0e:38:5e:30:c0 out dst mac = 00:1e:be:8b:26:c0 src ctry = 840 ... ISO 3166-1 country code - US dst ctry = 203 ... ISO 3166-1 country code - CZ Pavel Čeleda Large-Scale Geolocation for NetFlow 9 / 22

  14. NFDUMP Flow Listing a) numeric code – %scc %dcc ������������������������������������������������������������������������ �������� 194.228.29.173:0 ���������� 147.251.48.205:3.13 ����������������� ������� 147.251.210.106:51885 ������� 69.171.227.59:443 ������������������ ��������� 151.40.40.243:15833 ������ 147.251.79.246:49159 ���������������� �������� 157.55.235.165:40040 ������ 147.251.215.10:49464 ���������������� �������� 147.251.170.77:59408 �������� 89.79.20.120:18973 ���������������� b) alpha-2 code – %sccan %dccan ������������������������������������������������������������������������ �������� 194.228.29.173:0 ���������� 147.251.48.205:3.13 ����������������� ������� 147.251.210.106:51885 ������� 69.171.227.59:443 ������������������ ��������� 151.40.40.243:15833 ������ 147.251.79.246:49159 ���������������� �������� 157.55.235.165:40040 ������ 147.251.215.10:49464 ���������������� �������� 147.251.170.77:59408 �������� 89.79.20.120:18973 ���������������� Usage example nfdump -M /data/nfsen/profiles-data/live/p3000:p3001 \ -r 2012/09/23/nfcapd.201209231005 \ -o ’fmt:%pr %sap -> %dap %sccan %dccan’ -m -c 20 Pavel Čeleda Large-Scale Geolocation for NetFlow 10 / 22

  15. NFDUMP Geofiltering Geofiltering country filter syntax is similar to other NFDUMP filters syntax : ctry [comp] <num> , country can be compared to a list (red-black tree) of country codes, syntax : ctry in [ <ctrylist> ] , filters are often used for traffic profilling in NfSen. Usage example nfdump -M /data/nfsen/profiles-data/live/p3000:p3001 \ -r 2012/09/23/nfcapd.201209232035 -c 5 \ ’src ctry 203 and not dst ctry in [ 203 840 166 ]’ Pavel Čeleda Large-Scale Geolocation for NetFlow 11 / 22

  16. NfSen Geoprofiling : Screenshot of collector-based geolocation prototype. Pavel Čeleda Large-Scale Geolocation for NetFlow 12 / 22

  17. Part III Use Case I – Traffic Profiling Pavel Čeleda Large-Scale Geolocation for NetFlow 13 / 22

  18. Geolocated and Non-geolocated ICMP Traffic – I 150 (1) IN 100 50 Packets/s 0 -50 (2) (3) (4) -100 OUT In Out -150 00:00 02:00 04:00 06:00 08:00 10:00 12:00 : ICMP traffic. Pavel Čeleda Large-Scale Geolocation for NetFlow 14 / 22

  19. Geolocated and Non-geolocated ICMP Traffic – II 150 (1) IN 100 50 Packets/s 0 -50 (2) (3) (4) -100 OUT UA US Other CZ -150 00:00 02:00 04:00 06:00 08:00 10:00 12:00 : Geolocated ICMP traffic. Pavel Čeleda Large-Scale Geolocation for NetFlow 15 / 22

  20. Distribution of HTTPS Traffic over Countries – I 150 IN 100 50 Flows/s 0 -50 -100 -150 OUT US CZ Other -200 : HTTPS flows/s. Pavel Čeleda Large-Scale Geolocation for NetFlow 16 / 22

  21. Part IV Use Case II – Anomaly Detection Pavel Čeleda Large-Scale Geolocation for NetFlow 17 / 22

  22. Bad Neighboring Countries 300 All countries China 250 200 Flows/s 150 100 50 0 00:00 06:00 12:00 18:00 00:00 : Incoming TCP SYN-only flows. Pavel Čeleda Large-Scale Geolocation for NetFlow 18 / 22

  23. UDP DoS Attack 2000 IN 0 -2000 Packets/s -4000 -6000 -8000 -10000 OUT -12000 DNS In/Out US DNS In/Out 18:00 19:00 20:00 21:00 22:00 23:00 00:00 : UDP DoS attack from infected Linux machine. Pavel Čeleda Large-Scale Geolocation for NetFlow 19 / 22

  24. Part V Conclusion Pavel Čeleda Large-Scale Geolocation for NetFlow 20 / 22

  25. Conclusion Summary country-level information in flow data, native geolocation support for NfSen/NFDUMP, pilot geo-prototype deployment at MU – CESNET link. Future Work IPFIX-compliant prototype for exporter-based geolocation, ipfixcol – AS and GEO support implementation, AS + GEO data for traffic profiling and anomaly detection. Pavel Čeleda Large-Scale Geolocation for NetFlow 21 / 22

  26. Thank You For Your Attention! Large-Scale Geolocation for NetFlow P. Čeleda, P. Velan, M. Rábek {celeda|velan|rabek}@ics.muni.cz R. Hofstede, A. Pras {r.j.hofstede|a.pras}@utwente.nl Geolocation Toolset http://www.muni.cz/research/publications/1090804 Pavel Čeleda Large-Scale Geolocation for NetFlow 22 / 22

Recommend

Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam

Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam

Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam Supervisor: Wim Biemolt (SURFnet) February 5, 2018 Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 1 / 24

533 views • 24 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&amp;A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
Geolocation Jay Urbain, PhD Credits: http://www.w3schools.com Jpassion.com Dr. Mark

Geolocation Jay Urbain, PhD Credits: http://www.w3schools.com Jpassion.com Dr. Mark

Geolocation Jay Urbain, PhD Credits: http://www.w3schools.com Jpassion.com Dr. Mark Hornick 1 What is Geolocation? Built-in browser functionality that lets you make a web application location-aware Geographic

198 views • 18 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides
Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Census: Location-Aware Membership Management for Large-Scale Distributed Systems James Cowling Dan R. K. Ports Barbara Liskov Raluca Ada Popa Abhijeet Gaikwad* MIT CSAIL *cole Centrale Paris Motivation Large-scale distributed systems

606 views • 48 slides
Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale electronic voting protocol: Primarily Internet-based Users voting from their own devices (such as home PC/laptop) Aimed toward actual

721 views • 21 slides
Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame Yahiaoui Outlook BGP: Border Gateway Protocol Large Scale Simulation: motivations Large Scale BGP Simulation Model Realistic Topologies

550 views • 17 slides
E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale Information Access Technologies Evaluation and Testing Evaluation and Testing Noriko Kando Noriko Kando National Institute of Informatics, Japan

632 views • 61 slides
Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and

Large-Scale Machine Learning at Twitter 2 Large-Scale Machine Learning at Twitter Jimmy Lin and Alek Kolcz Twitter, Inc. 1 Image source:google.com/images Large-Scale Machine Learning at Twitter Outline Outline Is twitter big data?

582 views • 40 slides
Dude, wheres that IP? Circumventing measurement-based IP geolocation Phillipa Gill Presented

Dude, wheres that IP? Circumventing measurement-based IP geolocation Phillipa Gill Presented

Dude, wheres that IP? Circumventing measurement-based IP geolocation Phillipa Gill Presented By: Yashar Ganjali Sanaa Taha Bernard Wong University of Waterloo David Lie Outline Introduction IP-to-Location Mapping Geolocation

559 views • 25 slides
Large Scale I nternational I Pv6 Pilot Large Scale I nternational I Pv6 Pilot Network (6NET)

Large Scale I nternational I Pv6 Pilot Large Scale I nternational I Pv6 Pilot Network (6NET)

Large Scale I nternational I Pv6 Pilot Large Scale I nternational I Pv6 Pilot Network (6NET) Network (6NET) Athanassios Liakopoulos (aliako@grnet.gr) Greek Research &amp; Technology Network (GRNET) I I I Global I Pv6 Summit November 2004

638 views • 37 slides
INFRASTRUCTURE 2110414 Large Scale Computing Systems Natawut Nupairoj, Ph.D. Outline 2

INFRASTRUCTURE 2110414 Large Scale Computing Systems Natawut Nupairoj, Ph.D. Outline 2

2110414 - Large Scale Computing Systems 1 LARGE SCALE INFRASTRUCTURE 2110414 Large Scale Computing Systems Natawut Nupairoj, Ph.D. Outline 2 Overview Hardware Virtualization Storage Technology 2110414 - Large Scale Computing

512 views • 29 slides
A large-scale chemical data integration system Gaia Paolini Pfizer Confidential 1 Large-Scale

A large-scale chemical data integration system Gaia Paolini Pfizer Confidential 1 Large-Scale

A large-scale chemical data integration system Gaia Paolini Pfizer Confidential 1 Large-Scale Chemical Data Integration Summary Current situation Business case Aims The design process Functionality Applications

261 views • 25 slides
Very Large Scale Neighborhoods Weighted Matching Neighborhoods Cyclic Exchange Neighborhoods

Very Large Scale Neighborhoods Weighted Matching Neighborhoods Cyclic Exchange Neighborhoods

Outline DM811 HEURISTICS AND LOCAL SEARCH ALGORITHMS FOR COMBINATORIAL OPTIMZATION 1. Very Large Scale Neighborhoods Variable Depth Search Ejection Chains Lecture 11 Dynasearch Very Large Scale Neighborhoods Weighted Matching Neighborhoods

202 views • 9 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
Cosmic Calibration Katrin Heitmann Statistical Challenges for Large-Scale Structure in the Era of

Cosmic Calibration Katrin Heitmann Statistical Challenges for Large-Scale Structure in the Era of

Cosmic Calibration Katrin Heitmann Statistical Challenges for Large-Scale Structure in the Era of LSST Oxford , April 18, 2018 Cosmological Constraints Large Scale Simulations Cosmic Emulation Cosmic Emulators Large Synoptic Survey Telescope

944 views • 32 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides

More recommend