zurich, 14 april 2005 · • are there viruses or worms being spread in the network? • is...
TRANSCRIPT
![Page 1: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/1.jpg)
Sven Ubik, CESNETZurich, 14 April 2005
Lobster project
![Page 2: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/2.jpg)
General purpose of network monitoring:
1. What the network does with user traffic?
2. What is the current state of the network?
3. Is there some problem in the network?
Network monitoring
![Page 3: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/3.jpg)
• How long it takes to transport user data?
• How many packets get lost?
• What is available bandwidth and how it fluctuates?
• Why is my TCP connection slow on this fast network?
• What applications are people using most? (is our academic
network loaded by sharing movies?)
• What is the performance of the DNS system?
• Are there viruses or worms being spread in the network?
• Is somebody doing some computer network attack?
Monitoring questions …
![Page 4: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/4.jpg)
Active monitoring is a probe into the network
• What is travelling next to the probe?
• Is the probe experiencing the same trip as others?
Passive monitoring is a watch
• I can see everything, but what can I analyse from it?
Active vs. passive
![Page 5: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/5.jpg)
• How long it takes to transport user data?
• How many packets get lost?
• What is available bandwidth and how it fluctuates?
• Why is my TCP connection slow on this fast network?
• What applications are people using most? (is our academic
network loaded by sharing movies?)
• What is the performance of the DNS system?
• Are there viruses or worms being spread in the network?
• Is somebody doing some computer network attack?
Active vs. passive
![Page 6: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/6.jpg)
SCAMPI: Scaleable monitoring platform for the Internet
IST project (April 2002 – March 2005)
• to develop programmable monitoring hardware
• to provide platform for easy writing of portablemonitoring applications
Scampi
![Page 7: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/7.jpg)
LOBSTER: Large Scale Monitoring ofBroadband Internet Infrastructure
Specific Support Action (2005-2006)
• Deploy pilot passive monitoringarchitecture
• Add configurable anonymization
• Add support for distributed monitoring
Lobster
![Page 8: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/8.jpg)
Lobster network
![Page 9: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/9.jpg)
• Detection of security attacksintrusion and DoS attacks
• Characterization of traffic using dynamic portsfile sharing, etc.
• Short-timescale bandwidthcontinuous, precise, non-intrusive used/available bw.
• Packet loss ratefor real contracted traffic
• Providing packet trace repositoryfor researchers
Passive applications
![Page 10: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/10.jpg)
SCAMPI architecture
![Page 11: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/11.jpg)
Scampi card, DAG card with coprocessor:
• Header filtering
• Packet sampling
• Time and length statistics
• Payload searching
Possibilities and software support differ in many details
for Scampi card and DAG card
Hardware offloading
![Page 12: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/12.jpg)
• Flow - all packets from one monitoring point with appliedsequence of monitoring functions
• Application - can open multiple flows
• mapid - automatically decides between hardware or softwareimplementation
• One mapid can support multiple applications
Flows and MAPI functions
![Page 13: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/13.jpg)
fd = mapi_create_flow("/dev/scampi/0");
mapi_apply_function(fd, "BPF_FILTER", "src net 192.168.1.0/24");mapi_apply_function(fd, "STR_SEARCH", "virus");fid = mapi_apply_function(fd, "PKT_COUNTER");
mapi_connect(fd);
while(1) {sleep(5);cnt = mapi_read_results(fd, fid, MAPI_REF);printf("Packets with virus: %d\n", *cnt);
}
Example application
![Page 14: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/14.jpg)
BPF_FILTER header filteringPKT_COUNTER packet counterBYTE_COUNTER byte counterSTR_SEARCH payload searchingTO_BUFFER reading packetsSAMPLE packet samplingHASHSAMP hash-based packet samplingTO_FILE storing packet trace to diskETHEREAL ethereal-based filteringHASH packet hash computingCOOKING TCP/IP reassemblyBUCKET divides packets into buckets based on their
timestampsTHRESHOLD signals when a threshold is reached
MAPI functions
![Page 15: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/15.jpg)
DiMAPI – Distributed MAPI
• Scope – a set of remote monitoring sensors
• Flow – can span a scope
• DiMAPI monitoring functions:
a) Can be passed to monitoring sensorse.g., header filtering
b) Can be applied to a scope as the wholee.g., aggregation or distance-based metrics
![Page 16: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/16.jpg)
Required anonymization
![Page 17: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/17.jpg)
mapi_apply_function(fd, “ANONYMIZE”, protocol, field, function, args);
Anonymization options
STRIPHASHEDRANDOMMAPMAP_DISTRIBUTIONPREFIX_PRESERVING
• first tier anonymization (common to all flows, preferably in HW)
• second tier anonymization (flow-specific)
![Page 18: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/18.jpg)
Anonymization, cont
5
![Page 19: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/19.jpg)
Credential example
Authorizer: "RSA:abc123" # Admin’s key Licensees: "RSA:xyz999" # User’s keyConditions: ANONYMIZE == “defined” &&
ANONYMIZE.0.pos == 0 &&ANONYMIZE.0.param.0 == IP &&ANONYMIZE.0.param.1 == SRC_IP &&ANONYMIZE.0.param.2 == PREFIX_PRESERVING &&ANONYMIZE.1.pos == 1 &&ANONYMIZE.1.param.0 == IP &&ANONYMIZE.1.param.1 == DST_IP &&ANONYMIZE.1.param.2 == PREFIX_PRESERVING && ANONYMIZE.2.pos == 0 &&ANONYMIZE.2.param.0 == TCP &&ANONYMIZE.2.param.1 == PAYLOAD &&ANONYMIZE.2.param.2 == STRIP;
Signature: "RSA-SHA1:213344f9"
anonymizesource IP
anonymizedestination IP
removepayload
![Page 20: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/20.jpg)
• Project website http://www.ist-lobster.org
• Subscribe to [email protected]
• Lobster tutorial on RIPE 50 meeting, Stockholm, 6 May 2005
• 1st Lobster workshop on TNC2005, Poznan, 7 June 2005
Thank you for your attention
Lobster resources
![Page 21: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/21.jpg)
![Page 22: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/22.jpg)
Famous worm outbreaks:– Summer 2001: CODE RED worm• Infected 350,000 computers in 24 hours– January 2003: Sapphire/Slammerworm• Infected 75,000 computers in 30 minutes– March 2004: Witty Worm• Infected 20,000 computers in 60 minutes
![Page 23: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/23.jpg)
Interest in cooperation with Lobster
![Page 24: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/24.jpg)
• Research organizations– ICS-FORTH, Greece– Vrije University, The Netherlands– TNO Telecom, The Netherlands
• NRNs/ISPs, associations– CESNET, Czech Republic– UNINETT, Norway– FORTHNET, Greece– TERENA, The Netherlands
• Industrial partners– ALCATEL, France– Endace, UK
Lobster partners
![Page 25: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/25.jpg)
Can we start response BEFORE allcomputers havebeen infected? Yes! But we need:• Smart Internet traffic monitoring sensors– Capable of detecting new worms• Distributed infrastructure ofInternet traffic sensors– More sensitive to attacks– pinpoint attacks as soon as theyemerge– Spread information about newworms fast
![Page 26: Zurich, 14 April 2005 · • Are there viruses or worms being spread in the network? • Is somebody doing some computer network attack? Active vs. passive. SCAMPI: Scaleable monitoring](https://reader033.vdocument.in/reader033/viewer/2022050501/5f93e0e30df68734374cc8a6/html5/thumbnails/26.jpg)
69% of the traffic isunaccounted-for