Network Monitoring System In CSTNET

Long Chun

China Science & Technology Network

2

Agenda

Introduction of Peakflow SP1

Basic Traffic Analysis2

BGP Analysis Function3

4

1

44 Role of Peakflow SP in Security Area4

4

3

Peakflow SP Platform

Infrastructure Security DoS/worm detection Traceback Analysis Mitigation

Infrastructure Security DoS/worm detection Traceback Analysis Mitigation

Traffic and Routing Routing management Transit/peering mgmt Customer accounting Backbone mgmt

Traffic and Routing Routing management Transit/peering mgmt Customer accounting Backbone mgmt

Converged Platform Device Infrastructure Security

Traffic and Routing Analysis

Converged Platform Device Infrastructure Security

Traffic and Routing Analysis

Managed Services Device Customer facing DoS detection and mitigation

Managed Services Device Customer facing DoS detection and mitigation

4

Intel 2U Servers

Peakflow Network Appliances

Measurement Collect Netflow, Cflow, Sflow, SNMP and optionally B

GP information from network routers/devices

Deployment Monitor up to 5 routers per Peakflow Device Up to 15 devices managed by controller

Reporting Reports available on controller through CLI or GUI Notifications via email, snmp, or syslog

Collector – collect data from routers, baseline traffic, detect anomalies.

Controller –aggregate data from other devices; create a central network-wide view

5

Netflow

Peakflow examines NetFlow packets that are generated by the router or switch as traffic is forwarded. The NetFlow is analyzed to benchmark network behavior and identify anomalies.

6

Topology

7

Agenda

Introduction of Peakflow SP1

Basic Traffic Analysis2

BGP Analysis Function3

4

1

44 Role of Peakflow SP in Security Area4

4

8

Traffic Analysis

Automatically Configured Analysis Objects:－【 Network 】－【 Router 】－【 Peer 】－【 Interface 】

No Complex Configuration

Objects Customized by User:－【 Customer 】－【 Profile 】 Flexibly customize objects we need

9

Traffic Analysis User define objects:－【 Profile 】Include ：

1 、 IP Address （ or Block of IP Addresses ）2 、 AS Path Regular Expressions3 、 Local AS/Sub AS4 、 BGP community5 、 Peer ASN6 、 TCP/UDP port

7 、 InterfaceBoolean Operation ： AND 、 OR 、 NOTWe can define analysis objects flexibly:

community '2:20'and not 92.2.1.0/25 aspath ‘^23849’ and not aspath ‘^23849_9800’ community ‘2:20’ and aspath ‘^4134’

10

Traffic Summary

11

Traffic Analysis Base on TCP/UDP Port (1)

12

Traffic Analysis Base on TCP/UDP Port(2)

13

Top Talkers

14

Agenda

Introduction of Peakflow SP1

Basic Traffic Analysis2

BGP Analysis Function3

4

1

44 Role of Peakflow SP in Security Area4

4

15

Transit Traffic

Analysis Object ：【 Network】 【 Router 】【 Peer 】【 Customer 】【 Profile 】【 Interface 】

Operation ： Network BGP Attribute ASxAS

16

Traffic Analysis Base on AS

17

Traffic Analysis Base on AS Path

18

Peering Evaluation and Visualization

19

Agenda

Introduction of Peakflow SP1

Basic Traffic Analysis2

BGP Analysis Function3

4

1

44 Role of Peakflow SP in Security Area4

4

20

Peakflow SP Anomaly Reporting

Profiled Anomalies – deviations from normal traffic levels on the network

Misuse Anomalies – Traffic towards specific hosts that exceed what should normally be seen on a network

Fingerprint/Worm Anomalies – Traffic that fits a user specified signature

21

Detect Attack - Profiled Anomalies

A baseline of normal behavior leveraging flow data available from the routers deployed on the network would be built.

In real-time, the system compares traffic against the baseline.

Detects network-wide anomalies such as DDoS attacks and worm outbreaks in non-intrusive data collection methods.

22

Detection Classes: Misuse Detected independently from the established baselines,

on a set of known attack signatures. Traffic of specific types exceeding what should be

normal for a network. Misuse anomalies cover the following types of traffic:

ICMP Anomaly TCP NULL Flag Anomaly TCP SYN Flag Anomaly TCP RST Flag Anomaly IP NULL (Proto 0) Anomaly IP Fragmentation Anomaly IP Private Address Space Anomaly

23

Misuse Anomalies - Dark IP

24

Fingerprint/Worm Anomalies(1)

25

Tracing Anomalies Automatically trace the source and destination IP/Port,

TCP Flag of abnormal traffic.

Distribution of attack traffic by source and destination IP/Port.

Trace the network device that the abnormal traffic pass through.

26

Prevent/Mitigate Network-wide Anomalies System can recommend appropriate mitigation measure

s to mitigate anomalies such as DoS attack and worm outbreaks. Generate recommended ACLs or rate limit commands. Blackhole routing Sinkhole routing

27

Alert BGP

BGP Instability BGP Route Hijacking

Data Source BGP Down Flow Down SNMP Down

DoS Alert Interface Usage: traffic exceeded configured baseline

Use E-mail, SNMP Traps, Syslog etc to notify network administrators.

Thank you !