Presentation and Demo: Flow Valuations based on Network-Service Cooperation

Size: px

Start display at page:

Download "Presentation and Demo: Flow Valuations based on Network-Service Cooperation"

Lesley Montgomery
5 years ago
Views:

1 Presentation and Demo: Flow Valuations based on Network-Service Cooperation Tanja Zseby, Thomas Hirsch Competence Center Network Research Fraunhofer Institute FOKUS, Berlin, Germany 1/ , T. Zseby

2 Today: End-to-End Principle Access Network Mechanisms at End Systems Access Network Web-Server No Application Support in Network Router 2/ , T. Zseby

3 Internet Problems Security Threats Immense monetary loss Fast adapting attack patterns Management costs Increasing network size Increasing heterogeneity (technical, administrative) Lack of support for users and applications Quality, security levels, route options, privacy, etc. Reconsider Internet Design Principles 3/ , T. Zseby

4 The Idea of Autonomic Networking Bring decision cycles in network nodes Establish situation awareness Enable decision processes beyond routing Objectives: Support for Applications in the network Flexible levels for quality, security, etc. Self-Management Reduction of human intervention Self-Protection Protection of network and applications 4/ , T. Zseby

5 Decision Cycle Establishing Situation Awareness Essential for Good Decisions Autonomic Computing [IBM]: MAPE Monitor-Analyze-Plan-Execute 5/ , T. Zseby 5of 24

6 Enabler: Node Collaboration Improve Situation Awareness Enforce Joint Strategy Provide Different Viewpoints Learn from Others 6/ , T. Zseby

7 Node Collaboration System (NCS) Nodes that want to collaborate Register with directory Provide location of information they can offer (context provider) Can get location of network information from others (context consumer) register Directory resolve Context Providers get, subscribe notify Context Consumers 7/ , T. Zseby

8 Node Collaboration System Use Analysis Function where available Context Provider CP Web-Server Access Network Reassembly Functions DPI for received Access packets Network CP CC CP Traffic Monitoring Routing Info CP Context Provider Router CC Context Consumer 8/ , T. Zseby

9 Implementation Registration and Resolve HTTP like Protocol Unified Resource Identifier for addressing info Actual Information transfer with different protocols Push (subscribe to CP) or pull (explicitly request info) IP Flow Information Export (IPFIX) Additional support for Invoking new measurements Artificial context providers (situation generation for assessing new decision algorithms) 9/ , T. Zseby J. Tiemann, D. Witaszek: Context Coordination and Dissemination System Architecture and Basic Implementation, FOKUS Technical report TR CCDS-Basics

10 Example: Overload Protection by Flow Valuations Web-Server Access Network Access Network M M Overload Detection: Simple M Router Mitigation: Difficult 10/ , T. Zseby

11 Objectives Protect access links and servers Detect and mitigate overload situations in the Network Mitigate before access or servers are affected Reduce collateral damage Important traffic should be protected Unimportant or malicious traffic can/should be filtered Mitigation as close to the originator as possible Protect core from unwanted traffic Avoid: Providers to decide about importance of traffic (net neutrality) Deep Packet Inspection (high effort) 11/ , T. Zseby

12 Challenge Overload may be originated by Legitimate traffic (Flash Crowds) Abusive DDoS Goal: Reduce traffic to prevent overload Cause may be unknown But: reduce collateral damage Challenge: Which flows should be blocked? 12/ , T. Zseby

13 Conventional Solutions Random Filtering No separation between good and bad packets Problem: High collateral damage (blocking of legitimate users) Intrusion detection systems Attempt to separate good and bad packets by Inspection (DPI) Problem: High Effort in Network Alternative: Network-Service Cooperation Cooperate to establish situation awareness Utilize analysis functions at application level Combine information from multiple cooperative sources Combine preferences to form a joint decision 13/ , T. Zseby

14 Server View Web-Server Access Network M M Overload M Router 14/ , T. Zseby

15 Network View Web-Server Access Network M M M Router 15/ , T. Zseby

16 Approach: Network-Service Cooperation Valuation Matrix Value Flow ad Lo Server Servers - know the value of their user traffic Router Routers - Can detect overload - Can filter before traffic enters access links - But don t know the traffic value 16/ , T. Zseby

17 Normal Operation: Servers provide Valuation Reports -0.5 Web-Server Access +0.2 Network +0.6 Access Network +0.8 M M M Router 17/ , T. Zseby

18 Flow Valuations Assessment of user traffic with simple system Example valuations User logged in with password +0.8 Regular browsing pattern +0.5 Customer completed buying +1.0 Failed login attempt -0.1 Repeatedly loading single site -0.5 Attempt to log into database server -0.9 Value Valuation Matrix Flow 18/ , T. Zseby 18 of 24

19 Normal Operation: Router aggregates Valuations Access +0.2 Network +0.6 Valu ue Valuation Matrix Flow -0.5 Web-Server Access Network +0.8 May propagate Info to Neighbours Router 19/ , T. Zseby

20 Overload Situation: Correlate Information Load Load Blocking Decision based on aggregated valuations 20/ , T. Zseby

21 Good: Collaboration of Nodes Valuation Matrix Valuation Matrix Va alue Value Flow Flow Server Learn about traffic value 21/ , T. Zseby

22 Better: Collaboration of Different Nodes Valuation Matrix Value Load Flow 22/ , T. Zseby

23 Unbeatable: A Heterogeneous Collaborative Team Web- Server Video Sever DNS Router AAA Border Router 23/ , T. Zseby

24 Status and Future Work Node Collaboration System for Flow Valuations Implemented on Cisco AXP routers Using IPIFIX for information transfer Cooperation Incentives (in progress) Incentives to provide information Inter-domain exchange Integration of further sources Information from sophisticated sources (IDS, AAA, ) Worm detection information from enhanced DNS 24/ , T. Zseby

25 Thank You! Contact: 25/ , T. Zseby

Sampling Challenges. Tanja Zseby Competence Center Network Research Fraunhofer Institute FOKUS Berlin. COST TMA September 22, 2008

Sampling Challenges. Tanja Zseby Competence Center Network Research Fraunhofer Institute FOKUS Berlin. COST TMA September 22, 2008 Sampling Challenges Tanja Zseby Competence Center Network Research Fraunhofer Institute FOKUS Berlin Desired Features for Traffic Observation Network-wide: multiple observation points Flexible: change