ABC Monitoring Solution

Size: px

Start display at page:

Download "ABC Monitoring Solution"

Jonathan Caldwell
5 years ago
Views:

1 ABC Monitoring Solution FRAFOS GmbH FRAFOS GmbH Bismarckstr Berlin Germany This document is copyright of FRAFOS GmbH. Duplication or propagation or extracts of the tenor is subjected to formal agreement of FRAFOS GmbH

1. Introduction The ABC Monitor provides administrators with an aggregated view of user activity based on usage reporting data collected from the ABC SBC/WebRTC gateways.

misconducting users. The reporting data comes from inside of the ABCs.

such as traffic shaping decisions. 2. Network and Software Architecture The ABC Monitor is a centralized system for processing, analyzing and displaying SIP usage information.

2 1. Introduction The ABC Monitor provides administrators with an aggregated view of user activity based on usage reporting data collected from the ABC SBC/WebRTC gateways. This highly interactive, near real- time view can be used for trending, analysis of both short- term and long- term use patterns, troubleshooting, auditing server policies and identifying misconducting users. The reporting data comes from inside of the ABCs. This insider view allows the Monitor administrators to inspect SIP traffic encrypted on the way from and to the ABCs, correlate calls separated by topology hiding, and report internal ABC context such as traffic shaping decisions. 2. Network and Software Architecture The ABC Monitor is a centralized system for processing, analyzing and displaying SIP usage information. The central nature of the system offers consistent visibility to user behaviour regardless of network topology and to which of the monitored ABCs SIP users connect. That s particularly practical when the ABCs scale up and down in cloud deployments and change their roles in redundant active/standby systems, Loss= 13% ABC SBC ABC SBC ABC WebRTC ABC WebRTC Figure 1: ABC Monitor deployment scenario All ABC SBC/WebRTC instances deployed by a FRAFOS customer report multiple types of events to the ABC Monitor. The events describe in detail what is happening to particular formal agreement of FRAFOS GmbH 2

users. The events report on call setup and termination, QoS, authentication failures, completion of call recording, SIP registration, or even some custom- defined conditions.

3 users. The events report on call setup and termination, QoS, authentication failures, completion of call recording, SIP registration, or even some custom- defined conditions. The Monitor collects these events and represents them graphically in several interactive dashboards. The dashboards display the history of events over time, summaries, and details of the respective events. Administrators typically analyze information presented in the dashboards by adding various event filters consecutively until they narrow done the events to those they are interested in. The ABC Monitor is based on the open source ELK solution consisting of: Logstash: Collect and process the log and event information received from the ABC SBC/WebRTC instances Elasticsearch: Enable near real- time search of the collected log and event information Kibana: Display the processed information and provide the user with various data search and processing options. 3. ABC Monitor Feature Description The ABC Monitor offers the administrator several dashboards that provide summaries for different aspects of SIP service operation. Administrators inspect these summaries and narrow down the observed events by adding new event filters. For example, they limit the events to a window of time with over- average traffic, then filter out events with IP address of the most intensive sender, and eventually inspect the sender s call- flows in detail. This usage pattern is shown in the following screenshots. In the first screenshot administrator inspects the Security Dashboard, finds out a time window in which remarkably many SIP messages are dropped, and zooms in his view to this period of time. Figure 2 Screenshot: Narrowing the Time Axis formal agreement of FRAFOS GmbH 3

In the next steps he finds out that a significant part of the offending traffic is coming from a single IP address and narrows down the filter to events reporting on that IP address.

4 In the next steps he finds out that a significant part of the offending traffic is coming from a single IP address and narrows down the filter to events reporting on that IP address. Figure 3: Screenshot: Adding Filters for the Most Often Recurring IP Address Eventually the administrator inspects the related traffic details in Call Flows. The following sub- sections describe specific features of the respective dashboards. 3.1 ABC Monitor Dashboards All of the dashboards have a similar structure like shown in Figure 4. The top part shows occurrence of different event types along time axis and filters that are currently being used. The mid- part shows comprehensible summaries: number of filtered events, break- down by event type, and type- specific summaries. The bottom part includes individual clickable events. Each of the dashboards is specialized on certain types of events. Overview Dashboard displays all events that have been collected by the ABC Monitor. In this dashboard as well as in all others, it is possible to filter the events by type, time and value of their respective fields. The remaining dashboards are specific for certain types of events and provide specific statistic information related to these. Calls Dashboard: Information about the call duration, number of call attempts, successful call establishments and call terminations. The call termination events include information about call- length, type of termination and QoS. A related Top Lists Dashboard provides a list of the most intense sources of both incomplete call attempts and completed calls. formal agreement of FRAFOS GmbH 4

Geographic information is associated with the events so that administrators can obtain insight into

5 Figure 4: Screenshot: Calls Dashboard Registrations Dashboard displays events related to registrations. Geographic information is associated with the events so that administrators can obtain insight into whereabouts of their SIP services users. Figure 5 Registration Dashboard Diagnostics Dashboard provides administrators with a troubleshooting vehicle that gathers formal agreement of FRAFOS GmbH 5

6 detailed information about the SIP traffic processed by the ABCs. That may particularly include captured SIP messages, audio call recordings, and custom alerts. The custom alerts are of great diagnostic value as they allow administrators to observe some specific traffic patterns they find suspicious in detail. For example they can choose to see reports on all calls from SIP users who are not registered. The calls meeting this conditions are then reported in the diagnostics dashboard, the administrator analyzes them and may decide if these are legitimate calls between legitimate peering non- registering PSTN gateways or some non- authenticated SIP service abuse. Security Dashboard analyzes situations when the some ABC instance identifies offending traffic, and chooses to repel it by shaping or entirely dropping it. Which packets to ignore and how the traffic limits are set are defined in the ABC rules. There are two types of events that are displayed in the dashboard when these conditions are reached: the limit event reports on traffic limit violations the drop event reports on SIP requests the ABC chose to ignore. A related Blacklisting Dashboard identifies often- repeating security events so that recidivist offenders may be found more easily. 3.2 Events Details and Filters The events in the bottom part of the dashboards show details of what is happening to a user at an instance of time. Each event includes a timestamp, specification of the event type, and identification of the sender that caused the event to be reported by both IP address and SIP URI. Each event type includes additional specific information: call- stop event bears a QoS report, a recording- completed event includes a reference to an audio WAV file, a message- log event comes with a link to a rendered call- flow. The call- end event example shown in Figure 6 describes who called whom, who terminated the call, length and JSON- formatted quality report for the call. An interesting fact about this example is it refers to details a WebRTC call. Such a call was encrypted using state- of- the art 256- bit- key cipher and its details are normally invisible for anyone snooping on the network. formal agreement of FRAFOS GmbH 6

While the events represent only essential changes in status of a SIP service user, they still come in quantity that makes finding a specific piece of information challenging.

The event in the example was filtered out using criteria shown in Figure 7. Only events of call- end type within past six hours are shown, if the originator has the IP address 94.142.238.

7 While the events represent only essential changes in status of a SIP service user, they still come in quantity that makes finding a specific piece of information challenging. Therefore Monitor administrators can apply certain filters to narrow down the volume of traffic they study. These filters can refer to values of any fields present in the events. The event in the example was filtered out using criteria shown in Figure 7. Only events of call- end type within past six hours are shown, if the originator has the IP address and URI Organizer@conf.frafos.com. Figure 6 Call- end Event Type Example Figure 7Example of an Event Filter 3.3 ABC Monitor Call Sequences To provide the administrator with more detailed diagnostic options, the ABC solutions generate events of the type Message log. Any time a SIP dialog encounters the Log formal agreement of FRAFOS GmbH 7

8 received traffic action in the ABC- SBC rule- base, the dialog traffic begins to be captured, stored in a PCAP file and uploaded to the Monitor eventually. The PCAP file is rendered using a ladder chart which can be accessed through a link in message log events. An example of such a chart is shown in Figure 8. Figure 8 Example of a Call- Flow Ladder Chart formal agreement of FRAFOS GmbH 8

9 4. ABC Monitor Roadmap In order to further expand the capabilities of the ABC Monitor and provide faster efficient anomaly detection FRAFOS is working on the following features: Self- managing capabilities to the Console in order to identify unusual traffic patterns and such as o Traffic flooding (DoS?) o High- cost or lengthy calls (fraud?) o Multiple failed authentication attempts (dictionary attacks?) o Multiple failed transaction completion attempts (scanning?) o Aae bounced by administrator s policies (admin- defined threats) Additional alarming methods (SMS, Mail) Integration with central cluster management Auto- enforcement (alarm/blacklist) when suspicious sources (by IP/URI) exceed certain pre- defined limits. The next monitoring release version is expected Q2 16. formal agreement of FRAFOS GmbH 9

ABC SBC: Secure Peering. FRAFOS GmbH

ABC SBC: Secure Peering. FRAFOS GmbH ABC SBC: Secure Peering FRAFOS GmbH Introduction While an increasing number of operators have already replaced their SS7 based telecommunication core network with a SIP based solution, the interconnection