Large-Scale Geolocation for NetFlow

Transcription

1 Large-Scale Geolocation for NetFlow Pavel Čeleda, Petr Velan, Martin Rábek Rick Hofstede, Aiko Pras {celeda velan {r.j.hofstede IFIP/IEEE IM 2013, May 2013, Ghent, Belgium

2 Part I Introduction Pavel Čeleda Large-Scale Geolocation for NetFlow 2 / 22

3 Motivation and R&D Goals I : SURFmap - a Network Monitoring Tool Based on the Google Maps API. Pavel Čeleda Large-Scale Geolocation for NetFlow 3 / 22

4 Motivation and R&D Goals II How flow-based geolocation can be performed in a large-scale? exporter-based approach, collector-based approach. How can we benefit from geolocation data in flow records? traffic engineering, traffic profiling, anomaly detection. Pavel Čeleda Large-Scale Geolocation for NetFlow 4 / 22

5 Part II Architecture Pavel Čeleda Large-Scale Geolocation for NetFlow 5 / 22

6 Exporter-Based Geolocation Packets Input Flow cache Export NetFlow v9 Pavel Čeleda Large-Scale Geolocation for NetFlow 6 / 22

7 Exporter-Based Geolocation Packets Input Flow cache Export NetFlow v9 Flows Geolocated flows GeoPlugin Pavel Čeleda Large-Scale Geolocation for NetFlow 6 / 22

8 Exporter-Based Geolocation Packets Input Flow cache Export NetFlow v9 Flows Geolocated flows GeoPlugin exporter filter plugin for IP address geolocation, NetFlow v9 template mapping GEO data to AS fields SRC_AS=*SRC_GEO, DST_AS=*DST_GEO, AS mapping transparent to any flow collector. Pavel Čeleda Large-Scale Geolocation for NetFlow 6 / 22

9 MaxMind GeoLite Country Database MaxMind GeoLite free off-line country database, C-API for IPv4/IPv6 geolocation. Queries/s (x 10 6 ) Standard Memory cache Check cache MMAP cache 2 0 IPv4 IPv6 : IPv4/IPv6 geolocation database performance. Pavel Čeleda Large-Scale Geolocation for NetFlow 7 / 22

10 Collector-Based Geolocation Data collection NetFlow nfcapd v5, v9 Geolocation patch for NFDUMP and NfSen toolset, native geolocation support for any NetFlow v5/v9, IPFIX data. Pavel Čeleda Large-Scale Geolocation for NetFlow 8 / 22

11 Collector-Based Geolocation Data collection NetFlow nfcapd Storage v5, v9 Geolocation patch for NFDUMP and NfSen toolset, native geolocation support for any NetFlow v5/v9, IPFIX data. Pavel Čeleda Large-Scale Geolocation for NetFlow 8 / 22

12 Collector-Based Geolocation Data collection NetFlow nfcapd Storage v5, v9 Geolocation Data processing Top-N stats nfdump Aggregation Filtering Raw data nfprofile NfSen Web UI (profiles) patch for NFDUMP and NfSen toolset, native geolocation support for any NetFlow v5/v9, IPFIX data. Pavel Čeleda Large-Scale Geolocation for NetFlow 8 / 22

13 NFDUMP Database Extension #15 Country Code Flow Record: Flags = 0x06 Unsampled size = 80 first = [ :04:21] last = [ :04:22] msec_first = 890 msec_last = 100 src addr = dst addr = src port = 80 dst port = tcp flags = 0x1a.AP.S. proto = 6 (in)packets = 4 (in)bytes = 936 input = 5 src as = dst as = 2852 in src mac = 00:0e:38:5e:30:c0 out dst mac = 00:1e:be:8b:26:c0 src ctry = ISO country code - US dst ctry = ISO country code - CZ Pavel Čeleda Large-Scale Geolocation for NetFlow 9 / 22

14 NFDUMP Flow Listing a) numeric code %scc %dcc : : : : : : : : : :18973 b) alpha-2 code %sccan %dccan : : : : : : : : : :18973 Usage example nfdump -M /data/nfsen/profiles-data/live/p3000:p3001 \ -r 2012/09/23/nfcapd \ -o fmt:%pr %sap -> %dap %sccan %dccan -m -c 20 Pavel Čeleda Large-Scale Geolocation for NetFlow 10 / 22

15 NFDUMP Geofiltering Geofiltering country filter syntax is similar to other NFDUMP filters syntax : ctry [comp] <num>, country can be compared to a list (red-black tree) of country codes, syntax : ctry in [ <ctrylist> ], filters are often used for traffic profilling in NfSen. Usage example nfdump -M /data/nfsen/profiles-data/live/p3000:p3001 \ -r 2012/09/23/nfcapd c 5 \ src ctry 203 and not dst ctry in [ ] Pavel Čeleda Large-Scale Geolocation for NetFlow 11 / 22

16 NfSen Geoprofiling : Screenshot of collector-based geolocation prototype. Pavel Čeleda Large-Scale Geolocation for NetFlow 12 / 22

17 Part III Use Case I Traffic Profiling Pavel Čeleda Large-Scale Geolocation for NetFlow 13 / 22

18 Geolocated and Non-geolocated ICMP Traffic I 150 (1) IN 100 Packets/s (2) (3) (4) In Out OUT :00 02:00 04:00 06:00 08:00 10:00 12:00 : ICMP traffic. Pavel Čeleda Large-Scale Geolocation for NetFlow 14 / 22

19 Geolocated and Non-geolocated ICMP Traffic II 150 (1) IN 100 Packets/s (2) (3) (4) UA US Other CZ OUT :00 02:00 04:00 06:00 08:00 10:00 12:00 : Geolocated ICMP traffic. Pavel Čeleda Large-Scale Geolocation for NetFlow 15 / 22

20 Distribution of HTTPS Traffic over Countries I 150 IN Flows/s US CZ Other OUT : HTTPS flows/s. Pavel Čeleda Large-Scale Geolocation for NetFlow 16 / 22

21 Part IV Use Case II Anomaly Detection Pavel Čeleda Large-Scale Geolocation for NetFlow 17 / 22

22 Bad Neighboring Countries All countries China 200 Flows/s :00 06:00 12:00 18:00 00:00 : Incoming TCP SYN-only flows. Pavel Čeleda Large-Scale Geolocation for NetFlow 18 / 22

23 UDP DoS Attack IN Packets/s DNS In/Out US DNS In/Out OUT 18:00 19:00 20:00 21:00 22:00 23:00 00:00 : UDP DoS attack from infected Linux machine. Pavel Čeleda Large-Scale Geolocation for NetFlow 19 / 22

24 Part V Conclusion Pavel Čeleda Large-Scale Geolocation for NetFlow 20 / 22

25 Conclusion Summary country-level information in flow data, native geolocation support for NfSen/NFDUMP, pilot geo-prototype deployment at MU CESNET link. Future Work IPFIX-compliant prototype for exporter-based geolocation, ipfixcol AS and GEO support implementation, AS + GEO data for traffic profiling and anomaly detection. Pavel Čeleda Large-Scale Geolocation for NetFlow 21 / 22

26 Thank You For Your Attention! Large-Scale Geolocation for NetFlow P. Čeleda, P. Velan, M. Rábek {celeda velan R. Hofstede, A. Pras {r.j.hofstede Geolocation Toolset Pavel Čeleda Large-Scale Geolocation for NetFlow 22 / 22