31 research outputs found

    Network domain entrypoint/path determination for DDoS attacks

    Accepted version; no full text available.

    Flow monitoring in software-defined networks: finding the accuracy/performance tradeoffs

    In OpenFlow-based Software-Defined Networks, obtaining flow-level measurements similar to those provided by NetFlow/IPFIX is challenging, as it requires installing an entry per flow in the flow tables. This approach does not scale well, because flow tables hold only a limited, small number of entries. Moreover, labeling the flows with the application that generates the traffic would greatly enrich these reports, as it would provide very valuable information for network performance and security, among other uses. In this paper, we present a scalable flow monitoring solution fully compatible with current off-the-shelf OpenFlow switches. Measurements are maintained in the switches and are asynchronously sent to an SDN controller. Additionally, flows are classified using a combination of DPI and Machine Learning (ML) techniques, with special focus on the identification of web and encrypted traffic. For the sake of scalability, we designed two different traffic sampling methods depending on the OpenFlow features available in the switches. We implemented our monitoring solution within OpenDaylight and evaluated it in a testbed with Open vSwitch, also using a number of DPI and ML tools to find the best tradeoff between accuracy and performance. Our experimental results using real-world traffic show that the measurement and classification systems are accurate and that the cost to deploy them is significantly reduced. Peer reviewed; postprint (author's final draft).

    Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX

    Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as NetFlow and IPFIX, data collection, and data analysis. In contrast to what is often assumed, all stages of flow monitoring are closely intertwined. Each of these stages therefore has to be thoroughly understood before sound flow measurements can be performed. Otherwise, flow data artifacts and data loss can result, potentially without being noticed. This paper is the first of its kind to provide an integrated tutorial on all stages of a flow monitoring setup. As shown throughout this paper, flow monitoring has evolved from the early 1990s into a powerful tool, and additional functionality will certainly be added in the future. We show, for example, how the previously opposing approaches of deep packet inspection and flow monitoring have been united into novel monitoring approaches.
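    To make the export and collection stages concrete, the following is an added example (not code from the paper): a minimal IPFIX exporter/collector pair in Python that builds a template set and data sets as laid out in RFC 7011, decodes them on the collector side, and uses the message header's sequence number, which counts data records exported so far per observation domain, to account for records lost between exporter and collector, one of the silent data-loss cases the tutorial warns about. The template (a constructed subset of IANA information elements), the four flows, the export times and observation domain id 7 are assumptions made for the example; enterprise-specific IEs are skipped over and variable-length IEs are rejected rather than decoded.

```python
"""Minimal IPFIX (RFC 7011) exporter/collector pair with transport-loss accounting.
Added example, not code from the paper: the template (a constructed subset of IANA
information elements), the flows and the observation domain id are assumptions."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
HEADER = "!HHIII"  # version, length, export time, sequence number, observation domain id

# (information element id, length in bytes): IANA IEs 8/12 (IPv4 src/dst address),
# 7/11 (src/dst transport port), 4 (protocolIdentifier), 1 (octetDeltaCount), 2 (packetDeltaCount)
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]


def encode_template_set(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body


def encode_data_set(template_id, fields, records):
    """records: tuples of ints in template field order."""
    body = b"".join(v.to_bytes(ln, "big") for rec in records for (_, ln), v in zip(fields, rec))
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def encode_message(export_time, seq, domain, sets):
    payload = b"".join(sets)
    return struct.pack(HEADER, IPFIX_VERSION, 16 + len(payload), export_time, seq, domain) + payload


class Collector:
    def __init__(self):
        self.templates = {}     # (domain, template id) -> field list
        self.expected_seq = {}  # domain -> sequence number the next message should carry
        self.lost_records = {}  # domain -> data records that never reached us
        self.flows = []         # decoded records as {ie id: int}

    def ingest(self, msg):
        version, length, _export_time, seq, domain = struct.unpack(HEADER, msg[:16])
        if version != IPFIX_VERSION or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        # The sequence number is the count of data records exported so far, so a
        # jump past what we decoded means records were lost in transit (e.g. over UDP).
        if domain in self.expected_seq and seq != self.expected_seq[domain]:
            self.lost_records[domain] = self.lost_records.get(domain, 0) + (seq - self.expected_seq[domain])
        decoded, off = 0, 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4:
                raise ValueError("corrupt set header")
            body = msg[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._parse_templates(domain, body)
            elif set_id >= 256:  # data set: set id is the template id
                decoded += self._parse_data(domain, set_id, body)
            off += set_len       # options templates (set id 3) are ignored here
        self.expected_seq[domain] = seq + decoded

    def _parse_templates(self, domain, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if count == 0:  # field count 0 withdraws a template (RFC 7011 sec. 8.1); zero padding lands here too
                self.templates.pop((domain, tid), None)
                continue
            fields = []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if ie & 0x8000:  # enterprise-specific IE: a 4-byte enterprise number follows
                    pos += 4
                    ie &= 0x7FFF
                if ln == 0xFFFF:
                    raise ValueError("variable-length IEs are not handled in this example")
                fields.append((ie, ln))
            self.templates[(domain, tid)] = fields

    def _parse_data(self, domain, tid, body):
        fields = self.templates.get((domain, tid))
        if fields is None:
            return 0  # template unknown: the records are unreadable and cannot even be counted
        rec_len = sum(ln for _, ln in fields)
        n, pos = 0, 0
        while pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
            rec = {}
            for ie, ln in fields:
                rec[ie] = int.from_bytes(body[pos:pos + ln], "big")
                pos += ln
            self.flows.append(rec)
            n += 1
        return n


def ip(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def demo():
    """Constructed scenario: three messages exported, the second dropped in transit."""
    tmpl = encode_template_set(256, TEMPLATE_256)
    recs = [(ip("10.0.0.5"), ip("192.0.2.10"), 40000, 443, 6, 5200, 12),
            (ip("10.0.0.9"), ip("192.0.2.10"), 40001, 443, 6, 900, 4),
            (ip("10.0.0.5"), ip("192.0.2.53"), 53123, 53, 17, 120, 1),
            (ip("10.0.0.7"), ip("192.0.2.10"), 40002, 443, 6, 77000, 60)]
    messages = [
        encode_message(1700000000, 0, 7, [tmpl, encode_data_set(256, TEMPLATE_256, recs[:2])]),
        encode_message(1700000010, 2, 7, [encode_data_set(256, TEMPLATE_256, recs[2:3])]),
        encode_message(1700000020, 3, 7, [encode_data_set(256, TEMPLATE_256, recs[3:])]),
    ]
    collector = Collector()
    for msg in (messages[0], messages[2]):  # messages[1] never arrives
        collector.ingest(msg)
    return collector
```

    A real collector would also expire templates, tolerate reordering (a negative gap) and buffer data sets that arrive before their template; the point here is that without tracking the sequence number the dropped record would vanish without any trace in the flow data.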

    Locating Network Domain Entry and Exit point/path for DDoS Attack Traffic

    A method to determine the entry and exit points or paths of DDoS attack traffic flows into and out of network domains is proposed. We observe the valid source addresses seen by routers from sampled traffic under non-attack conditions. Under attack conditions, we detect route anomalies by determining which routers have been used for unknown source addresses, and use them to construct the attack paths. We consider deployment issues and show results from simulations to prove the feasibility of our scheme. We then implement our traceback mechanism in C++ and conduct more realistic experiments. The experiments show that accurate results are achieved, with a high traceback speed of a few seconds. Compared to existing techniques, our approach is non-intrusive, requiring no changes to Internet routers or data packets. Precise information regarding the attack is not required, allowing a wide variety of DDoS attack detection techniques to be used. The victim is also relieved of the traceback task during an attack. The scheme is simple and efficient, allowing for a fast traceback, and scalable due to the distribution of the processing workload. © 2009 IEEE. Accepted version.
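    As an added illustration of the two-phase idea above (not the paper's C++ implementation), the Python below learns, per router, the source prefixes seen in sampled non-attack traffic, then under attack scores each router by the fraction of sampled packets carrying a source prefix that router has never forwarded, marks routers above a threshold as anomalous, and finds the attack paths as the shortest routes through anomalous routers from anomalous border routers to the router nearest the victim. The /24 baseline granularity, the 50% threshold, the six-router topology and all addresses are assumptions constructed here; the paper does not specify them.

```python
"""Entry-point and path inference for DDoS traffic from per-router source baselines.
Added example, not the paper's implementation: the /24 granularity, the 50% threshold,
the topology and the sampled addresses are assumptions constructed for illustration."""
import ipaddress
from collections import defaultdict, deque


def prefix_of(ip, plen=24):
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def learn_baseline(samples, plen=24):
    """Non-attack phase: the source prefixes each router legitimately forwards."""
    seen = defaultdict(set)
    for router, src in samples:
        seen[router].add(prefix_of(src, plen))
    return dict(seen)


def unknown_source_ratio(baseline, samples, plen=24):
    """Attack phase: per router, the share of sampled packets whose source was never seen there."""
    unknown, total = defaultdict(int), defaultdict(int)
    for router, src in samples:
        total[router] += 1
        if prefix_of(src, plen) not in baseline.get(router, set()):
            unknown[router] += 1
    return {r: unknown[r] / total[r] for r in total}


def shortest_path(adj, allowed, start, goal):
    """BFS restricted to anomalous routers; returns the hop list or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt in allowed and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def trace(adj, border_routers, baseline, attack_samples, victim_router, threshold=0.5, plen=24):
    """Return per-router anomaly ratios and one path per anomalous border (entry) router."""
    ratios = unknown_source_ratio(baseline, attack_samples, plen)
    anomalous = {r for r, x in ratios.items() if x >= threshold}
    entries = sorted(r for r in anomalous & border_routers if r != victim_router)
    paths = {e: shortest_path(adj, anomalous, e, victim_router) for e in entries}
    return ratios, paths


# Constructed domain: border routers B1..B3, core C1/C2, access router A1 in front of the victim.
ADJ = {"B1": ["C1"], "B2": ["C1"], "B3": ["C2"],
       "C1": ["B1", "B2", "C2", "A1"], "C2": ["B3", "C1", "A1"], "A1": ["C1", "C2"]}
BORDER = {"B1", "B2", "B3"}


def _samples(spec):
    """{router: [src, ...]} -> flat (router, src) list of constructed sampled packets."""
    return [(r, s) for r, srcs in spec.items() for s in srcs]


NORMAL = _samples({
    "B1": ["198.51.100.4", "198.51.100.9"],
    "B2": ["203.0.113.7", "203.0.113.20"],
    "B3": ["192.0.2.3", "192.0.2.14"],
    "C1": ["198.51.100.4", "203.0.113.7"],
    "C2": ["192.0.2.3"],
    "A1": ["198.51.100.9", "203.0.113.20", "192.0.2.14"],
})
SPOOFED = ["10.8.1.1", "172.16.9.2", "45.33.2.2", "91.200.7.7", "185.10.3.3", "23.94.5.5"]
ATTACK = _samples({
    "B1": SPOOFED[:4] + ["198.51.100.4"],                 # 4 of 5 unknown
    "B2": ["203.0.113.7", "203.0.113.20"],                 # clean
    "B3": SPOOFED[4:] + ["192.0.2.3"],                     # 2 of 3 unknown
    "C1": SPOOFED[:4] + ["198.51.100.4", "203.0.113.7"],  # 4 of 6 unknown
    "C2": SPOOFED[4:] + ["192.0.2.3"],                     # 2 of 3 unknown
    "A1": SPOOFED + ["198.51.100.9"],                      # 6 of 7 unknown
})


def demo():
    baseline = learn_baseline(NORMAL)
    return trace(ADJ, BORDER, baseline, ATTACK, victim_router="A1")


if __name__ == "__main__":
    ratios, paths = demo()
    print({r: round(x, 2) for r, x in ratios.items()})
    print(paths)
```

    With this input B2 stays below the threshold while B1 and B3 are identified as entry points, with paths B1-C1-A1 and B3-C2-A1. The baseline is only as good as its sampling window: a router that legitimately sees a new prefix after the learning phase will look anomalous, so in practice the learned sets should be refreshed continuously outside of attack periods.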

    Monitoring multicast traffic in heterogeneous networks

    Internship carried out at INESC - Porto and supervised by Prof. Dr. Ricardo Morla. Integrated master's thesis, Electrical and Computer Engineering - Telecommunications major, Faculty of Engineering, University of Porto. 200

    Verifiable Network-Performance Measurements

    In the current Internet, there is no clean way for affected parties to react to poor forwarding performance: when a domain violates its Service Level Agreement (SLA) with a contractual partner, the partner must resort to ad-hoc, probing-based monitoring to determine the existence and extent of the violation. Instead, we propose a new, systematic approach to the problem of forwarding-performance verification. Our mechanism relies on voluntary reporting, allowing each domain to disclose its loss and delay performance to its neighbors; it does not disclose any information regarding the participating domains' topology or routing policies beyond what is already publicly available. Most importantly, it enables verifiable performance measurements, i.e., domains cannot abuse it to significantly exaggerate their performance. Finally, our mechanism is tunable, allowing each participating domain to determine independently (i.e., without any inter-domain coordination) how many resources to devote to it, exposing a controllable trade-off between performance-verification quality and resource consumption. Our mechanism comes at the cost of deploying modest functionality at the participating domains' border routers; we show that it requires reasonable processing and memory resources within modern network capabilities.

    Definitions of Managed Objects for IP Flow Information Export


    A modular traffic sampling architecture for flexible network measurements

    Master's dissertation (Doctoral Programme in Informatics). The massive traffic volumes and the heterogeneity of services in today's networks call for flexible yet simple measurement solutions to assist network management tasks without impairing network performance. To make tasks that require traffic analysis tractable, sampling the traffic has become mandatory, triggering substantial research in the area. In fact, multiple sampling techniques have been proposed to assist network engineering tasks, each one targeting specific measurement goals and traffic scenarios. Despite that, there is still no encompassing solution able to support the flexible deployment of these techniques in production networks. In this context, this research work proposes a modular traffic sampling architecture able to foster the flexible design and deployment of efficient measurement strategies. The architecture is composed of three layers (management plane, control plane and data plane) covering the key components needed to achieve versatile and lightweight measurements in diverse traffic scenarios and measurement activities. The flexibility and modularity in deploying different sampling strategies rests on a novel taxonomy of sampling techniques, in which current and emerging techniques are identified by their inner characteristics: granularity, selection trigger and selection scheme. Following the proposed taxonomy, a sampling framework prototype has been developed and used as an experimental implementation of the proposed architecture, providing a fair environment to assess and compare sampling techniques under distinct measurement scenarios. Supported by the sampling framework, distinct techniques have been evaluated regarding their performance in balancing the computational burden against the accuracy in supporting traffic workload estimation and flow analysis. The results demonstrate the relevance and applicability of the proposed architecture, revealing that a modular and configurable approach to sampling is a step forward for improving sampling scope and efficiency. (An abstract in Portuguese with the same content accompanies the English one.)
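    The taxonomy axes named in the abstract (granularity, selection trigger, selection scheme) and the burden-versus-accuracy question can be seen on a small scale with the added Python below, which is not the dissertation's framework. It runs three samplers over a constructed, interleaved packet stream: systematic count-based 1-in-10 (packet granularity), random probabilistic p = 0.1 (packet granularity) and hash-based 1-in-10 flow sampling (flow granularity), then compares packets processed, the error of the scaled-up byte-volume estimate, and how many flows are observed completely, which is what flow analysis needs and packet sampling destroys. The stream, packet sizes, rates and the CRC32 flow hash are assumptions made for the example.

```python
"""Packet- vs flow-granularity sampling on a constructed packet stream.
Added example, not the dissertation's framework: the three samplers are placed on the
abstract's taxonomy axes (granularity, selection trigger, selection scheme); the packet
stream, sizes, rates and the CRC32 flow hash are assumptions made here."""
import random
import zlib
from collections import Counter


def make_stream(n_flows=200, seed=7):
    """Constructed stream of (flow_key, size_bytes) with the flows' packets interleaved."""
    rng = random.Random(seed)
    flows = {f"10.0.0.{i % 250}:{1024 + i}->198.51.100.7:443": rng.randint(2, 20)
             for i in range(n_flows)}
    stream = [(key, rng.choice((64, 576, 1500))) for key, n in flows.items() for _ in range(n)]
    rng.shuffle(stream)
    return stream


def systematic_count(stream, n=10):
    """Packet granularity, count-based trigger, systematic scheme: every n-th packet."""
    return stream[n - 1::n]


def random_packet(stream, p=0.1, seed=1):
    """Packet granularity, count-based trigger, random scheme: each packet with probability p."""
    rng = random.Random(seed)
    return [pkt for pkt in stream if rng.random() < p]


def hash_flow(stream, m=10):
    """Flow granularity, hash-based selection: every packet of roughly 1-in-m flows."""
    return [pkt for pkt in stream if zlib.crc32(pkt[0].encode()) % m == 0]


def estimate_bytes(sample, inverse_rate):
    """Horvitz-Thompson scale-up for equal inclusion probability: each sampled byte stands for inverse_rate bytes."""
    return sum(size for _, size in sample) * inverse_rate


def complete_flows(stream, sample):
    """Flows whose every packet made it into the sample (what flow analysis needs)."""
    total = Counter(key for key, _ in stream)
    got = Counter(key for key, _ in sample)
    return sum(1 for key, n in total.items() if got.get(key) == n)


def compare():
    """Burden (packets processed) against accuracy for workload estimation and flow analysis."""
    stream = make_stream()
    truth = sum(size for _, size in stream)
    results = {}
    for name, sample, inverse_rate in (("systematic 1-in-10", systematic_count(stream), 10),
                                       ("random p=0.1", random_packet(stream), 10),
                                       ("flow hash 1-in-10", hash_flow(stream), 10)):
        estimate = estimate_bytes(sample, inverse_rate)
        results[name] = {"packets_processed": len(sample),
                         "rel_error": abs(estimate - truth) / truth,
                         "complete_flows": complete_flows(stream, sample)}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:20s} {r}")
```

    All three process about a tenth of the packets and give unbiased byte estimates, but only the flow-granularity sampler yields flows that are complete, at the price of a noisier volume estimate because whole heavy flows are either in or out of the sample. That is the kind of trade-off a taxonomy-driven framework lets an operator choose per measurement task rather than hard-wire.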

    Building a Standard Measurement Platform

    Network management is achieved through a large number of disparate solutions for different technologies and parts of the end-to-end network. Gaining an overall view, and especially predicting the impact on a service user, is difficult. Recently, a number of proprietary platforms have emerged to conduct end-to-end testing from user premises; however, these are limited in scale, interoperability, and the ability to compare like-for-like results. In this article we show that these platforms share similar architectures and can benefit from the standardization of key interfaces, test definitions, information model, and protocols. We take the SamKnows platform as a use case and propose an evolution from its current proprietary protocols to standardized protocols and tests. In particular, we propose to use extensions of the IETF's IPFIX and NETCONF/YANG in the platform. Standardization will allow measurement capabilities to be included on many more network elements and user devices, providing a much more comprehensive view of user experience and enabling problems and performance bottlenecks to be identified and addressed.