Flow monitoring in software-defined networks: finding the accuracy/performance tradeoffs
In OpenFlow-based Software-Defined Networks, obtaining flow-level measurements, similar to those provided by NetFlow/IPFIX, is challenging because it requires installing an entry per flow in the flow tables. This approach does not scale well, as the number of entries in the flow tables is limited and small. Moreover, labeling the flows with the application that generates the traffic would greatly enrich these reports, as it would provide very valuable information for network performance and security, among others. In this paper, we present a scalable flow monitoring solution fully compatible with current off-the-shelf OpenFlow switches. Measurements are maintained in the switches and are asynchronously sent to an SDN controller. Additionally, flows are classified using a combination of DPI and Machine Learning (ML) techniques, with special focus on the identification of web and encrypted traffic. For the sake of scalability, we designed two different traffic sampling methods depending on the OpenFlow features available in the switches. We implemented our monitoring solution within OpenDaylight and evaluated it in a testbed with Open vSwitch, also using a number of DPI and ML tools to find the best tradeoff between accuracy and performance. Our experimental results using real-world traffic show that the measurement and classification systems are accurate and that the cost to deploy them is significantly reduced. Peer reviewed. Postprint (author's final draft).
Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX
Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows, rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as NetFlow and IPFIX, data collection, and data analysis. In contrast to what is often assumed, all stages of flow monitoring are closely intertwined. Each of these stages therefore has to be thoroughly understood before sound flow measurements can be performed. Otherwise, flow data artifacts and data loss can be the consequence, potentially without being observed. This paper is the first of its kind to provide an integrated tutorial on all stages of a flow monitoring setup. As shown throughout this paper, flow monitoring has evolved from the early 1990s into a powerful tool, and additional functionality will certainly be added in the future. We show, for example, how the previously opposing approaches of deep packet inspection and flow monitoring have been united into novel monitoring approaches.
Locating Network Domain Entry and Exit point/path for DDoS Attack Traffic
A method to determine the entry and exit points or paths of DDoS attack traffic flows into and out of network domains is proposed. We observe valid source addresses seen by routers from sampled traffic under non-attack conditions. Under attack conditions, we detect route anomalies by determining which routers have been used for unknown source addresses, and use them to construct the attack paths. We consider deployment issues and show results from simulations to prove the feasibility of our scheme. We then implement our traceback mechanism in C++ and conduct more realistic experiments. The experiments show that accurate results, with a high traceback speed of a few seconds, are achieved. Compared to existing techniques, our approach is non-intrusive, requiring no changes to Internet routers or data packets. Precise information regarding the attack is not required, allowing a wide variety of DDoS attack detection techniques to be used. The victim is also relieved of the traceback task during an attack. The scheme is simple and efficient, allowing for a fast traceback, and scalable due to the distribution of the processing workload. © 2009 IEEE. Accepted version.
Monitoring multicast traffic in heterogeneous networks
Internship carried out at INESC - Porto and supervised by Prof. Doutor Ricardo Morla. Integrated master's thesis. Electrical and Computer Engineering - Major in Telecommunications. Faculdade de Engenharia. Universidade do Porto. 200
Verifiable Network-Performance Measurements
In the current Internet, there is no clean way for affected parties to react to poor forwarding performance: when a domain violates its Service Level Agreement (SLA) with a contractual partner, the partner must resort to ad-hoc probing-based monitoring to determine the existence and extent of the violation. Instead, we propose a new, systematic approach to the problem of forwarding-performance verification. Our mechanism relies on voluntary reporting, allowing each domain to disclose its loss and delay performance to its neighbors; it does not disclose any information regarding the participating domains' topology or routing policies beyond what is already publicly available. Most importantly, it enables verifiable performance measurements, i.e., domains cannot abuse it to significantly exaggerate their performance. Finally, our mechanism is tunable, allowing each participating domain to determine how many resources to devote to it independently (i.e., without any inter-domain coordination), exposing a controllable trade-off between performance-verification quality and resource consumption. Our mechanism comes at the cost of deploying modest functionality at the participating domains' border routers; we show that it requires reasonable processing and memory resources within modern network capabilities. Comment: 14 pages.
A modular traffic sampling architecture for flexible network measurements
Master's dissertation (Doctoral Programme in Informatics). The massive traffic volumes and the heterogeneity of services in today's networks call for flexible, yet simple measurement solutions to assist network management tasks without impairing network performance. To make tasks requiring traffic analysis tractable, sampling the traffic has become mandatory, triggering substantial research in the area. In fact, multiple sampling techniques have been proposed to assist network engineering tasks, each one targeting specific measurement goals and traffic scenarios. Despite that, there is still a lack of an encompassing solution able to support the flexible deployment of these techniques in production networks.
In this context, this research work proposes a modular traffic sampling architecture able to foster the flexible design and deployment of efficient measurement strategies. The architecture is composed of three layers, i.e., management plane, control plane and data plane, covering key components to achieve versatile and lightweight measurements in diverse traffic scenarios and measurement activities. The flexibility and modularity in deploying different sampling strategies rely upon a novel taxonomy of sampling techniques, in which current and emerging techniques are identified according to their inner characteristics: granularity, selection trigger and selection scheme.
Following the proposed taxonomy, a sampling framework prototype has been developed and used as an experimental implementation of the proposed architecture, providing a fair environment to assess and compare sampling techniques under distinct measurement scenarios. Supported by the sampling framework, distinct techniques have been evaluated regarding their performance in balancing the computational burden and the accuracy in supporting traffic workload estimation and flow analysis. The results have demonstrated the relevance and applicability of the proposed architecture, revealing that a modular and configurable approach to sampling is a step forward for improving sampling scope and efficiency.
Building a Standard Measurement Platform
Network management is achieved through a large number of disparate solutions for different technologies and parts of the end-to-end network. Gaining an overall view, and especially predicting the impact on a service user, is difficult. Recently, a number of proprietary platforms have emerged to conduct end-to-end testing from user premises; however, these are limited in scale, interoperability, and the ability to compare like-for-like results. In this article we show that these platforms share similar architectures and can benefit from the standardization of key interfaces, test definitions, information model, and protocols. We take the SamKnows platform as a use case and propose an evolution from its current proprietary protocols to standardized protocols and tests. In particular, we propose to use extensions of the IETF's IPFIX and NETCONF/YANG in the platform. Standardization will allow measurement capabilities to be included on many more network elements and user devices, providing a much more comprehensive view of user experience and enabling problems and performance bottlenecks to be identified and addressed.