
Network Monitoring System In CSTNET


Presentation Transcript


  1. Network Monitoring System In CSTNET
     Long Chun, China Science & Technology Network

  2. Agenda
     1. Introduction of Peakflow SP
     2. Basic Traffic Analysis
     3. BGP Analysis Function
     4. Role of Peakflow SP in Security Area

  3. Peakflow SP Platform
     Managed Services Device
     • Customer-facing DoS detection and mitigation
     Converged Platform Device
     • Infrastructure Security
     • Traffic and Routing Analysis
     Infrastructure Security
     • DoS/worm detection
     • Traceback
     • Analysis
     • Mitigation
     Traffic and Routing
     • Routing management
     • Transit/peering management
     • Customer accounting
     • Backbone management

  4. Peakflow Network Appliances
     Measurement
     • Collect NetFlow, cflowd, sFlow, SNMP and optionally BGP information from network routers/devices
     • Collector – collects data from routers, baselines traffic, detects anomalies
     • Controller – aggregates data from other devices; creates a central network-wide view
     Intel 2U servers
     Deployment
     • Monitor up to 5 routers per Peakflow device
     • Up to 15 devices managed by one controller
     Reporting
     • Reports available on the controller through CLI or GUI
     • Notifications via e-mail, SNMP, or syslog

  5. NetFlow
     Peakflow examines the NetFlow records that the router or switch exports as it forwards traffic. The NetFlow data is analyzed to baseline normal network behavior and to identify anomalies against that baseline.

  6. Topology

  7. Agenda
     1. Introduction of Peakflow SP
     2. Basic Traffic Analysis
     3. BGP Analysis Function
     4. Role of Peakflow SP in Security Area

  8. Traffic Analysis
     • Automatically configured analysis objects (no complex configuration):
       -【Network】
       -【Router】
       -【Peer】
       -【Interface】
     • Objects customized by the user (flexibly define the objects we need):
       -【Customer】
       -【Profile】

  9. Traffic Analysis
     • User-defined objects:
       -【Profile】may include:
         1、IP address (or block of IP addresses)
         2、AS path regular expressions
         3、Local AS / sub-AS
         4、BGP community
         5、Peer ASN
         6、TCP/UDP port
         7、Interface
       Boolean operations: AND、OR、NOT
     We can define analysis objects flexibly:
     • community '2:20' and not 92.2.1.0/25
     • aspath '^23849' and not aspath '^23849_9800'
     • community '2:20' and aspath '^4134'
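The three profile expressions on this slide combine community, prefix and AS-path predicates with boolean operators. The following Python is an added illustration of how such a profile can be evaluated over flow records; it is not Peakflow code, and the `Flow` record layout, the `_`-separated AS-path rendering and the sample flows are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One flow record annotated with the BGP attributes of its route.
    The field set is an assumption for this example, not Peakflow's schema."""
    src: str
    dst: str
    bytes: int
    as_path: list      # AS numbers from the local AS outwards, e.g. [23849, 9800, 4134]
    communities: set   # e.g. {"2:20"}


# Profile building blocks: each returns a predicate Flow -> bool.
def community(value):
    return lambda f: value in f.communities


def prefix(cidr):
    """Matches when the source or destination address lies inside the block."""
    net = ipaddress.ip_network(cidr)
    return lambda f: (ipaddress.ip_address(f.src) in net
                      or ipaddress.ip_address(f.dst) in net)


def aspath(pattern):
    """Regex over the AS path rendered with '_' between hops, so '^23849_9800'
    means 'starts with 23849 followed by 9800' (router-style notation)."""
    rx = re.compile(pattern)
    return lambda f: rx.search("_".join(str(a) for a in f.as_path)) is not None


def AND(*preds):
    return lambda f: all(p(f) for p in preds)


def OR(*preds):
    return lambda f: any(p(f) for p in preds)


def NOT(pred):
    return lambda f: not pred(f)


# The three profiles quoted on the slide, built from the blocks above.
PROFILES = {
    "community '2:20' and not 92.2.1.0/25":
        AND(community("2:20"), NOT(prefix("92.2.1.0/25"))),
    "aspath '^23849' and not aspath '^23849_9800'":
        AND(aspath("^23849"), NOT(aspath("^23849_9800"))),
    "community '2:20' and aspath '^4134'":
        AND(community("2:20"), aspath("^4134")),
}


def profile_bytes(flows, profiles=PROFILES):
    """Bytes attributed to each profile; a flow may count towards several profiles."""
    return {name: sum(f.bytes for f in flows if pred(f))
            for name, pred in profiles.items()}


# Constructed flow records (not from the presentation).
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "92.2.1.10", 1000, [23849, 9800, 4134], {"2:20"}),
    Flow("198.51.100.2", "203.0.113.3", 500, [4134, 4837], {"2:20"}),
    Flow("198.51.100.3", "203.0.113.5", 300, [23849, 7497], {"2:21"}),
]

if __name__ == "__main__":
    for name, total in profile_bytes(SAMPLE_FLOWS).items():
        print(f"{total:>6} bytes  {name}")
```

Because profiles are arbitrary predicates, one flow can be counted under several of them; a practitioner comparing profile totals against interface totals should remember that they do not have to add up.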

  10. Traffic Summary

  11. Traffic Analysis Based on TCP/UDP Port (1)

  12. Traffic Analysis Based on TCP/UDP Port (2)

  13. Top Talkers

  14. Agenda
     1. Introduction of Peakflow SP
     2. Basic Traffic Analysis
     3. BGP Analysis Function
     4. Role of Peakflow SP in Security Area

  15. Transit Traffic Analysis
     Objects:【Network】【Router】【Peer】【Customer】【Profile】【Interface】
     Operations: Network BGP attribute, AS x AS

  16. Traffic Analysis Based on AS

  17. Traffic Analysis Based on AS Path

  18. Peering Evaluation and Visualization

  19. Agenda
     1. Introduction of Peakflow SP
     2. Basic Traffic Analysis
     3. BGP Analysis Function
     4. Role of Peakflow SP in Security Area

  20. Peakflow SP Anomaly Reporting
     • Profiled Anomalies – deviations from normal traffic levels on the network
     • Misuse Anomalies – traffic towards specific hosts that exceeds what should normally be seen on a network
     • Fingerprint/Worm Anomalies – traffic that fits a user-specified signature

  21. Detect Attack - Profiled Anomalies
     • A baseline of normal behavior is built from the flow data exported by the routers deployed on the network.
     • In real time, the system compares current traffic against the baseline.
     • Detects network-wide anomalies such as DDoS attacks and worm outbreaks using only this non-intrusive data collection (no inline device is required).

  22. Detection Classes: Misuse
     • Detected independently of the established baselines, from a set of known attack signatures.
     • Traffic of specific types exceeding what should be normal for a network.
     • Misuse anomalies cover the following types of traffic:
       • ICMP Anomaly
       • TCP NULL Flag Anomaly
       • TCP SYN Flag Anomaly
       • TCP RST Flag Anomaly
       • IP NULL (Proto 0) Anomaly
       • IP Fragmentation Anomaly
       • IP Private Address Space Anomaly
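Slides 21 and 22 describe two detection classes: profiled anomalies, judged against a learned baseline, and misuse anomalies, judged against fixed per-type thresholds regardless of baseline. The Python below is an added example showing both run over the same set of NetFlow-style records; it is not Peakflow's algorithm. The `Flow` record layout, the mean-plus-k-standard-deviations baseline test, the per-class thresholds and all sample records are assumptions constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# RFC 1918 blocks: source addresses from these ranges should not arrive at a border.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    """One NetFlow-style record (field set is an assumption for this example)."""
    src: str
    dst: str
    proto: int       # IP protocol number: 0 = none, 1 = ICMP, 6 = TCP, 17 = UDP
    tcp_flags: int   # cumulative TCP flags of the flow (0 for non-TCP)
    fragment: bool   # record describes a non-first IP fragment
    packets: int
    bytes: int


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def misuse_classes(f):
    """Misuse anomaly classes this flow contributes to (a flow may fit several)."""
    classes = set()
    if f.proto == 0:
        classes.add("ip_null_proto")
    if f.fragment:
        classes.add("ip_fragment")
    if is_rfc1918(f.src):
        classes.add("ip_private_src")
    if f.proto == 1:
        classes.add("icmp")
    if f.proto == 6:
        if f.tcp_flags == 0:
            classes.add("tcp_null")                      # no flags at all
        elif f.tcp_flags & TCP_SYN and not f.tcp_flags & TCP_ACK:
            classes.add("tcp_syn")                       # SYN without ACK
        elif f.tcp_flags & TCP_RST:
            classes.add("tcp_rst")
    return classes


def misuse_anomalies(flows, thresholds):
    """Packets per class in one interval; report the classes whose count exceeds
    their fixed threshold. Independent of any baseline, as slide 22 states."""
    counts = defaultdict(int)
    for f in flows:
        for c in misuse_classes(f):
            counts[c] += f.packets
    return {c: n for c, n in counts.items() if n > thresholds.get(c, float("inf"))}


def build_baseline(history):
    """history: {dst: [bytes seen in each past interval]} -> {dst: (mean, stdev)}."""
    return {dst: (statistics.mean(v), statistics.stdev(v)) for dst, v in history.items()}


def profiled_anomalies(flows, baseline, k=3.0, min_rel_std=0.05):
    """Bytes per destination in the current interval versus mean + k*stdev of its
    baseline. The stdev is floored at min_rel_std*mean so that a perfectly flat
    history does not alert on trivial changes (a design choice for this example)."""
    current = defaultdict(int)
    for f in flows:
        current[f.dst] += f.bytes
    hits = {}
    for dst, total in current.items():
        if dst not in baseline:
            continue                 # no history yet: nothing to compare against
        mean, std = baseline[dst]
        if total > mean + k * max(std, min_rel_std * mean):
            hits[dst] = total
    return hits


# Constructed sample data (not from the presentation).
HISTORY = {
    "203.0.113.10": [100000, 110000, 90000, 105000, 95000],
    "203.0.113.20": [80000, 82000, 78000, 81000, 79000],
}
CURRENT = [
    Flow("198.51.100.7", "203.0.113.10", 6, TCP_SYN, False, 6000, 240000),  # SYN-only burst
    Flow("10.0.0.5", "203.0.113.10", 6, 0, False, 50, 2000),                # private src, no flags
    Flow("198.51.100.9", "203.0.113.20", 17, 0, False, 100, 81000),         # ordinary UDP
    Flow("198.51.100.11", "203.0.113.10", 0, 0, False, 10, 500),            # IP protocol 0
    Flow("198.51.100.12", "203.0.113.20", 1, 0, False, 20, 1000),           # a little ICMP
]
THRESHOLDS = {"tcp_syn": 1000, "tcp_null": 0, "tcp_rst": 1000, "ip_null_proto": 0,
              "ip_fragment": 100, "ip_private_src": 0, "icmp": 500}

if __name__ == "__main__":
    print("misuse:  ", misuse_anomalies(CURRENT, THRESHOLDS))
    print("profiled:", profiled_anomalies(CURRENT, build_baseline(HISTORY)))
```

Note that the small ICMP flow stays below its misuse threshold, while the same interval's SYN burst is reported twice: as a misuse anomaly (SYN packets over threshold) and, because it also inflates the byte count towards 203.0.113.10 far beyond the baseline, as a profiled anomaly. Operators tuning a system like this should expect the two classes to overlap on large attacks and differ on low-volume ones.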

  23. Misuse Anomalies - Dark IP

  24. Fingerprint/Worm Anomalies (1)

  25. Tracing Anomalies
     • Automatically trace the source and destination IP/port and TCP flags of the abnormal traffic.
     • Show the distribution of attack traffic by source and destination IP/port.
     • Trace the network devices that the abnormal traffic passes through.

  26. Prevent/Mitigate Network-wide Anomalies
     • The system can recommend appropriate measures to mitigate anomalies such as DoS attacks and worm outbreaks.
     • Generate recommended ACLs or rate-limit commands.
     • Blackhole routing
     • Sinkhole routing
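Slides 25 and 26 describe tracing an anomaly (distribution of the abnormal traffic by source, destination and port) and then turning that trace into a recommended mitigation (ACL entries, or a blackhole route when one destination takes almost all of the traffic). The Python below is an added example of that pipeline, not Peakflow's recommendation engine; the record layout, the 90% share rule for suggesting a blackhole route, the IOS-style command text and all sample records are assumptions constructed for illustration and must be reviewed before anything like them is applied to a router.

```python
from collections import Counter

# Constructed records of traffic already classified as anomalous (not from the page):
# (src, dst, proto, dst_port, packets)
ATTACK_FLOWS = [
    ("198.51.100.7", "203.0.113.10", "tcp", 80, 6000),
    ("198.51.100.8", "203.0.113.10", "tcp", 80, 4000),
    ("198.51.100.7", "203.0.113.10", "tcp", 443, 500),
    ("198.51.100.9", "203.0.113.20", "udp", 53, 300),
]
SRC, DST, PROTO, PORT, PKTS = range(5)


def distribution(flows, field, top=5):
    """Packet distribution of the anomalous traffic by one field (slide 25):
    returns [(value, packets), ...] largest first."""
    c = Counter()
    for rec in flows:
        c[rec[field]] += rec[PKTS]
    return c.most_common(top)


def recommend(flows, acl_number=101, blackhole_share=0.9):
    """Recommended mitigation for the destination receiving the most anomalous
    traffic (slide 26). Returns (dst, commands). Command syntax is IOS-style
    and illustrative; the blackhole route is only suggested when that one
    destination carries at least blackhole_share of all anomalous packets,
    since it sacrifices the host to protect the rest of the network."""
    (dst, dst_pkts), = distribution(flows, DST, top=1)
    total = sum(rec[PKTS] for rec in flows)
    to_dst = [rec for rec in flows if rec[DST] == dst]

    commands = []
    # One deny line per (protocol, port) pair seen in the trace, busiest first.
    for (proto, port), _ in Counter(
            {(rec[PROTO], rec[PORT]): 0 for rec in to_dst}).most_common():
        pass  # placeholder loop replaced below; kept simple for readers
    pairs = Counter()
    for rec in to_dst:
        pairs[(rec[PROTO], rec[PORT])] += rec[PKTS]
    for (proto, port), _ in pairs.most_common():
        commands.append(f"access-list {acl_number} deny {proto} any host {dst} eq {port}")
    commands.append(f"access-list {acl_number} permit ip any any")

    if dst_pkts / total >= blackhole_share:
        commands.append(f"ip route {dst} 255.255.255.255 Null0")
    return dst, commands


if __name__ == "__main__":
    print("by source:     ", distribution(ATTACK_FLOWS, SRC))
    print("by destination:", distribution(ATTACK_FLOWS, DST))
    print("by port:       ", distribution(ATTACK_FLOWS, PORT))
    dst, cmds = recommend(ATTACK_FLOWS)
    print(f"recommended for {dst}:")
    for line in cmds:
        print("  " + line)
```

The ACL lines here are deliberately narrow (destination host plus the protocol and port actually seen in the trace) so that, if applied, they affect only the traffic the trace identified; a blackhole route is the coarser tool and is therefore gated on the share of traffic a single destination receives.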

  27. Alert
     • BGP
       • BGP Instability
       • BGP Route Hijacking
     • Data Source
       • BGP Down
       • Flow Down
       • SNMP Down
     • DoS Alert
     • Interface Usage: traffic exceeded the configured baseline
     E-mail, SNMP traps, syslog etc. are used to notify network administrators.

  28. Thank you!