430 likes | 445 Views
This article explores the use of Cisco data and various tools to enhance network management and identify traffic anomalies. It covers topics such as NetFlow versions, NetFlow toolkit, flow-capture, flow-print, flow-filter, flow-cat, and other useful scripts.
E N D
Enhancing Network Management with Cisco Data Brian Borowski – brianb@uwo.ca Ed Gibson – egibson@uwo.ca
Water’s Hardware • Debian Stable Release 2.4 Kernel • Dual P3 @1Gig CPU’s • 1.5 Gig RAM • Onboard IDE - • (2) 60 Gig IDE on Channel 0 • (1) CDROM on Channel 1 • Promise PD-2067 PCI - IDE Interface Card • (2) 60 Gig IDE on Channel 0 • (2) 60 Gig IDE on Channel 1 • Total of 360 Gig IDE Drive Space
Water’s Partitions • 60 Gig - /, /usr • 60 Gig - /usr1 • 120 Gig (linear) - /nf1 {gate1, gate2, hse} • 120 Gig (linear) - /nf2 {nsc cat, uc cat} • /nf1 & /nf2 maintained at 90% capacity • gate2 - 65 days • hse - 60 days • cat's - 40 days
Version 1 • Source Interface - SNMP Index of input interface • Source IP Address • Destination Interface - SNMP Index of output interface • Destination IP Address • Protocol - IP protocol type • (i.e, ICMP = 1, TCP = 6; UDP = 17) • Source Port - TCP/UDP source port number or equivalent • Destination Port - TCP/UDP destination port number or equivalent • Packets - Packets in the flow • Octets - Total number of Layer 3 bytes in the packets of the flow • Start Time - Unix time • Lifetime - flight time of the flow
Netflow Toolkit • Utilize a netflow "toolkit" available at • http://www.splintered.net/sw/flow-tools/ • We have made some modifications • flow-capture • data collector - receives data from router • one instance per source (unique udp port) • we currently have 7 instances • zip compresses data in 16 blocks (4:1 compression) • one file per hour named rawflow.mm-dd-yyyy.hh • files >2GB required later kernel and current fileutils glibc, bash, ETC. • busy periods ~ 4-5GB/hr • custom -> filename format
flow-print • Decompress and Display Data • Number of output formats • 0 short format • Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets • 1 long format • Sif SrcIPaddress DIF DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl R1 CS MC • 6 custom format • Sif SrcIPaddress DIF DstIPaddress Pr SrcP DstP Pkts Octets start_time lifetime • generally used as a piped filter • cat ~/gate1flows/rawflow.05-14-2004.10 | flow-print -f6 | more • custom -> format type 6 (Unix time format) • custom -> display ports and protocols in decimal
flow-stat • Library of predefined reports • Command Line Parameters of Interest • -P use percents instead of counters • -Sn sort descending on field n • -sn sort ascending on field n • -fn format n
flow-stat(cont’d)) • 0 Overall Summary • 1 Average packet size distribution • 2 Packets per flow distribution • 3 Octets per flow distribution • 4 Bandwidth per flow distribution • 5 UDP/TCP destination port • 6 UDP/TCP source port • 7 UDP/TCP port • 8 Destination IP • 9 Source IP • 10 Source/Destination IP • 11 Source or Destination IP • 12 IP protocol • ……..
flow-filter • Utility to filter traffic • Uses “kludge” of Cisco ACL format to filter IP’s (defaults file flow.acl) • Command parameters links to ACL reference • e.g. more flow.acl ip access-list standard uwoweb permit 129.100.2.71 ip access-list standard cuda permit host 129.100.1.101
flow-filter (cont’d) • $ flow-filter -h Usage: flow-filter [-hko] [-a src_as_filter] [-A dst_as_filter] [-b big|little] [-C comment] [-D dstaddr_filter_name] [-d debug_level] [-f acl_fname] [-i input_filter] [-I output_filter] [-p srcport_filter] [-P dstport_filter] [-r ipprot_filter] [-S srcaddr_filter_name] [-t tos_filter] [-T tcp_flags_filter] [-x nexthop_filter_name] [-z z_level]
Flow-Cat • Facilitates the concatenation of multiple flow files into a single pipe stream. • e.g. flow-cat rawflow.05-14-2004.* | flow-print -f6 | {some utility} • Other tools included in this toolkit but are beyond the scope of this presentation.
flow-filter • clunky & limiting • flatten data with flow-print then process • Unix piping • grep, awk, sort • perl one liners • perl -ne '@a=split(“ “,$_);if(($a[4]==6)&&($a[6]==53)){print $_}'
toolbox of scripts to perform repetitive functions • slice - pull particular time sections out of a particular day • eg. slice gate1 3 11 12 13 • flowcleaver - filter netflow output for a particular value or range in a specified column • eg. … | flow-print –f6 | flowcleaver –sip 129.100.87 | … • l3srcsum - total and index (flow,packet,octet) input stream by IP source • l3destsum - total and index (flow,packet,octet) input stream by IP destination • l4srcsum - total and index (flow,packet,octet) input stream by destination port • l4destsum - total and index (flow,packet,octet) input stream by source port • timefill – convert from Unix time to calendar time
Identify Traffic Anomalies • Top N analysis • By octet • By conversations • By port • Focus analysis on anomalies • Identified by MRTG • Syslog • Netflow • IDP … • Scanner detection & BOTs
Security Incident Verification • Complaint received associated with network activity two weeks ago • Netflow can verify conversation took place • What ports involved (web,smtp,IRC) • Irrefutable second source of transaction verification
Protocol Distribution • Application analysis of network traffic • Percentage of Web Traffic • Locate ftp servers • Tracking BOT communication channels • Virus Infection Detection
Traffic Distribution • What networks/users are hogging the Internet Pipe? • What hosts are seeing significant inbound traffic requests • Are there outside hosts dominating your outbound traffic?
NetFlow Uses Access Distribution Core Distribution Access Network Layer • Attack Mitigation • User (IP) monitoring • Application monitoring • Billing • Chargeback • AS Peer Monitoring • Traffic Engineering • Traffic Analysis • Billing • Chargeback • AS Peer Monitoring • Attack Mitigation • User (IP) monitoring • Application monitoring Applications • Aggregation Schemes (v8) • “show ip cache flow” command • Arbor Networks • NetFlow MPLS Egress Accounting • BGP Next-hop (v9) • Multicast NetFlow (v9) • MPLS Aware NetFlow (v9) • BGP Next-hop (v9) • Sampled NetFlow • NetFlow MPLS Egress Accounting • BGP Next-hop (v9) • Multicast NetFlow (v9) • Aggregation Schemes (v8) • “show ip cache flow” command • Arbor Networks NetFlow Features
Futures • …… • brianb@uwo.ca • egibson@uwo.ca