Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Published byBenjamin McKay Modified over 11 years ago

Similar presentations

Presentation on theme: "Network Monitoring System In CSTNET Long Chun China Science & Technology Network."— Presentation transcript:

1 Network Monitoring System In CSTNET Long Chun China Science & Technology Network

2 2 Agenda Introduction of Peakflow SP 1 Basic Traffic Analysis 2 BGP Analysis Function 3 4 1 4 4 Role of Peakflow SP in Security Area 4 4

3 3 Peakflow SP Platform Infrastructure Security DoS/worm detection Traceback Analysis Mitigation Infrastructure Security DoS/worm detection Traceback Analysis Mitigation Traffic and Routing Routing management Transit/peering mgmt Customer accounting Backbone mgmt Traffic and Routing Routing management Transit/peering mgmt Customer accounting Backbone mgmt Converged Platform Device Infrastructure Security Traffic and Routing Analysis Converged Platform Device Infrastructure Security Traffic and Routing Analysis Managed Services Device Customer facing DoS detection and mitigation Managed Services Device Customer facing DoS detection and mitigation

4 4 Intel 2U Servers Peakflow Network Appliances Measurement Collect Netflow, Cflow, Sflow, SNMP and optionally BGP information from network routers/devices Deployment Monitor up to 5 routers per Peakflow Device Up to 15 devices managed by controller Reporting Reports available on controller through CLI or GUI Notifications via email, snmp, or syslog Collector – collect data from routers, baseline traffic, detect anomalies. Controller –aggregate data from other devices; create a central network-wide view

5 5 Netflow Peakflow examines NetFlow packets that are generated by the router or switch as traffic is forwarded. The NetFlow is analyzed to benchmark network behavior and identify anomalies.

6 6 Topology

7 7 Agenda Introduction of Peakflow SP 1 Basic Traffic Analysis 2 BGP Analysis Function 3 4 1 4 4 Role of Peakflow SP in Security Area 4 4

8 8 Traffic Analysis Automatically Configured Analysis Objects: Network Router Peer Interface No Complex Configuration Objects Customized by User: Customer Profile Flexibly customize objects we need

9 9 Traffic Analysis User define objects: Profile Include 1 IP Address or Block of IP Addresses 2 AS Path Regular Expressions 3 Local AS/Sub AS 4 BGP community 5 Peer ASN 6 TCP/UDP port 7 Interface Boolean Operation AND OR NOT We can define analysis objects flexibly: community '2:20'and not 92.2.1.0/25 aspath ^23849 and not aspath ^23849_9800 community 2:20 and aspath ^4134

10 10 Traffic Summary

11 11 Traffic Analysis Base on TCP/UDP Port (1)

12 12 Traffic Analysis Base on TCP/UDP Port(2)

13 13 Top Talkers

14 14 Agenda Introduction of Peakflow SP 1 Basic Traffic Analysis 2 BGP Analysis Function 3 4 1 4 4 Role of Peakflow SP in Security Area 4 4

15 15 Transit Traffic Analysis Object Network Router Peer Customer Profile Interface Operation Network BGP Attribute ASxAS

16 16 Traffic Analysis Base on AS

17 17 Traffic Analysis Base on AS Path

18 18 Peering Evaluation and Visualization

19 19 Agenda Introduction of Peakflow SP 1 Basic Traffic Analysis 2 BGP Analysis Function 3 4 1 4 4 Role of Peakflow SP in Security Area 4 4

20 20 Peakflow SP Anomaly Reporting Profiled Anomalies – deviations from normal traffic levels on the network Misuse Anomalies – Traffic towards specific hosts that exceed what should normally be seen on a network Fingerprint/Worm Anomalies – Traffic that fits a user specified signature

21 21 Detect Attack - Profiled Anomalies A baseline of normal behavior leveraging flow data available from the routers deployed on the network would be built. In real-time, the system compares traffic against the baseline. Detects network-wide anomalies such as DDoS attacks and worm outbreaks in non-intrusive data collection methods.

22 22 Detection Classes: Misuse Detected independently from the established baselines, on a set of known attack signatures. Traffic of specific types exceeding what should be normal for a network. Misuse anomalies cover the following types of traffic: ICMP Anomaly TCP NULL Flag Anomaly TCP SYN Flag Anomaly TCP RST Flag Anomaly IP NULL (Proto 0) Anomaly IP Fragmentation Anomaly IP Private Address Space Anomaly

23 23 Misuse Anomalies - Dark IP

24 24 Fingerprint/Worm Anomalies(1)

25 25 Tracing Anomalies Automatically trace the source and destination IP/Port, TCP Flag of abnormal traffic. Distribution of attack traffic by source and destination IP/Port. Trace the network device that the abnormal traffic pass through.

26 26 Prevent/Mitigate Network-wide Anomalies System can recommend appropriate mitigation measures to mitigate anomalies such as DoS attack and worm outbreaks. Generate recommended ACLs or rate limit commands. Blackhole routing Sinkhole routing

27 27 Alert BGP BGP Instability BGP Route Hijacking Data Source BGP Down Flow Down SNMP Down DoS Alert Interface Usage: traffic exceeded configured baseline Use E-mail, SNMP Traps, Syslog etc to notify network administrators.

28 Thank you !

Download ppt "Network Monitoring System In CSTNET Long Chun China Science & Technology Network."

Similar presentations

Computer Networks TCP/IP Protocol Suite.

Computer Networks TCP/IP Protocol Suite.
1 UNIT I (Contd..) High-Speed LANs. 2 Introduction Fast Ethernet and Gigabit Ethernet Fast Ethernet and Gigabit Ethernet Fibre Channel Fibre Channel High-speed.

1 UNIT I (Contd..) High-Speed LANs. 2 Introduction Fast Ethernet and Gigabit Ethernet Fast Ethernet and Gigabit Ethernet Fibre Channel Fibre Channel High-speed.
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
Document #07-12G 1 RXQ.11.4.1 Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.

Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
Document #07-12G 1 RXQ.11.4.1 Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.

Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
Improvement of TCP Packet Reassembly in Libnids

Improvement of TCP Packet Reassembly in Libnids
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
My Alphabet Book abcdefghijklm nopqrstuvwxyz.

My Alphabet Book abcdefghijklm nopqrstuvwxyz.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Addition Facts 1 - 20.

Addition Facts
Communicating over the Network

Communicating over the Network
© 2012 Gigamon. All rights reserved. The Dynamic World of Threat Detection, Containment & Response 1.

© 2012 Gigamon. All rights reserved. The Dynamic World of Threat Detection, Containment & Response 1.
Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.

Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.
Chapter 1 Data Communications and NM Overview 1-1 Chapter 1

Chapter 1 Data Communications and NM Overview 1-1 Chapter 1

Similar presentations

Ads by Google