Presentation is loading. Please wait.

Presentation is loading. Please wait.

Visualizing network flows Gregory Travis Advanced Network Management Lab Indiana University

Published byAllen Sparks Modified over 9 years ago

Similar presentations

Presentation on theme: "Visualizing network flows Gregory Travis Advanced Network Management Lab Indiana University"— Presentation transcript:

1 Visualizing network flows Gregory Travis Advanced Network Management Lab Indiana University greg@iu.edu

2 Forest through the trees “Too much information” Abilene generating 5-6,000 flows/second Typically about 270,000-350,000 “active” active flows during the day “Raw” data analysis inadequate Forest through trees

3 SNORT raw log file example [**] [117:1:1] (spp_portscan2) Portscan detected from 207.75.xxx.xxx: 4 targets 21 ports in 28 seconds [**] 10/14-09:50:45.727011 207.75.xxx.xxx:80 -> 149.165.xxx.xxx:49194 TCP TTL:60 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF ***A**S* Seq: 0xD756E195 Ack: 0xDDC23C59 Win: 0x16A0 TcpLen: 40 TCP Options (6) => MSS: 1460 NOP NOP TS: 518109736 2681681736 TCP Options => NOP WS: 0 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**] 10/14-09:51:08.526214 149.165.xxx.xxx:0 -> 149.165.xxx.xxx:0 UDP TTL:128 TOS:0x0 ID:16642 IpLen:20 DgmLen:206 Len: 178 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Classification: Misc activity] [Priority: 3] 10/14-09:52:11.494517 128.109.xxx.xxx -> 149.165.xxx.xxx ICMP TTL:249 TOS:0x0 ID:0 IpLen:20 DgmLen:56 Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED ** ORIGINAL DATAGRAM DUMP: 149.165.xxx.xxx -> 149.168.xxx.xxx ICMP TTL:122 TOS:0x0 ID:2394 IpLen:20 DgmLen:92 ** END OF DUMP [**] [106:4:1] (spp_rpc_decode) Incomplete RPC segment [**] 10/14-09:52:12.345311 64.12.xxx.xxx:5190 -> 149.165.xxx.xxx:32771 TCP TTL:106 TOS:0x0 ID:45414 IpLen:20 DgmLen:98 DF ***AP*** Seq: 0xD9256CFA Ack: 0xC79F78B9 Win: 0x4000 TcpLen: 20 [**] [111:8:1] (spp_stream4) STEALTH ACTIVITY (FIN scan) detection [**] 10/14-13:18:30.235714 66.250.xxx.xxx:25111 -> 149.165.xxx.xxx:13091 TCP TTL:47 TOS:0x0 ID:59791 IpLen:20 DgmLen:52 DF *******F Seq: 0x32BE0760 Ack: 0x0 Win: 0xFFFF TcpLen: 32 TCP Options (3) => NOP NOP TS: 234082903 0

4 Problems with that Visually unattractive “Angry Fruit Salad” Information overload False-positives

5 Forest through the trees Evolution of visualization techniques Text-Based 2D visualization of old text information I.e. ACID interface to SNORT

6 ACID display

7 Ok, getting better. System is doing some aggregating for us. We have some visualization (traffic profile) This is from a real display (Fall Internet2 member’s meeting)

8 ACID display But still showing us the same alerts, the vast majority of which are not actually issues.

9 2D frontends Did much to clean up aggressive “angry fruit salad” of text-only interface Inherent advantage of “eye candy” But still relied on same underlying data Bias towards false-positives

10 Emergence of statistical tools Next step was emergence of so-called statistical tools Idea of establishing a baseline of “normal” activity Detect deviations from “normal” Throw a nice 2D front-end on it

11 ARBOR display

12 Statistical tools Even more aggregation (good) Greatly reduce “false positive” issue over signature tools But the bias is still there What’s more damning, overreporting or underreporting? More good eye candy

13 Problems with statistical tools You have to be able to establish a baseline of “normal” activity Is that even possible in a dynamic environment? Example: Abilene research Land Speed Records Protocol experiments Video over IP Drive the models “nuts.”

14 More problems Still have to map a lot of 2D-information onto a conceptual framework of the network “What are the ingress and egress points?” “Is this sourced, destined, or just transiting the network” Miss low-level activity as “noise” in the network I.e. slow portscans, host scans, etc.

15 Forest through the trees Evolution of visualization techniques Text-Based 2D visualization of old text information I.e. ACID interface to SNORT 3D visualization?

16 gCube Nascent effort to develop a useful 3D modelling capability. Not an original idea (Shakespeare had it first) Saw a similar tool at SC2003 Steve Lau (LBNL) Cube of potential doom BRO project (http://www.icir.org/vern/bro.html) Nevertheless, rooted in tragedy for sure Ongoing development

17 gCube Abilene in Winter

18 What is it? Basic version is 3D view of “flow” activity X/Z axis determined by source/destination IP Y axis determined by port number Usually destination port number

19 Where does it get its input? Three possible inputs: Direct NETFLOW feed Archived NETFLOW (files) PCAP view of local network

20 Looking down on Abilene

21 What are we seeing? Entire IPv4 address space (all 4 billion possible source and destination addresses) Blank areas represent portions of IP space not allocated to Abilene-connected institutions Allocation pattern is interesting 4 “towers” Early remnants of class-A allocations MIT,.gov, etc.

22 Side view of Abilene

23 What structures are visible? Special “floors” 32K port allocation floor 40K port allocation floor Density of port allocations at lower levels An apparent port scan!

24 The low level

25 Visualizing DDoS with gCube Eventual hope is to develop gCube into a DDoS visualization tool Particularly good at detecting Port Scans Host Scans Scans into “abnormal” IP space I.e. Slammer type stuff Rate/bandwidth anomalies

26 Simple case, portscan

27 Simulated Portscan

28 DDoS in the real world

29 What is that? January 14th, 2003, ~2-3PM EST Port scan of a destination address Spoofed source IP addresses Distributed equally through IP space Had been preceded by apparent “experiments” earlier in the day and earlier in the week (Jan 5th) Experiments used only a single or few test ports

30 Experiments

31 Note Attacks to three separate IPs/closely clustered groups of IPs Spoofed source IPs But possibly from as many as three different organizations At least one real source appeared to be suppressing sources from the multicast space

32 Backscatter

33

Download ppt "Visualizing network flows Gregory Travis Advanced Network Management Lab Indiana University"

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.

IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.
REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel° and Benoit Donnet°. *Université.

REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel° and Benoit Donnet°. *Université.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
CS 457 – Lecture 16 Global Internet - BGP Spring 2012.

CS 457 – Lecture 16 Global Internet - BGP Spring 2012.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Snort - Open Source Network Intrusion Detection System Survey.

Snort - Open Source Network Intrusion Detection System Survey.
Fusing Intrusion Data for Pro-Active Detection and Containment Mallikarjun (Arjun) Shankar, Ph.D. (Joint work with Nageswara Rao and Stephen Batsell)

Fusing Intrusion Data for Pro-Active Detection and Containment Mallikarjun (Arjun) Shankar, Ph.D. (Joint work with Nageswara Rao and Stephen Batsell)
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Martin Roesch Sourcefire Inc.

Martin Roesch Sourcefire Inc.

Similar presentations

Ads by Google