Presentation is loading. Please wait.

Presentation is loading. Please wait.

Flow Aware Packet Sampling

Published byKelly Owen Modified over 9 years ago

Similar presentations

Presentation on theme: "Flow Aware Packet Sampling"— Presentation transcript:

1 Flow Aware Packet Sampling
[Add Presentation Title: Insert tab > Header & Footer > Notes and Handouts] 4/25/2017 Flow Aware Packet Sampling Ram Krishnan/David Meyer – Brocade Communications Ning So – Tata Communications © 2010 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only

2 INTRODUCTION Current Issues Flow Aware Packet Sampling Solution
Uniform packet sampling in networking devices Sample long-lived/short-lived, large/small flows equally Large percentage of samples is large flows (aka top-talkers) Small flows -- typical cause of security threats like Denial of Service (DOS) attacks, Scanning attacks etc. Small percentage of the bandwidth and a large percentage of the flow space Flow Aware Packet Sampling Solution Automatically detect the top-talkers inline & real-time in networking devices Sample only the small flows Security threat detection more effective with minimal sampling overhead Terminology: -- Large flow(s): long-lived large flow(s) -- Small flow(s): long-lived small flow(s) and short-lived small/large flow(s)

3 SOLUTION DETAILS (1) Large Flow Recognition Large Flow Classification
Flow identification - all layer 2/3/4 formats supported by IPFIX Define observation interval and observe the bandwidth of the flow over that interval A flow that exceeds a certain minimum bandwidth threshold over that observation interval would be considered a large flow Suggested technique for automatic recognition Algorithm based on counting bloom filters Large Flow Classification Recognized large flows can be broadly classified into 2 categories as detailed below. Well behaved (steady rate) large flows, e.g. video streams Bursty (fluctuating rate) large flows e.g. Peer-to-Peer traffic

4 SOLUTION DETAILS (2) Small Flow Processing
Recognized large flows can be sampled at low rate if desired Export large flows to a central entity, for e.g. Netflow Collector, using IPFIX protocol Top-talker reporting or further analysis Small Flow Processing Sample small flows (excluding the large flows) at a normal rate using PSAMP protocol. Examine small flows for determining security threats like DOS attacks (for e.g. SYN floods), Scanning attacks etc.

5 NEXT STEPS Adopt as a work item in IPFIX working group – Informational RFC Operator Interest Vendor Interest

6 ADDITIONAL WORK ITEMS Programmable parameters in switches and routers for automatic recognition of large flows Option 1: Open APIs like REST API Option 2: Data models like YANG Address gaps in IPFIX protocol Option 1: Explicit protocol specification e.g. VXLAN, NVGRE Option 2: Virtualization/abstraction layer to central management entity Flexible protocol type, packet offset/byte model interface to switches/routers

Download ppt "Flow Aware Packet Sampling"

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer.

SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.

Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Copyright © sFlow.org. 2004 All Rights Reserved sFlow & Benefits Complete Network Visibility and Control You cannot control what you cannot see.

Copyright © sFlow.org All Rights Reserved sFlow & Benefits Complete Network Visibility and Control You cannot control what you cannot see.
1 PSAMP WGIETF, November 2002PSAMP WG PSAMP Framework Document draft-ietf-psamp-framework-01.txt Duffield, Greenberg, Grossglauser, Rexford: AT&T Chiou:

1 PSAMP WGIETF, November 2002PSAMP WG PSAMP Framework Document draft-ietf-psamp-framework-01.txt Duffield, Greenberg, Grossglauser, Rexford: AT&T Chiou:
Probabilistic Aggregation in Distributed Networks Ling Huang, Ben Zhao, Anthony Joseph and John Kubiatowicz {hling, ravenben, adj,

Probabilistic Aggregation in Distributed Networks Ling Huang, Ben Zhao, Anthony Joseph and John Kubiatowicz {hling, ravenben, adj,
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
Draft-novak-bmwg-ipflow-meth-05.txt IP Flow Information Accounting and Export Benchmarking Methodology

Draft-novak-bmwg-ipflow-meth-05.txt IP Flow Information Accounting and Export Benchmarking Methodology
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Summer, 2002.

A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Summer, 2002.
Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.

Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.
52.354 Communications Recap Duncan Smeed. Introduction 1-2 Chapter 1: Introduction Our goal: get “feel” and terminology more depth, detail later in course.

Communications Recap Duncan Smeed. Introduction 1-2 Chapter 1: Introduction Our goal: get “feel” and terminology more depth, detail later in course.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
NetfFow Overview SANOG 17 Colombo, Sri Lanka. Agenda Netflow –What it is and how it works –Uses and Applications Vendor Configurations/ Implementation.

NetfFow Overview SANOG 17 Colombo, Sri Lanka. Agenda Netflow –What it is and how it works –Uses and Applications Vendor Configurations/ Implementation.
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.

Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.
Fraunhofer FOKUSCompetence Center NET T. Zseby, CC NET1 IPFIX – IP Flow Information Export Overview Tanja Zseby Fraunhofer FOKUS, Network Research.

Fraunhofer FOKUSCompetence Center NET T. Zseby, CC NET1 IPFIX – IP Flow Information Export Overview Tanja Zseby Fraunhofer FOKUS, Network Research.
– Chapter 5 – Secure LAN Switching

– Chapter 5 – Secure LAN Switching

Similar presentations

Ads by Google