NETFLOW analysis infrastructure at Indiana University

1. NETFLOW analysis infrastructure at Indiana University Gregory Travis Advanced Network Management Lab (ANML) Indiana University greg@iu.edu

2. What do we do? • Research • Build new DDoS/IDS systems • Learn what’s going on • Operational • Support REN-ISAC • Report upstream

3. Abilene NOC presented with an opportunity to partner with Asta Network and Arbor Networks via Internet2 Distributed Denial of Service (DDoS) detection equipment first installed at Indianapolis core node in 2000 DDoS detection equipment showed *many* DDoS incidents traversing Abilene each day Determined that this was a potential opportunity to provide more focus on security for the research and education network space ANML - Network Security

4. Indiana University leveraged the security services provided to Abilene, along with the existing Policy and Security arms of the the Office of the Vice President for Information Technology, into a proposal to perform the function of the Research and Education Information Sharing and Analysis Center (REN-ISAC) February 21st 2003, Indiana University signed an agreement with the National Infrastructure Protection Center to provide the REN-ISAC function Doug Pearson is the director of the REN-ISAC (www.ren-isac.edu) ANML - Network Security

5. What’s an ISAC/REN-ISAC? • ISACs (Information Sharing and Analysis centers) are cooperations of private and public entities within Department of Homeland Security • The REN-ISAC Supports U.S. higher education and research communities by providing advanced network security services • Also supports efforts to protect the national cyber infrastructure

6. ANML I2 DDoS Monitoring • Multiple Systems monitoring NETFLOW data looking for indications of attack. • Arbor Networks • Internal exploratory tools • Snort • Systems feed output into central event database

7. What we do with the data • Input into tools for effective exploratory data analysis for NETFLOW data: • Ad-hoc (I.e. flowtools) • Relational (Postgres) • Third Party/Commercial (Arbor) • Hybrids

8. Hybrid Project • Provide an SQL like query language with a data storage system that is optimized for the storage and analysis of NETFLOW. • SQL databases have great expressing capability but are slow in this type of task. • Flowtools is faster but the expression language is a bit obtuse.

9. Collection infrastructure I2 Routers Indianapolis Gigapop Flow Collectors (Arbor/ANML/etc.) ANML Bloomington

10. How much data? • Anonymized I2 NETFLOW repository. • Short term SQL DB. • 3 month cache of data • ~1 Terabyte of storage. • ~7000 records per second • ~600 million per Day • Large seasonal variations

11. DDoS Summary Reporting

12. A typical day of DDoS • Typical daily totals: • High alerts: 6 • Medium alerts: 6 • Low alerts: 43 • Severity is related to how far we exceed administrative thresholds

13. Worm tracking

14. Two types of data • We’ve been talking about anomaly tracking via NETFLOW but should also make mention of signature-based systems • Both methods have their strengths and weaknesses • Typically you will need to do both

15. NETFLOW • Very useful for monitoring high-volume networks • Doesn’t have wiretapping implications that signature-matching does • Data is already aggregated/depersonalized • But you can’t “see the data” which is good and bad • Sometimes difficult to know if an attack a real or just a data anomaly • Blaster example

16. Signature matching • Actually looking at the data on the wire to look for specific DDoS/worm/etc. “signatures” • VERY compute intensive • Not practical “at wire speed” • Typically deployed on a per-LAN basis

17. “Warscoping” • ANML developing location services for wireless devices • Number of instances where it’s important to be able to physically locate wireless devices • “911” services • Troubleshooting • Locating nefarious actors

18. Other techniques we use • Honeypots • Tripwire • SEBEK • Warscoping • Geolocation

19. Warscope display

20. Sebek Analysis