Netflow Collection and Analysis at an Internet ... -...

© 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property

and/or AT&T affiliated companies. All other marks are the property of their respective owners.

10 January 2017

FloCon 2017San Diego, CA

Netflow Collection and Analysis at a Tier 1 Internet Peering Point

Fred Stringer

AT&T Chief Security Organization

Systems Engineer/Network Architect

1

Netflow Collection and Analysis at Internet Peering

FMS 12/19/2016© 2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners.

2

Take Away Messages

IP Flow Record (Netflow) Analysis is effective

Stand-alone without correlation with host logs and events

On unidirectional IP flows

Metering part of a LAG bundle

Scaling Netflow Analysis

Volumetric Anomaly Detection

Edge (at point of collection) and pre-processing

Everything does NOT need to be databased



3

Peering

Blue Net

Green Net

Red Net

Route

AdvertisementRA

RA

RA

RA

RA

Peering is a business relationship supported by routing (BGP) policies and procedures creating a network relationship.Can be created at meeting points (public peering) or direct connections (private peering)



4

Internet Peering

Blue Net

Green Net

Red Net

Route

AdvertisementRA

RA

RA

RA

RA

Routes Available:

Routes Available:

Routes Available:

Blue Net is a Tier 1Default free



5

Tier 1 Internet Peering

Blue Net

Green Net

Red Net

Route

AdvertisementRA

RA

RA

RA

RA

Routes Available:

Routes Available:

Routes Available:

RA

RA



6

Asymmetrical Flows Through Peering

Green Net

Blue Net



7

Threat Analytics Platform

Remediation coordination

GNOC

Alerts

UDP port 2002 relative to other UDP traffic

2842

17 20

5

2 2

8

1

10

100

1000

10000

9/10 9/11 9/12 9/13 9/14 9/15 9/16

Date

Rela

tive

rank

# flows

# packets

# bytes

Analysis

Platforms

Reporting

Systems

Data Acquisition

TransportStorage, Processing, Analysis

Interpretation & Response Processes

Reporting & Alerting

Forensic Analysis

Edge Analytics



8

Netflow Metering and Collection

Meter IPFIX from 5.8 TeraBits per Second of traffic

IPFIX format since 2010

Supports IPv6

Standard Data Elements with overwrite of “ingestinterface” (EID 10)

We overwrite a network-wide unique tag enabling trace back to source of the record alone.

Passive Probes for Threat Detection data rather than the routers

1:1 Sampling – flow records for 100% of the packets



9

Automated Analysis Functions

Volumetric Alerting

100% of records collected are processed

Port, protocol, address block anomalies

DDoS Attacks, and other otherwise undetected events

Scan Detection

Source address making many attempts to connect to many destination addresses or ports

Worm propagation (derived from scan detection)

Alarming on rapid increase in the number of sources of a particular scan type (per circuit)

Scan Volume Alarm (derived from scan detection)

Increases in scan probes or scan packets per protocol/port

Botnet Controller Detection (flow-based & DNS records DB)

Reports on suspect bot activity based on correlated flow characteristics

AT&T Proprietary



10

Security Analysis AlgorithmsAll components are necessary

Data Selection / Pre-filter Data subset

Details Collection & Characteristics

Interpretation

Response Action

Anomaly Detection Anomalies

Alerts

Prevention or Remediation

Visualizations and Reports



11

Threat Analysis Transformation Vision

Data access• Passive Probes - static

Data Generation• Dedicated probes (a probe / 10GE)• Dedicated Appliances

Data Files• “Collector” application, file server on dedicated

servers and storage in SNRC/CO space.

Data Transport• Private IP Network

Data Analysis• Centralized – dedicated data center

Future

Data access• Virtual Probes in Service Network Elements (SNEs)

Data Generation• Virtual Probes in SNEs• NFV Multipoint Probes in SNEs (described later)• All the time, sampled, event driven and on-demand

metadata generation.

Data Files• NFV Collectors in SNEs and VM Collectors

Data Transport• AVPN with Orchestration

Data Analysis• Streaming analytics on edge, data at rest analytics and

chained analysis functions.

Today

With the evolution of the Service Network to Orchestrated NFVs the data collection for threat analysischanges providing new dynamic capabilities.



12

Take Away Messages

IP Flow Record (Netflow) Analysis is effective

Stand-alone without correlation with host logs and events

On unidirectional IP flows

Metering part of a LAG bundle

Scaling Netflow Analysis

Volumetric Anomaly Detection

Edge (at point of collection) and pre-processing

Everything does NOT need to be databased

The next generation networks are providing us additional security analysis capabilities AND some new challenges.



AT&T ThreatTraqWeekly Cyber Threat Report

http://techchannel.att.com/threattraq

13

Netflow Collection and Analysis at an Internet ... -...

Documents

Transcript of Netflow Collection and Analysis at an Internet ... -...