Network telemetry for DDoS detection presentation
2 likes714 views
The document provides information from Pavel Odintsov about DDoS detection tools, particularly focusing on his open-source tool, FastNetMon. It discusses various telemetry types used for DDoS detection, highlighting benefits and issues associated with protocols like NetFlow and sFlow. Additionally, it covers sampling rate challenges, cloud network analytics limitations, and provides contact information for further inquiries.
Network telemetry for DDoS detection presentation
- 2. Aboutme I’m Pavel Odintsov, the author of open source DDoS detection tool, FastNetMon: https://github.com/pavel-odintsov/fastnetmon Ways to contact me: ● linkedin.com/in/podintsov ● github.com/pavel-odintsov ● twitter.com/odintsov_pavel ● IRC, FreeNode, pavel_odintsov ● pavel.odintsov@gmail.com
- 6. IPFIX, Netflow v5, Netflow v9, Netstream, jFlow, cFlow and many others NetflowBasedProtocols
- 7. NetflowIssues Significantdelay Caused by flow aggregation engine, varies from 3 seconds up to 90 seconds Flow processing engine on many routers has very limited CPU power and constrained by flow table size For effective DDoS detection we need fragmentation flags, TTLs and even part of payload Netflow based protocols use very complex way to encode sampling Lackofdetails SAMPLINGRATEREPORTING Scalabilityissues
- 8. sFlowBenefits Verysmall/nodelay sFlow agents do not implement aggregation and they keep traffic only for very short period of time sFlow does not implement any kind of aggregation and does not need very efficient memory for flow tables Provides such important flags as TTL and fragmentation fields accompanied by first bytes of payload Sampling rate is encoded directly in each packet, packet headers exported as-is without encoding Keeps60+bytesfrompacket Simpleencodingprotocol SmallCPUoverheader
- 9. VendorsDosFlowWrong Only small subset of router vendors offer sFlow support and for few of them it just does not work well LackofsFlowsupport Many vendors limit minimum sampling rate by extremely harsh values (1:16000) which makes reliable attack detection impossible. In many cases due to slow CPU on control plane sFlow agent cannot export all traffic. Many hardware platforms have very limited capacity towards data plane Scalabilityissues Inadequatesamplingrate
- 10. 10 LinuxTrafficCapture DPDK, Netmap, PF_RING, SnabbSwitch Other Available in all Linux distributions (excluding CentOS/RHEL 6) Available since Linux Kernel 4.19. Ubuntu 20.04 and later AF_PACKET AF_XDP
- 12. CloudNetworkAnalytics AmazonVPCFlowlogs Limited by 60 second delay, expensive and complex way to export logs GoogleFlowLogs Limited by UDP and TCP traffic only, expensive and complex way to export logs AzureFlowLogs Excellent visibility with Network Traffic Watcher instrument