There's Plenty of Room at the Bottom

•

6 likes•2,305 views

Benjamin Black

A an overview of network flow collection and an invitation to look at the fast_ip network flow platform.

Technology

There’s Plenty of Room at
the Bottom:
An Invitation to Explore with Network Flows

Benjamin Black
b@fastip.com

You Should Care
Because Visibility Makes
Your Life Easier.

Network Flow Data
Means Great Visibility.

DDoS Detection
Capacity Planning
Trafﬁc Management
Troubleshooting
Correlation
...

[headers]
Protocol

Source IP Address

Destination IP Address

Source Port

Destination Port

[ﬂow keys]
Protocol Protocol

Source IP Address Source IP Address

Destination IP Address

Source Port
= Destination IP Address

Source Port

Destination Port Destination Port

[templates]
template_id 253

protocol

src IPv4 address

dest IPv4 address

src port

dst port

total octets

total packets

start time

end time

[ﬂow records]
template_id 253

TCP

172.16.101.3

192.169.7.200

9801

80

27342 octets

24 packets

start 28349829023

end 28356729023

[metering process]

template_id 253 template_id 253 template_id 253 template_id 253
TCP TCP TCP TCP
172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3
192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200
9801 9801 9801 9801
80 80 80 80
27342 octets 27342 octets 27342 octets 27342 octets
24 packets 24 packets 24 packets 24 packets
start 28349829023 start 28349829023 start 28349829023 start 28349829023
end 28356729023 end 28356729023 end 28356729023 end 28356729023

[collecting process]
template_id 253 template_id 253 template_id 253 template_id 253
TCP TCP TCP TCP
172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3
192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200
9801 9801 9801 9801
80 80 80 80
27342 octets 27342 octets 27342 octets 27342 octets
24 packets 24 packets 24 packets 24 packets
start 28349829023 start 28349829023 start 28349829023 start 28349829023
end 28356729023 end 28356729023 end 28356729023 end 28356729023

template_id 253 template_id 253 template_id 253 template_id 253
TCP TCP TCP TCP
172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3
192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200
9801 9801 9801 9801
80 80 80 80
27342 octets 27342 octets 27342 octets 27342 octets
24 packets 24 packets 24 packets 24 packets
start 28349829023 start 28349829023 start 28349829023 start 28349829023
end 28356729023 end 28356729023 end 28356729023 end 28356729023

template_id 253 template_id 253 template_id 253 template_id 253
TCP TCP TCP TCP
172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3
192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200
9801 9801 9801 9801
80 80 80 80
27342 octets 27342 octets 27342 octets 27342 octets
24 packets 24 packets 24 packets 24 packets
start 28349829023 start 28349829023 start 28349829023 start 28349829023
end 28356729023 end 28356729023 end 28356729023 end 28356729023

Storage and Analysis are
Left as an Exercise
for the Reader

On Network Switches/Routers
[often sampled]

Dedicated Appliances
[expensive/limited storage]

Where is this going?

Where is this coming from?

LOTS of Space Means Storage
Expense or Loss of Resolution or
Truncation

LOTS of (Multi-dimensional)
Data is
Hard to Analyze

Inﬂexible and Limited
or
Expensive and Complicated

[resources]
IPFIX WG
http://datatracker.ietf.org/wg/ipﬁx/charter/
nProbe
http://www.ntop.org/nProbe.html
Cisco NetFlow Collection Engine
http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/index.html
Arbor Networks
http://www.arbornetworks.com/
Dartware
http://www.intermapper.com/products/intermapper-ﬂows

What's hot

Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Ontico

Debugging RubyAman Gupta

Debugging Ruby SystemsEngine Yard

Fail2ban - the system security for green hand -on linux osSamina Fu (Shan Jung Fu)

2020 2ed tcpOsama Ghandour Geris

Pf: the OpenBSD packet filterGiovanni Bechis

Analysis of Compromised Linux Serveranandvaidya

2019 2ed internet addressing , internet addressingOsama Ghandour Geris

ハイパフォーマンスブラウザネットワーキング2Shuya Osaki

Logsaefuddinasep

Incident Response: TunnellingNapier University

SIEMNapier University

Incident response: Advanced Network ForensicsNapier University

Handy Networking Tools and How to Use ThemSneha Inguva

Performance tweaks and tools for Linux (Joe Damato)Ontico

Capital onehadoopclassDoug Chang

XS Boston 2008 Debugging XenThe Linux Foundation

TcpdumpSourav Roy

Tensorflow and python : fault detection system - PyCon Taiwan 2017Eric Ahn

What's hot (19)

Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...

Debugging Ruby

Debugging Ruby Systems

Fail2ban - the system security for green hand -on linux os

2020 2ed tcp

Pf: the OpenBSD packet filter

Analysis of Compromised Linux Server

2019 2ed internet addressing , internet addressing

ハイパフォーマンスブラウザネットワーキング2

Log

Incident Response: Tunnelling

SIEM

Incident response: Advanced Network Forensics

Handy Networking Tools and How to Use Them

Performance tweaks and tools for Linux (Joe Damato)

Capital onehadoopclass

XS Boston 2008 Debugging Xen

Tcpdump

Tensorflow and python : fault detection system - PyCon Taiwan 2017

Viewers also liked

Nanotechnology Vaibhav Maurya

Introduction to Cassandra: Replication and ConsistencyBenjamin Black

14 kode-03-b5-strategi-pembelajaran-dan-pemilihannyaKary Adi

Dynamic Empowerment Webinar #1--The Power of Goalsaltonbaird

Disueña tu profesión. Disueña tu barrio. Disueña tu vidaRafa Cofiño

NdP_Akamon gana el primer premio “Who’s got game” como mejor startup de juego...Akamon Entertainment

Hellen e vitoria musicas ....Vitoria Dos Santos

Get started with dropboxBeverly Solano

Cascalog at May Bay Area Hadoop User Groupnathanmarz

Insight family space, Graham Cadlelocalinsight

Play station 4 camilo q carolinagonzalezcsj

Brighton & Hove budget cuts 2015-16brightonpa

Dr. Bart Cammaerts - The Mediation of DissensusŞebeke:Gençlerin Katılımı Projesi

Reasons for foreign listings by South African junior mining and exploration c...Vicki Shaw

Oficio previc copyLeopoldina Corrêa

A replication study of the top performing systems in SemEval twitter sentimen...Raphael Troncy

Upgrading the CurriculumJanet Hale

Employment support for long term incapacity benefit claimantslocalinsight

Ailanto 2013 independent living community investmentHugo Ribadeneira

eHealthJESSICA NATALI MONJA SANTISTEBAN

Viewers also liked (20)

Nanotechnology

Introduction to Cassandra: Replication and Consistency

14 kode-03-b5-strategi-pembelajaran-dan-pemilihannya

Dynamic Empowerment Webinar #1--The Power of Goals

Disueña tu profesión. Disueña tu barrio. Disueña tu vida

NdP_Akamon gana el primer premio “Who’s got game” como mejor startup de juego...

Hellen e vitoria musicas ....

Get started with dropbox

Cascalog at May Bay Area Hadoop User Group

Insight family space, Graham Cadle

Play station 4 camilo q

Brighton & Hove budget cuts 2015-16

Dr. Bart Cammaerts - The Mediation of Dissensus

Reasons for foreign listings by South African junior mining and exploration c...

Oficio previc copy

A replication study of the top performing systems in SemEval twitter sentimen...

Upgrading the Curriculum

Employment support for long term incapacity benefit claimants

Ailanto 2013 independent living community investment

eHealth

Similar to There's Plenty of Room at the Bottom

Technical Overview of QUICshigeki_ohtsu

Send me your echolocationFastly

Wdt TestLouis liu

Debugging linux issues with eBPFIvan Babrou

RAZORPOINT TCP/UDP PORTS LISTRazorpoint Security

Intro to Packet Analysis - pfSense Hangout May 2014Netgate

ioDrive de benchmarking 2011 1209_zem_distributionMasahito Zembutsu

Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance

TCP-IP PROTOCOLOsama Ghandour Geris

Pycon - Python for ethical hackers Mohammad Reza Kamalifard

5 issuesm0use

SCTP TutorialAlok Kumar Singh ITIL®

Inside WinnypFFRI, Inc.

7. protocolsMarian Marinov

Algosec how to avoid business outages from misconfigured devices finalMaytal Levi

Packet Card Knowledge TransferfinalAbdel-Fattah M. Hmoud

(NET404) Making Every Packet CountAmazon Web Services

Wireshark course, Ch 03: Capture and display filtersYoram Orzach

Day 20.1 configuringframerelayCYBERINTELLIGENTS

Day 20.3 frame relay CYBERINTELLIGENTS

Similar to There's Plenty of Room at the Bottom (20)

Technical Overview of QUIC

Send me your echolocation

Wdt Test

Debugging linux issues with eBPF

RAZORPOINT TCP/UDP PORTS LIST

Intro to Packet Analysis - pfSense Hangout May 2014

ioDrive de benchmarking 2011 1209_zem_distribution

Reverse engineering Swisscom's Centro Grande Modem

TCP-IP PROTOCOL

Pycon - Python for ethical hackers

5 issues

SCTP Tutorial

Inside Winnyp

7. protocols

Algosec how to avoid business outages from misconfigured devices final

Packet Card Knowledge Transferfinal

(NET404) Making Every Packet Count

Wireshark course, Ch 03: Capture and display filters

Day 20.1 configuringframerelay

Day 20.3 frame relay

Recently uploaded

Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda

React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech

Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3

Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3

All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough

Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers

Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood

React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma

Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal

Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC

MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar

Top 10 Hubspot Development Companies in 2024TopCSSGallery

A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3

A Glance At The Java Performance ToolboxAna-Maria Mihalceanu

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3

Recently uploaded (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger

React Native vs Ionic - The Best Mobile App Framework

Long journey of Ruby standard library at RubyConf AU 2024

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx

All These Sophisticated Attacks, Can We Really Detect Them - PDF

Design pattern talk by Kaya Weers - 2024 (v2)

Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...

React JS; all concepts. Contains React Features, JSX, functional & Class comp...

Emixa Mendix Meetup 11 April 2024 about Mendix Native development

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...

Landscape Catalogue 2024 Australia-1.pdf

MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes

Top 10 Hubspot Development Companies in 2024

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx

A Glance At The Java Performance Toolbox

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

There's Plenty of Room at the Bottom

1. There’s Plenty of Room at the Bottom: An Invitation to Explore with Network Flows Benjamin Black b@fastip.com

2. What are Flows & Why Should You Care?

3. You Should Care Because Visibility Makes Your Life Easier.

4. Network Flow Data Means Great Visibility.

5. DDoS Detection Capacity Planning Trafﬁc Management Troubleshooting Correlation ...

6. The Nature of Flows

7. [trafﬁc]

8. [streams]

9. [packets] Header Payload

10. [headers] Protocol Source IP Address Destination IP Address Source Port Destination Port

11. [latency]

12. [jitter]

13. [packet loss]

14. The Structure of Flows

15. [ﬂow keys] Protocol Protocol Source IP Address Source IP Address Destination IP Address Source Port = Destination IP Address Source Port Destination Port Destination Port

16. [templates] template_id 253 protocol src IPv4 address dest IPv4 address src port dst port total octets total packets start time end time

17. [ﬂow records] template_id 253 TCP 172.16.101.3 192.169.7.200 9801 80 27342 octets 24 packets start 28349829023 end 28356729023

18. The Ecosystem of Flows

19. [metering process] template_id 253 template_id 253 template_id 253 template_id 253 TCP TCP TCP TCP 172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3 192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200 9801 9801 9801 9801 80 80 80 80 27342 octets 27342 octets 27342 octets 27342 octets 24 packets 24 packets 24 packets 24 packets start 28349829023 start 28349829023 start 28349829023 start 28349829023 end 28356729023 end 28356729023 end 28356729023 end 28356729023

20. [observation domain] eth0 eth1 eth2

21. [collecting process] template_id 253 template_id 253 template_id 253 template_id 253 TCP TCP TCP TCP 172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3 192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200 9801 9801 9801 9801 80 80 80 80 27342 octets 27342 octets 27342 octets 27342 octets 24 packets 24 packets 24 packets 24 packets start 28349829023 start 28349829023 start 28349829023 start 28349829023 end 28356729023 end 28356729023 end 28356729023 end 28356729023 template_id 253 template_id 253 template_id 253 template_id 253 TCP TCP TCP TCP 172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3 192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200 9801 9801 9801 9801 80 80 80 80 27342 octets 27342 octets 27342 octets 27342 octets 24 packets 24 packets 24 packets 24 packets start 28349829023 start 28349829023 start 28349829023 start 28349829023 end 28356729023 end 28356729023 end 28356729023 end 28356729023 template_id 253 template_id 253 template_id 253 template_id 253 TCP TCP TCP TCP 172.16.101.3 172.16.101.3 172.16.101.3 172.16.101.3 192.169.7.200 192.169.7.200 192.169.7.200 192.169.7.200 9801 9801 9801 9801 80 80 80 80 27342 octets 27342 octets 27342 octets 27342 octets 24 packets 24 packets 24 packets 24 packets start 28349829023 start 28349829023 start 28349829023 start 28349829023 end 28356729023 end 28356729023 end 28356729023 end 28356729023

22. Storage and Analysis are Left as an Exercise for the Reader

23. Where Do Meters Run?

24. On Network Switches/Routers [often sampled]

25. Dedicated Appliances [expensive/limited storage]

26. On Hosts [where does the data go?]

27. The Classical View

28.

29. Where is this going?

30. Where is this going? Where is this coming from?

31.

32. The Flow View

33.

34.

35. TANSTAAFL

36. Flow Data Takes Up LOTS of Space

37. [often >1% total trafﬁc]

38. LOTS of Space Means Storage Expense or Loss of Resolution or Truncation

39. LOTS of (Multi-dimensional) Data is Hard to Analyze

40. Inﬂexible and Limited or Expensive and Complicated

41.

42. [apologies]

43. [resources] IPFIX WG http://datatracker.ietf.org/wg/ipﬁx/charter/ nProbe http://www.ntop.org/nProbe.html Cisco NetFlow Collection Engine http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/index.html Arbor Networks http://www.arbornetworks.com/ Dartware http://www.intermapper.com/products/intermapper-ﬂows

44. [ﬁnally...]

45. fast_ip is a platform for ﬂow analytics

46. Sign up for our beta http://fastip.com

There's Plenty of Room at the Bottom

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (20)

Similar to There's Plenty of Room at the Bottom

Similar to There's Plenty of Room at the Bottom (20)

Recently uploaded

Recently uploaded (20)

There's Plenty of Room at the Bottom

Editor's Notes