Kentik Data Engine
Dan Ellis
CTO
KDE Quick Stats
(kentik detect engine)
NetFlow in the Cloud
• 125+ Billion Flows/Day stored
• 1,000,000+ FPS
• 50 “Large” Queries/s, thousands of sub-qps
• 75+ TB flow data stored/day (25+ compressed)
SNMP, BGP, network performance too!
KDE High-Level
• KDE is a hybrid system:
○ Fusing / Ingest Layer
○ Distributed column store db / query engine
○ Realtime stream processing for anomaly detection
• We evaluated various existing engines: ES, Hadoop, Cassandra, Storm, Spark, SILK, Druid, Kafka....
• Couldn’t find performance, multi-tenancy, and network savvy so we wrote our own...
KDE architecture
[Diagram: three layers, Ingest & Fusion layer, Storage layer (flow specific) and Query layer, sitting between the data sources and the clients; the query engine and UI expose SQL, WWW and REST query interfaces, e.g. SELECT flow FROM router WHERE …]
Each layer has separate and different scaling characteristics
Ingest architecture
KDE Architecture
[Diagram: BGP VIP; KDE ingest layer made of relays, proxies and per-device clients (C); enKryptor; Storage layer; Streaming layer. Transports shown: NetFlow (UDP), kFlow (HTTPS), kFlow (HTTP)]
VIP + Relay
[Diagram: the KDE architecture above with the BGP VIP and the NetFlow (UDP) relay highlighted]
• One IP bound to multiple servers
• Sharded by Source-IP
• Validate Sender as Kentik Customer
• Pass flow on (raw UDP socket) to correct proxy
• Relay handles load balancing (Kentik specific, UDP+TCP)
Proxy
[Diagram: the KDE architecture above with the proxies highlighted]
• Inspect flow & determine type: V5, V9, IPFIX, SFlow, KFlow
• Need to resample?
• Configured Sample Rate
• Launch Client Process for each device
• Poll for device changes
• Monitor health
• Relaunch on client crash
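An added example in Go (not Kentik's code) of the relay and proxy steps on the two slides above: the relay validates the sender against a registry of customer exporters and shards by source IP, and the proxy classifies the raw datagram (NetFlow v5/v9, IPFIX, sFlow v5) from its header and decides whether to resample against a configured rate. The registry shape, the target rate and the resampling rule are assumptions; the header offsets are those of the published formats.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/fnv"
)

// Device is what the relay and proxy know about a registered exporter (an
// assumed shape: the deck says the relay validates the sender as a Kentik
// customer but does not describe the lookup).
type Device struct {
	Customer, Name string
	SampleRate     int // rate the device is configured to sample at (1 = unsampled)
}

// Registry maps exporter source IP -> device. Constructed for this example.
type Registry map[string]Device

// RouteToProxy is the relay step: drop datagrams from unknown senders, then
// shard by source IP so one exporter always lands on the same proxy, and so
// on the same per-device client process. It returns the proxy index.
func RouteToProxy(reg Registry, srcIP string, numProxies int) (Device, int, error) {
	dev, ok := reg[srcIP]
	if !ok {
		return Device{}, -1, fmt.Errorf("drop: %s is not a registered exporter", srcIP)
	}
	h := fnv.New32a()
	h.Write([]byte(srcIP))
	return dev, int(h.Sum32() % uint32(numProxies)), nil
}

// Header is what the proxy extracts before handing the datagram to the client.
type Header struct {
	Type       string
	Count      int // v5/v9: records in the datagram; IPFIX: message length in bytes
	SampleRate int // only NetFlow v5 declares it in the header; 0 = not declared
}

// Classify is the proxy's "inspect flow & determine type" step. NetFlow and
// IPFIX start with a 16-bit version (5, 9, 10); sFlow v5 starts with a 32-bit
// version, so its first 16 bits are zero. kFlow arrives over HTTP(S), not here.
func Classify(b []byte) (Header, error) {
	if len(b) < 4 {
		return Header{}, errors.New("datagram too short")
	}
	switch binary.BigEndian.Uint16(b[0:2]) {
	case 5: // 24-byte header; sampling_interval at offset 22 = 2 mode bits + 14 interval bits
		if len(b) < 24 {
			return Header{}, errors.New("short NetFlow v5 header")
		}
		interval := int(binary.BigEndian.Uint16(b[22:24]) & 0x3FFF)
		return Header{"netflow-v5", int(binary.BigEndian.Uint16(b[2:4])), interval}, nil
	case 9: // 20-byte header
		if len(b) < 20 {
			return Header{}, errors.New("short NetFlow v9 header")
		}
		return Header{Type: "netflow-v9", Count: int(binary.BigEndian.Uint16(b[2:4]))}, nil
	case 10: // 16-byte header
		if len(b) < 16 {
			return Header{}, errors.New("short IPFIX header")
		}
		return Header{Type: "ipfix", Count: int(binary.BigEndian.Uint16(b[2:4]))}, nil
	case 0:
		if binary.BigEndian.Uint32(b[0:4]) == 5 {
			return Header{Type: "sflow-v5"}, nil
		}
	}
	return Header{}, fmt.Errorf("unknown flow datagram, first bytes %x", b[:4])
}

// ResampleFactor answers "need to resample?": the rate declared in the header
// wins over the configured one; keep 1 in every factor records so the stored
// rate is at least targetRate (an assumed deployment setting). 1 = pass through.
func ResampleFactor(h Header, dev Device, targetRate int) int {
	actual := h.SampleRate
	if actual == 0 {
		actual = dev.SampleRate
	}
	if actual == 0 {
		actual = 1
	}
	if targetRate > actual {
		return targetRate / actual
	}
	return 1
}

func main() {
	reg := Registry{"192.0.2.10": {Customer: "acme", Name: "edge-1", SampleRate: 1000}}
	dev, proxy, _ := RouteToProxy(reg, "192.0.2.10", 3)
	v5 := make([]byte, 24) // constructed NetFlow v5 header: 3 records, sampling mode 1, interval 1000
	v5[1], v5[3], v5[22], v5[23] = 5, 3, 0x43, 0xE8
	h, _ := Classify(v5)
	fmt.Printf("proxy %d, %+v, resample factor %d\n", proxy, h, ResampleFactor(h, dev, 2000))
}
```

Sharding on a hash of the source IP is what makes "one client process per device" hold across several proxies: the same exporter never ends up on two of them.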
Client (where the magic happens)
[Diagram: the KDE architecture above with the per-device clients highlighted; a client takes NetFlow, SFlow or IPFix in and sends kFlow out]
• One per device configured to send flow
• * goes in, KFlow comes out
Client Processing
is a key enabler to useful data
Step 1: Normalization
• Separate code paths for each type expected
• CGO callouts
Step 2: Enrichment
• BGP - Route data for xxx
• GeoIP - Where does my traffic start and end
• SNMP - Interface names and descriptions
• Tagging - business classification: cost-centers, user-info, peering info
• App Specific Data - URL/DNS requests, MYSQL query
• Performance data (NPM) - Retransmits, network latency, application latency
• coming soon:
  ○ Timestamped event Data (syslog)
  ○ Threat feeds
DATA FUSION in CLIENT
[Diagram: decoder modules (NetFlow v5, NetFlow v9, IPFIX, SFlow, PCAP) and in-memory tables (BGP RIB, Custom Tags, Geo ←→ IP, ASN ←→ IP) fed by an SNMP poller, a BGP daemon and an enrichment DB; input from the router, a PCAP agent and the proxy; output is a single fused flow row sent to storage (the flow friendly datastore)]
Step 3: Resampling & Unification
• Long term (>1 Month)
• What a process (device) said over an hour
• Two tricks:
  ○ Flow Unification
  ○ Resampling
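An added example in Go (not Kentik's code) of the two tricks just named: Unify collapses everything a device reported over the window into one row per tuple, and Resample thins the unified rows while scaling the kept rows' sample rate so the byte total still estimates the original. The Flow field set, the string tuple key and the systematic-sampling rule are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is a minimal fused row; the field set is constructed for this example.
// Bytes and Packets are raw counters and SampleRate the rate they were
// sampled at, so a row's unsampled estimate is Bytes × SampleRate.
type Flow struct {
	Device, SrcIP, DstIP string
	DstPort              uint16
	Proto                uint8
	Bytes, Packets       uint64
	SampleRate           uint64
}

// key identifies a row's tuple; it doubles as a sort key so output order is
// deterministic.
func (f Flow) key() string {
	return fmt.Sprintf("%s|%s|%s|%05d|%03d", f.Device, f.SrcIP, f.DstIP, f.DstPort, f.Proto)
}

func (f Flow) rate() uint64 {
	if f.SampleRate == 0 {
		return 1
	}
	return f.SampleRate
}

// Unify merges everything a device reported inside one window (the hour in
// the deck) that shares the same tuple into a single row. Counters are scaled
// up by their sample rate before summing, so rows sampled at different rates
// still add up to one unsampled estimate (SampleRate 1).
func Unify(flows []Flow) []Flow {
	acc := map[string]*Flow{}
	for _, f := range flows {
		u, ok := acc[f.key()]
		if !ok {
			u = &Flow{Device: f.Device, SrcIP: f.SrcIP, DstIP: f.DstIP, DstPort: f.DstPort, Proto: f.Proto, SampleRate: 1}
			acc[f.key()] = u
		}
		u.Bytes += f.Bytes * f.rate()
		u.Packets += f.Packets * f.rate()
	}
	out := make([]Flow, 0, len(acc))
	for _, u := range acc {
		out = append(out, *u)
	}
	sortFlows(out)
	return out
}

// Resample keeps one row in every factor rows (a systematic sample over the
// sorted rows, so the result is reproducible) and multiplies the kept rows'
// sample rate by factor, so EstimateBytes still estimates the original total.
func Resample(flows []Flow, factor uint64) []Flow {
	if factor <= 1 {
		return flows
	}
	sortFlows(flows)
	var out []Flow
	for i, f := range flows {
		if uint64(i)%factor == 0 {
			f.SampleRate = f.rate() * factor
			out = append(out, f)
		}
	}
	return out
}

// EstimateBytes is the unsampled byte estimate of a row set: Σ Bytes × rate.
func EstimateBytes(flows []Flow) uint64 {
	var n uint64
	for _, f := range flows {
		n += f.Bytes * f.rate()
	}
	return n
}

func sortFlows(flows []Flow) {
	sort.Slice(flows, func(i, j int) bool { return flows[i].key() < flows[j].key() })
}

func main() {
	hour := []Flow{ // constructed: what two devices reported over one hour
		{"devA", "10.0.0.1", "10.0.0.2", 443, 6, 100, 2, 1}, {"devA", "10.0.0.1", "10.0.0.2", 443, 6, 200, 3, 1},
		{"devA", "10.0.0.1", "10.0.0.3", 53, 17, 50, 1, 10}, {"devB", "10.0.0.9", "10.0.0.2", 443, 6, 10, 1, 1},
	}
	u := Unify(hour)
	r := Resample(u, 2)
	fmt.Printf("%d rows -> %d unified -> %d resampled; estimates %d / %d / %d bytes\n",
		len(hour), len(u), len(r), EstimateBytes(hour), EstimateBytes(u), EstimateBytes(r))
}
```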
Query+Storage layers
achieving ‘à la carte’ data consumption
Storage Layer
• Fused KFlow as input...Cap'n Proto (like protobuffers)
• Shard data into small chunks
• HTTP to N distributed storage nodes
• Metadata supervisor DB handles shard locations
• Row Oriented to Column Oriented
• Compressed using ZFS
Multi-Tenancy DB
Needed Multitenancy for a large-scale SaaS product
Could not find other DB’s @scale with it
We succeeded by building in:
● Fairness: queries are chopped into small chunks, users are rate limited and prioritized
● Security: data is isolated between “users” down to the thread level
● Multiuser caching with fairness: built a cache that cannot be monopolized by any 1 user
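An added example in Go (not Kentik's code) of the multiuser cache with fairness described above: an LRU cache shared by all tenants, with a per-tenant cap so a heavy user evicts its own rows rather than everyone else's, and with lookups keyed by (tenant, key) so one tenant can never read another's cached rows. The cap policy and the key scoping are assumptions; the deck does not describe its implementation.

```go
package main

import (
	"container/list"
	"fmt"
)

type entry struct {
	tenant, key string
	value       []byte
}

// FairCache is a shared LRU cache with a per-tenant cap: no tenant may hold
// more than maxPerTenant entries, so a heavy user evicts its own entries
// rather than everyone else's. Entries are keyed by (tenant, key), so a
// tenant can never read a row cached for another tenant.
type FairCache struct {
	capacity, maxPerTenant int
	order                  *list.List               // front = most recently used
	index                  map[string]*list.Element // scoped key -> element
	count                  map[string]int           // entries held per tenant
}

func NewFairCache(capacity, maxPerTenant int) *FairCache {
	return &FairCache{capacity, maxPerTenant, list.New(), map[string]*list.Element{}, map[string]int{}}
}

// scoped builds the lookup key; the NUL separator keeps "a"+"bc" and "ab"+"c" apart.
func scoped(tenant, key string) string { return tenant + "\x00" + key }

// Get returns the value cached for this tenant and key, marking it recently used.
func (c *FairCache) Get(tenant, key string) ([]byte, bool) {
	el, ok := c.index[scoped(tenant, key)]
	if !ok {
		return nil, false
	}
	c.order.MoveToFront(el)
	return el.Value.(*entry).value, true
}

// Put inserts or updates a value, enforcing the per-tenant cap before the
// shared capacity so that a tenant at its cap pays for its own insert.
func (c *FairCache) Put(tenant, key string, value []byte) {
	sk := scoped(tenant, key)
	if el, ok := c.index[sk]; ok {
		el.Value.(*entry).value = value
		c.order.MoveToFront(el)
		return
	}
	if c.count[tenant] >= c.maxPerTenant { // fairness: evict the tenant's own LRU entry
		c.evictOldestOf(tenant)
	}
	for c.order.Len() >= c.capacity && c.order.Len() > 0 { // shared capacity: evict the global LRU entry
		c.remove(c.order.Back())
	}
	c.index[sk] = c.order.PushFront(&entry{tenant, key, value})
	c.count[tenant]++
}

func (c *FairCache) evictOldestOf(tenant string) {
	for el := c.order.Back(); el != nil; el = el.Prev() {
		if el.Value.(*entry).tenant == tenant {
			c.remove(el)
			return
		}
	}
}

func (c *FairCache) remove(el *list.Element) {
	e := c.order.Remove(el).(*entry)
	delete(c.index, scoped(e.tenant, e.key))
	c.count[e.tenant]--
}

// Held reports how many entries a tenant currently holds; Len the cache total.
func (c *FairCache) Held(tenant string) int { return c.count[tenant] }
func (c *FairCache) Len() int               { return c.order.Len() }

func main() {
	c := NewFairCache(4, 2)
	for i := 1; i <= 3; i++ { // tenant A tries to fill the cache on its own
		c.Put("A", fmt.Sprintf("q%d", i), []byte("rows"))
	}
	c.Put("B", "q1", []byte("rows"))
	fmt.Printf("A holds %d, B holds %d, total %d\n", c.Held("A"), c.Held("B"), c.Len())
}
```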
[Diagram: the layered KDE architecture again (Ingest & Fusion layer, Storage layer (flow specific), Query layer; query engine and UI with SQL, WWW and REST query interfaces between data sources and clients; SELECT flow FROM router WHERE …), annotated with a viz-rich UI, SQL and API]
● SQL interface: PSQL FDW
● UI/UX feat. advanced data-viz
● REST API based interface: build your own
Anomaly Detection and Streaming Databases
Anomaly Detection
● Network + NPM specific
● Policy based, customizable
● Granular itemization and metrics
○ look at top-100 Country, IP, Port, ASN, site, path,...
○ Unique senders, bps, pps, rxmits, latency
● Over/under static thresholds
● Over/under what’s “normal” (baselining)
● Perform actions
○ E-mail, Slack, JSON, Pagerduty
○ Mitigation (A10, Radware, BGP)
• DDoS is a simple use case of anomaly detection
• V1 anomaly detection relied on KDE queries. Abusive
• V2 needed stream processing and in-ram baseline storage
• Typically avoided streaming db’s due to aggregation
• Streaming db’s for anomaly detection+our long term flow storage is a powerful combination
• Evaluated Spark, Storm, Samza, PipelineDB. Fail
Detecting Anomalies
[Diagram: the ingest path (BGP VIP, relays, proxies, clients, enKryptor, Storage layer) feeds kFlow at multiple kFPS into the Streaming layer. Aggregation Layer #1 sums (Σ) 1s buckets into 1min; Aggregation Layer #2 holds the policies (Policy #1, Policy #2), each with a policy aggregation filter; Aggregation Layer #3 sums into 1hour; policy thresholds & actions run a threshold comparator that fires action triggers]
kentik.com/nfd14

Kentik Detect Engine - Network Field Day 2017

  • 2. KDE Quick Stats (Kentik Detect Engine): NetFlow in the Cloud
    • 125+ billion flows/day stored
    • 1,000,000+ FPS
    • 50 “large” queries/s, thousands of sub-queries/s
    • 75+ TB flow data stored/day (25+ TB compressed)
    SNMP, BGP, network performance too!
  • 3. KDE High-Level
    • KDE is a hybrid system:
      ○ Fusing / ingest layer
      ○ Distributed column-store DB / query engine
      ○ Realtime stream processing for anomaly detection
    • We evaluated various existing engines: ES, Hadoop, Cassandra, Storm, Spark, SILK, Druid, Kafka....
    • Couldn’t find performance, multi-tenancy, and network savvy, so we wrote our own...
  • 4. KDE architecture
    [Diagram: data sources → ingest & fusion layer → storage layer (flow specific) → query layer; the query engine and UI expose SQL, WWW and REST query interfaces to clients, e.g. SELECT flow FROM router WHERE …]
    Each layer has separate and different scaling characteristics.
  • 6. KDE Architecture
    [Diagram: customer devices send NetFlow (UDP) via the BGP VIP and relays, or kFlow (HTTPS) directly; relays hand off to proxies, which run one client process per device (kFlow over HTTP) inside the KDE ingest layer; downstream are enKryptor, the storage layer and the streaming layer.]
  • 7. VIP + Relay
    [Diagram: as on slide 6, highlighting the BGP VIP and the relay receiving NetFlow (UDP).]
    • One IP bound to multiple servers
    • Sharded by source IP
    • Validate sender as Kentik customer
    • Pass flow on (raw UDP socket) to the correct proxy
    • Relay handles load balancing (Kentik specific, UDP+TCP)
  • 8. Proxy
    [Diagram: as on slide 6, highlighting the proxies.]
    • Inspect flow & determine type: V5, V9, IPFIX, sFlow, kFlow
    • Need to resample? Configured sample rate
    • Launch a client process for each device
    • Poll for device changes
    • Monitor health
    • Relaunch on client crash
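As an added example (not Kentik's code) of the relay and proxy steps above: a source-IP allowlist check, deterministic sharding of one exporter onto one proxy, and export-format detection from the datagram header. The customer addresses and proxy endpoints are constructed values.

```python
import hashlib
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed allowlist of customer exporters and proxy pool (hypothetical values).
CUSTOMER_DEVICES = {"203.0.113.10", "203.0.113.11"}
PROXIES = ["10.0.0.1:2055", "10.0.0.2:2055", "10.0.0.3:2055"]


def validate_sender(src: str) -> bool:
    """Relay allowlist check ('validate sender as Kentik customer'). This is a
    source-IP check, not authentication: UDP sources can be forged, so it only
    keeps stray or unknown exporters out of the pipeline."""
    return src in CUSTOMER_DEVICES


def shard_proxy(src: str) -> str:
    """Pick a proxy deterministically from the source IP, so every datagram of
    one exporter reaches the same proxy and therefore the same client process."""
    digest = hashlib.blake2b(ipaddress.ip_address(src).packed, digest_size=4).digest()
    return PROXIES[int.from_bytes(digest, "big") % len(PROXIES)]


def detect_flow_type(pkt: bytes) -> str:
    """The proxy's 'inspect flow & determine type' step, read from the header:
    NetFlow v5/v9 and IPFIX start with a 16-bit version field (5, 9, 10);
    an sFlow v5 datagram starts with a 32-bit version field equal to 5."""
    if len(pkt) < 4:
        raise ValueError("datagram too short")
    (v16,) = struct.unpack("!H", pkt[:2])
    if v16 == 5:
        return "netflow-v5"
    if v16 == 9:
        return "netflow-v9"
    if v16 == 10:
        return "ipfix"
    if struct.unpack("!I", pkt[:4])[0] == 5:
        return "sflow-v5"
    raise ValueError(f"unknown export format, header {pkt[:4].hex()}")


def relay(src: str, pkt: bytes) -> Optional[Tuple[str, str]]:
    """Relay + proxy decision for one datagram: None means drop, otherwise
    the proxy it is forwarded to and the detected export format."""
    if not validate_sender(src):
        return None
    return shard_proxy(src), detect_flow_type(pkt)
```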
  • 9. Client (where the magic happens)
    [Diagram: as on slide 6, highlighting the client processes: NetFlow, sFlow and IPFIX go in, kFlow comes out.]
    • One per device configured to send flow
    • * goes in, kFlow comes out
  • 10. Client processing is a key enabler of useful data
  • 11. Step 1: Normalization
    • Separate code paths for each type expected
    • CGO callouts
  • 12. Step 2: Enrichment
    • BGP - route data for xxx
    • GeoIP - where does my traffic start and end
    • SNMP - interface names and descriptions
    • Tagging - business classification: cost-centers, user-info, peering info
    • App-specific data - URL/DNS requests, MySQL query
    • Performance data (NPM) - retransmits, network latency, application latency
    • Coming soon:
      • Timestamped event data (syslog)
      • Threat feeds
  • 13. Data fusion in client
    [Diagram: decoder modules (NetFlow v5, NetFlow v9, IPFIX, sFlow, PCAP from a PCAP agent) and enrichment sources (BGP daemon / BGP RIB, SNMP poller, custom tags, Geo ←→ IP and ASN ←→ IP mem tables, enrichment DB) feed the data fusion step; a single fused row per flow is sent to the router-flow-friendly datastore.]
  • 14. Step 3: Resampling & Unification
    • Long term (>1 month)
    • What a process (device) said over an hour
    • Two tricks:
      • Flow unification
      • Resampling
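An added example (not Kentik's code) of Steps 2 and 3 together: enriching a normalized flow from BGP, GeoIP and SNMP lookup tables, then unifying an hour of one device's flows into one row per 5-tuple while scaling counters to a common sample rate. The tables and flow records are constructed, and the resampling semantics are one plausible reading of the slide, not Kentik's algorithm.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-ins for the BGP RIB, GeoIP and SNMP tables the client fuses
# with each flow (hypothetical prefixes, ASNs and interface names).
ROUTES = {ipaddress.ip_network("203.0.113.0/24"): 64496,
          ipaddress.ip_network("198.51.100.0/24"): 64497}
GEO = {64496: "US", 64497: "DE"}
IFACES = {10: "xe-0/0/0 (peering: IX-1)", 20: "ge-0/1/0 (transit)"}

# Constructed, already normalized (Step 1) records from one device; the second
# record was exported while the device sampled 1-in-2000 instead of 1-in-1000.
SAMPLE_FLOWS = [
    {"ts": 1489000100, "src": "203.0.113.10", "dst": "198.51.100.7", "proto": 6,
     "dport": 443, "packets": 10, "bytes": 15000, "in_if": 10, "sample_rate": 1000},
    {"ts": 1489001900, "src": "203.0.113.10", "dst": "198.51.100.7", "proto": 6,
     "dport": 443, "packets": 5, "bytes": 7000, "in_if": 10, "sample_rate": 2000},
]


def lookup_asn(ip: str) -> int:
    """Longest-prefix match of an address against the route table (0 = no route)."""
    addr, best = ipaddress.ip_address(ip), None
    for net, asn in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else 0


def enrich(flow: dict) -> dict:
    """Step 2: attach BGP, Geo and SNMP context to a normalized flow record."""
    f = dict(flow)
    f["src_asn"], f["dst_asn"] = lookup_asn(f["src"]), lookup_asn(f["dst"])
    f["src_geo"], f["dst_geo"] = GEO.get(f["src_asn"], "??"), GEO.get(f["dst_asn"], "??")
    f["in_if_name"] = IFACES.get(f["in_if"], f"ifIndex {f['in_if']}")
    return f


def unify_hour(flows, target_rate: int = 1000) -> dict:
    """Step 3: collapse what one device said over an hour into one row per
    (hour, src, dst, proto, dport), scaling each record's counters from its
    configured 1-in-N sample rate to a common target rate."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for f in flows:
        key = (f["ts"] - f["ts"] % 3600, f["src"], f["dst"], f["proto"], f["dport"])
        scale = f["sample_rate"] / target_rate
        totals[key][0] += f["packets"] * scale
        totals[key][1] += f["bytes"] * scale
    return {k: (round(p), round(b)) for k, (p, b) in totals.items()}
```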
  • 15. Query + Storage layers: achieving ‘à la carte’ data consumption
  • 16. Storage Layer
    • Fused kFlow as input... Cap'n Proto (like protobuffers)
    • Shard data into small chunks
    • HTTP to N distributed storage nodes
    • Metadata supervisor DB handles shard locations
    • Row oriented to column oriented
    • Compressed using ZFS
  • 17. Multi-Tenancy DB
    Needed multitenancy for a large-scale SaaS product. Could not find other DBs @scale with it. We succeeded by building in:
    ● Fairness: queries are chopped into small chunks, users are rate limited and prioritized
    ● Security: data is isolated between “users” down to the thread level
    ● Multiuser caching with fairness: built a cache that cannot be monopolized by any 1 user
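An added example (not Kentik's implementation) of two of the mechanisms listed above: a query-result cache with a per-tenant quota that no single user can monopolize, and per-tenant rate limiting for query admission. Class and parameter names are hypothetical.

```python
from collections import OrderedDict


class FairCache:
    """Query-result cache with a per-tenant byte quota: each tenant has its own
    LRU map (no cross-tenant visibility) and evicts only its own entries."""

    def __init__(self, per_tenant_bytes: int):
        self.quota = per_tenant_bytes
        self._lru = {}   # tenant -> OrderedDict(key -> size), oldest first
        self._used = {}  # tenant -> bytes currently held

    def get(self, tenant: str, key: str) -> bool:
        lru = self._lru.get(tenant)
        if lru is None or key not in lru:
            return False
        lru.move_to_end(key)  # refresh recency
        return True

    def put(self, tenant: str, key: str, size: int) -> bool:
        if size > self.quota:
            return False  # a result no tenant could ever hold is not admitted
        lru = self._lru.setdefault(tenant, OrderedDict())
        if key in lru:  # replace rather than double-count an existing key
            self._used[tenant] -= lru.pop(key)
        while self._used.get(tenant, 0) + size > self.quota:
            _, old = lru.popitem(last=False)  # evict this tenant's oldest only
            self._used[tenant] -= old
        lru[key] = size
        self._used[tenant] = self._used.get(tenant, 0) + size
        return True

    def used(self, tenant: str) -> int:
        return self._used.get(tenant, 0)


class TenantLimiter:
    """Per-tenant token bucket for query admission: one tenant's burst is rate
    limited without starving the others."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self._tokens, self._last = {}, {}

    def allow(self, tenant: str, now: float) -> bool:
        elapsed = now - self._last.get(tenant, now)
        tokens = min(self.burst, self._tokens.get(tenant, self.burst) + elapsed * self.rate)
        self._last[tenant] = now
        self._tokens[tenant] = tokens - 1 if tokens >= 1 else tokens
        return tokens >= 1
```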
  • 18. Query layer
    [Diagram: as on slide 4, highlighting the query engine and UI and the SQL, WWW and REST query interfaces.]
    ● SQL interface: PSQL FDW
    ● UI/UX feat. advanced data-viz
    ● REST API based interface: build your own
  • 21. API
  • 23. Anomaly Detection
    ● Network + NPM specific
    ● Policy based, customizable
    ● Granular itemization and metrics
      ○ Look at top-100 country, IP, port, ASN, site, path, ...
      ○ Unique senders, bps, pps, rxmits, latency
    ● Over/under static thresholds
    ● Over/under what’s “normal” (baselining)
    ● Perform actions
      ○ E-mail, Slack, JSON, PagerDuty
      ○ Mitigation (A10, Radware, BGP)
  • 24. Detecting Anomalies
    • DDoS is a simple use case of anomaly detection
    • V1 anomaly detection relied on KDE queries. Abusive
    • V2 needed stream processing and in-RAM baseline storage
    • Typically avoided streaming DBs due to aggregation
    • Streaming DBs for anomaly detection + our long-term flow storage is a powerful combination
    • Evaluated Spark, Storm, Samza, PipelineDB. Fail
  • 25. Streaming layer
    [Diagram: as on slide 6, highlighting the streaming layer.]