Network Measurements Flashcards
Why do we want to measure the network?
Network provider:
- Model reality
- Predict future
- Plan network
- Avoid bottlenecks in advance
- Reduce cost
Service provider:
- Get information about clients
- Adjust service to demands
- Reduce load on servers
Client: check service & compare
Researcher: performance evaluation & understanding
Why do we need to measure?
- Distributed multi-domain network -> information only partially available
- Growth, usage, structure changes
- Highly interactive system
- Heterogeneity in all directions
- The total is more than the sum of its pieces
- Built, driven, and used by humans -> errors, misconfigurations, flaws, failures, misuse, …
What types of active measurement are conducted?
Performance: latency, throughput, loss
Topology: mapping (L2, IP, AS), alias resolution
Security: TLS certificates & certificate transparency, SSH server keys, IoT protocols
How does certificate transparency measurement work?
Certificate transparency is a public log of issued certificates (to detect incorrectly issued certificates).
-> the log can be scanned
What can active security measurements do for the internet?
Improve security by:
- finding insecure devices & configurations (-> notify the operators)
- finding weaknesses in protocols
- finding protocols vulnerable to amplification attacks
How can you address the ethical concerns and reduce the intrusiveness of active measurements?
- Reduce intrusiveness of the scanning technique (no login, low scanning rate)
- Provide information on the scanning machines' website
- Respond to every inquiry and abuse mail
- Offer the possibility of blacklisting IP addresses and subnets
What is passive measurement?
Passive measurement is observing existing traffic in the network using probes, e.g.:
- traffic volume
- traffic composition
- packet interarrival times
What can you use passive measurements for?
- Traffic analysis (engineering, anomaly detection)
- Accounting (resource utilization & charging)
- Security (intrusion detection & prohibited data transfers)
What types of export timeouts exist in flow-based traffic measurements?
Inactive timeout -> export at end of flow
Active timeout -> periodic export for long-lived flows
What is an IP Traffic Flow in IPFIX?
A set of IP packets passing an observation point during a certain time interval.
All packets of the flow share a set of common properties.
What is an observation point in IPFIX?
A location where IP packets can be observed. An observation point can be a superset of other observation points.
Explain the IPFIX metering process
Packet header capture -> Timestamp -> Classify -> Timestamp || Maintaining flow records
What is a flow record in IPFIX?
Information about a specific flow. Contains measured properties (e.g. total bytes of all packets) and characteristics.
How does anomaly detection with passive measurement work?
Collect flow data at observation points in the network and create a time series representation.
Label flows as good or malicious & train a model.
Name some indicators for amplification attacks that can be found using passive measurement
- Amplification factor: small requests generate larger responses
- attacker sends few variations of packets (similar lengths)
- payload similarity
- unsolicited ICMP messages (watch for ICMP returning from the victim)
- TTL measurements (different path lengths attacker -> amplifier & amplifier -> victim)
What is hybrid measurement?
Modification of packet flows (header modification & piggybacking)
+ Same as for passive
+ can introduce additional information
- Modifying data packets may cause problems
Name some issues with active and passive measurements
Active:
- intrusive
- finds out what the network is capable of
- changes network state
Passive:
- non-intrusive
- finds out the current situation
- does not influence network state
Name some network metrics
- Throughput: bandwidth & packet rate
- Latency: average, standard deviation, median, jitter, percentiles
- Frame loss rate
(- Max burst length)
(- recover after overload)
(- recover after sys restart)
Why is packet rate important?
Per-packet header processing is costly. Therefore a few large packets get processed faster than the same amount of bytes in many small packets (both have the same bandwidth).
What is the max packet rate for a 10 Gbit/s network?
Min Ethernet frame: 64 bytes + 8 bytes (Ethernet preamble and start-of-frame delimiter) + min interpacket gap 12 bytes
-> 84 bytes per packet on the wire
10 Gbit/s / (84 bytes * 8 bit/byte) = 14.88 Mpps
How does parallel packet processing work?
The NIC has a high number of queues (TX and RX), one for each core.
Explain the 3 possibilities to distribute incoming traffic
Per-packet:
- every packet may be on a different core -> may cause packet reordering and requires state synchronization
Per-flow (5 tuple):
- one flow per core -> protocol state stays on one core, no reordering within a flow
Explicitly configured filters:
- flows can be mapped to explicit cores -> useful to forward traffic to VMs, but per-flow has better balance
Name possible bottlenecks for performance
- CPU power
- NIC processing power (mostly consumer devices)
- Bus (PCIe) bandwidth: 8 Gbit/s per lane
What advantages/disadvantages does packet processing in user space have?
+ Fewer expensive system calls
+ Simplified memory management
+ Way faster
+ Batch processing in app
- Protocol implementation in app
- NIC is used exclusively by a single app
- Not API-compatible with typical user space apps
Give adv/disadv of techniques for packet reception
Interrupt per packet:
+ low latency
- low throughput (expensive interrupts)
Several packets per interrupt:
+ high throughput
- high latency
No interrupts (polling):
+ low latency (depending on polling frequency)
+ high throughput
- inefficient at low packet rates (busy waiting)