Network Security Monitoring with Flow Data
Anomaly Detection & DDoS Protection
Pavel Minařík, Chief Technology Officer
What is Flow Data?
Modern network telemetry data, supported by many vendors
Cisco standard NetFlow v5/v9, IETF standard IPFIX
Focused on L3/L4 information and volumetric parameters
Reduction ratio of real network traffic to flow statistics: roughly 500:1
Flow-Based Traffic Analysis
Network as a sensor concept (and enforcer) blogs.cisco.com/enterprise/the-network-as-a-security-sensor-and-enforcer
Bridges the gap left by signature-based security
Key technology for incident response
Designed for multi-10G environments
Statistical analysis: volumetric DDoS detection
Advanced data analysis algorithms: detection of non-volumetric anomalies
DDoS Protection on Backbone
Backbone perimeter specifics
Multiple peering points – routers & uplinks
Large transport capacity – tens of gigabits easily
In-line protection is close to impossible!
Flow-based detection and out-of-path mitigation
Easy and cost-efficient to deploy in backbone/ISP networks
Prevents volumetric DDoS from reaching the enterprise perimeter
Flow export
1. Flow collection
2. DDoS detection
3. Routing control
4. Mitigation control
Out-of-Path Mitigation
[Diagram: Internet -> Service Provider Core -> Protected Object 1 (e.g. Data Center, Organization, Service etc.) and Protected Object 2. Flow data collection with learning baselines; on attack: anomaly detection, mitigation enforcement, traffic diversion to a scrubbing center via BGP route injection (attack path vs. clean path); dynamic protection policy deployment incl. baselines and attack characteristics.]
BGP Flowspec Mitigation
[Diagram: Internet -> Service Provider Core -> Protected Object 1 (e.g. Data Center, Organization, Service etc.) and Protected Object 2. Flow data collection with learning baselines; on attack: anomaly detection, mitigation enforcement by sending a specific route advertisement via BGP FlowSpec.]
Dynamic signature: Dst IP: 1.1.1.1/32, Dst Port: 135, Protocol IP: 17 (UDP), action: Discard
Dropped traffic for Dst IP: 1.1.1.1/32, Dst Port: 135, Protocol IP: 17 (UDP)
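As an added example (not part of the original slides or of the Flowmon product), the detection-to-mitigation chain above in Python: constructed per-destination flow byte counts, an adaptive mean/std-dev baseline learned from quiet intervals, and a FlowSpec-style discard rule rendered for the target the slide shows (1.1.1.1/32, UDP/135). The record fields, the 3-sigma threshold with a byte floor, and the rule text format are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (interval, dst_ip, dst_port, proto, bytes).
# Intervals 0-4 are quiet baseline traffic; interval 5 carries a UDP/135 flood
# while normal TCP/443 traffic to the same destination continues unchanged.
FLOWS = (
    [(i, "1.1.1.1", 135, 17, 1_000 + 50 * (i % 3)) for i in range(5)]
    + [(i, "1.1.1.1", 443, 6, 20_000 + 500 * (i % 2)) for i in range(5)]
    + [(5, "1.1.1.1", 135, 17, 900_000),   # volumetric flood toward UDP/135
       (5, "1.1.1.1", 443, 6, 20_300)]     # web traffic stays near baseline
)

def aggregate(flows):
    """Sum bytes per (interval, dst_ip, dst_port, proto), as a collector would."""
    agg = defaultdict(int)
    for interval, ip, port, proto, nbytes in flows:
        agg[(interval, ip, port, proto)] += nbytes
    return agg

def learn_baseline(agg, train_intervals):
    """Adaptive baseline: mean and std-dev of bytes per interval for each target."""
    series = defaultdict(list)
    for (interval, ip, port, proto), nbytes in agg.items():
        if interval in train_intervals:
            series[(ip, port, proto)].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in series.items()}

def detect(agg, baseline, interval, k=3.0, min_bytes=100_000):
    """Flag targets whose bytes in `interval` exceed mean + k*stddev and a floor.

    The floor (assumed value) keeps tiny services with near-zero variance from
    alerting on harmless fluctuations."""
    hits = []
    for (iv, ip, port, proto), nbytes in agg.items():
        if iv != interval or (ip, port, proto) not in baseline:
            continue
        mu, sigma = baseline[(ip, port, proto)]
        if nbytes > max(mu + k * sigma, min_bytes):
            hits.append((ip, port, proto, nbytes))
    return hits

def flowspec_rule(ip, port, proto):
    """Render the dynamic signature as a FlowSpec-style discard rule (text form)."""
    return f"match dst {ip}/32 dst-port {port} protocol {proto} then discard"

baseline = learn_baseline(aggregate(FLOWS), range(5))
alerts = detect(aggregate(FLOWS), baseline, 5)
rules = [flowspec_rule(ip, port, proto) for ip, port, proto, _ in alerts]
```

Only the UDP/135 target crosses its learned baseline, so exactly one discard rule is produced; the TCP/443 service is left untouched.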
Anomaly Detection on Backbone
Machine Learning
Adaptive Baselining
Heuristics
Behavior Patterns
Reputation Databases
Sample Anomaly Detection Report
Focus on Indicators of Compromise
Provided by ISP to Enterprise Customers
Flowmon Networks a.s.
Sochorova 3232/34, 616 00 Brno, Czech Republic
www.flowmon.com
Thank you
Performance monitoring, visibility and security with a single solution
Pavel Minařík, Chief Technology Officer
[email protected], +420 733 713 703