NetFlow technology and University Network Management

Source: Internet
Author: User

To manage a network effectively, administrators need a monitoring mechanism that collects the relevant information so that problems can be identified and solved proactively. NetFlow is a protocol that provides information about network traffic; with it, network administrators can quickly and effectively grasp the status of the networks under their jurisdiction.

With the rapid development of network applications, the network bandwidth of many schools has increased significantly, but the efficiency of network usage has not improved to the same degree. To manage a network effectively, administrators need a monitoring mechanism that collects the relevant information so that problems can be identified and solved proactively; NetFlow, a protocol that provides information about network traffic, lets administrators quickly and effectively grasp the status of the networks under their jurisdiction. The following sections first contrast NetFlow with earlier network management mechanisms, then describe how NetFlow operates, and finally introduce its current applications.

The origin of NetFlow
 
Traditionally, network administrators collect traffic data from SNMP-capable network devices through the Simple Network Management Protocol (SNMP). Obtaining information this way does not impose an excessive processing burden, but SNMP provides only coarse, simple counters. That information lets managers notice that a problem exists, but it is not enough to diagnose and solve it.

Is there a technology that provides more detailed network information? A network probe (sniffer) or similar monitoring tool can be deployed at a network device to capture the packets flowing through it, decode the fields in each packet header, and analyze the payload further to obtain more detailed information.

Although packet monitoring tools yield much more detailed information, they usually focus on the content of individual packets, so it is difficult for network managers to form a picture of the overall network status from what they report. Packet analysis is also time-consuming, and the volume of data to be examined is enormous, so the consumption of computing resources and staff time is astonishing. This method is clearly unsuitable for network management in a college environment.

NetFlow emerged in this situation and has become a popular tool for network administrators; more and more schools use it to understand their network usage. NetFlow provides more detailed network information than SNMP while avoiding the excessive bandwidth and computing resources that packet capture consumes.

NetFlow Operating Mechanism

NetFlow is a network traffic monitoring technology developed by Cisco's Darren Kerr and Barry Bruins in 1996. It is built into most Cisco routers, and other network equipment vendors such as Juniper, Extreme, and Gangwan Networks also support NetFlow, so it has gradually become a widely accepted standard.

NetFlow itself is a set of network traffic statistics protocols. Its main principle is that consecutive packets observed on a link are usually travelling to the same destination IP address, so they can be aggregated with a cache mechanism. When the network manager enables NetFlow on a router or switch interface, the device analyzes the header of each packet it receives, extracts the traffic data, and merges the packet's statistics into a Flow. In the NetFlow protocol, a Flow is defined as a unidirectional, continuous stream of packets between two endpoints. This means that each network connection is recorded as two Flow records: one for the client-to-server direction and one for the server-to-client direction.

Network devices use seven fields to distinguish Flows: source IP address, source port number, destination IP address, destination port number, protocol type, type of service, and router input interface. Whenever the device receives a new packet, it checks these seven fields to determine whether the packet belongs to a Flow already recorded; if so, the packet's traffic statistics are added to the corresponding Flow record. If no matching Flow record is found, a new Flow record is created to store the packet's traffic information. Because the cache space in the device is limited, it cannot hold an ever-growing set of Flow records, so the NetFlow protocol also defines a mechanism for terminating Flow records, which bounds the amount of Flow information stored on the device.

When any of the following conditions is met, the router terminates the Flow record and sends it in UDP packets to the NetFlow collector specified by the user: the transport-protocol flag field indicates that the connection has ended (for example, a TCP FIN); the traffic stops for more than 15 seconds; or the traffic is still being transmitted, in which case the Flow is terminated automatically every 30 minutes.

Although most network hardware vendors support NetFlow, there are many NetFlow versions. NetFlow version 5 is the common NetFlow data format and contains the following fields:

  • Source IP Address (IP address of the source host)
  • Destination IP Address (IP address of the destination host)
  • Source TCP/UDP Port (port number used by the source host)
  • Destination TCP/UDP Port (port number used by the destination host)
  • Next Hop Address (address of the next hop)
  • Source AS Number (AS number of the source host)
  • Destination AS Number (AS number of the destination host)
  • Source Prefix Mask (subnet mask of the source host's network)
  • Destination Prefix Mask (subnet mask of the destination host's network)
  • Protocol (communication protocol used)
  • TCP Flags (packet control flags)
  • Type of Service (QoS parameter)
  • Start sysUpTime (start time)
  • End sysUpTime (end time)
  • Input ifIndex and Output ifIndex (input and output interfaces)
  • Packet Count and Byte Count

Network devices that support NetFlow send the Flow information they collect to a preset collector host in UDP packets. The collector then processes and stores the raw traffic data for subsequent applications.
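As an added example (not code from the article), the following Python decodes a NetFlow v5 export datagram of the kind a collector receives over UDP; the header and record layouts are the standard v5 format, and the datagram bytes are constructed here for the demonstration.

```python
import struct
import ipaddress

# NetFlow v5 wire layout (big-endian): a 24-byte header followed by 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
RECORD_FIELDS = (
    "src_addr", "dst_addr", "next_hop", "input_if", "output_if", "packets", "bytes",
    "first_uptime", "last_uptime", "src_port", "dst_port", "pad1", "tcp_flags",
    "protocol", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)

def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of Flow dicts."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    # Trust the header's record count only after checking it against the payload length.
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src_addr", "dst_addr", "next_hop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        del rec["pad1"], rec["pad2"]
        flows.append(rec)
    return flows

def build_record(src, dst, sport, dport, proto, flags, pkts, octets, input_if=1):
    """Pack one constructed v5 record (demo helper, not part of the protocol)."""
    return struct.pack(RECORD_FMT, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, b"\x00" * 4, input_if, 2,
                       pkts, octets, 1000, 1200, sport, dport, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)

# Constructed sample datagram: one completed HTTP flow and one unanswered SYN.
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 123456, 1000000000, 0, 1, 0, 0, 0)
    + build_record("10.1.2.3", "203.0.113.10", 40000, 80, 6, 0x1B, 3, 144)
    + build_record("10.1.2.3", "203.0.113.11", 40001, 445, 6, 0x02, 1, 48)
)
```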

Application of NetFlow in network security

NetFlow records provide enough information to help network administrators identify anomalous events in their networks. Because NetFlow does not need to inspect packet payloads, it greatly reduces the computing workload on network devices, which makes it suitable for analyzing high-speed, busy network environments.

Because the NetFlow data source is a layer-3 forwarding device, NetFlow information collected from that device reflects the overall network situation. Analyzed appropriately, it helps managers spot network problems quickly in the early stages of a worm outbreak or other abnormal network behavior. The following sections describe how to use the information contained in NetFlow to detect abnormal behavior.

Analysis from the network layer perspective

Network attacks generally have some identifiable features, and we can compare these features against the collected NetFlow data to identify possible abnormal behavior. By examining the destination port field in the NetFlow data, we can filter the records to find the corresponding attacks; we can also identify anomalies by looking for illogical source or destination IP addresses. The Internet Assigned Numbers Authority (IANA) reserves three address ranges for private networks: 10.0.0.0 ~ 10.20.255.255, 172.16.0.0 ~ 172.31.255.255, and 192.168.0.0 ~ 192.168.255.255. Addresses from these ranges should never appear on the external network. However, because of a network design flaw, routers do not verify the source address field of the packets they receive, so attackers can exploit this to forge the source IP address (spoofing) when launching attacks and thereby avoid being traced. We can therefore find traffic with a forged source address from the Source IP Address field in the NetFlow data, use the Input ifIndex field of that Flow to identify the upstream router connected to that interface, and ask its operators to assist in the investigation or remediation.

Some abnormal behavior is associated with specific addresses or ports. For example, analysis of NetFlow data collected during the Code Red worm outbreak, which caused severe network congestion in 2001, shows that the worm's attack traffic has a distinctive signature: each Flow has a destination TCP/UDP port value of 80, a Packet Count of 3, and a Byte Count of 144 bytes. Network administrators can write a program that scans the collected NetFlow data for Flows with this signature, locate the hosts in the managed network that may be infected with Code Red, and then isolate the host or block its physical port to limit the damage. In the same way, collected attack signatures can be compared against the relevant fields in the NetFlow information to find possible attacks, and appropriate measures can be taken before they cause serious damage to the network.

Analysis from the perspective of the transport layer

We can use NetFlow data to find the host with the largest number of sessions in the network. A normal host connects to the outside at a certain frequency, so if a host has an abnormally large number of connections to a specific host, that may indicate a new worm, a denial-of-service attack, or network scanning. A host infected with a worm begins to generate abnormal network behavior, issuing a large number of outbound connection requests to find the next victim, so the NetFlow information for an infected host shows a large number of outbound connection attempts. Similarly, if a user in the managed network downloads a denial-of-service attack tool and tries to launch an attack, or uses a scanning tool such as Nmap to scan a specific website for vulnerabilities on the target host, the NetFlow data will show a large number of sessions originating from a specific address in the domain.

In addition to detecting network attacks, session analysis can also identify network misuse. For example, by analyzing the destination port numbers in the NetFlow data and focusing on outbound connections to port 25, we can reasonably suspect that a host whose number of outbound port 25 connections exceeds the normal value within a given period is being used to send spam or has been infected by an e-mail worm. By the same principle, we can also analyze the ports used by common peer-to-peer file sharing software, such as TCP 4662/UDP 4672 for eMule, to detect network misuse and take appropriate measures to reduce the damage.

Use TCP Control to filter out suspicious flows

However, in some large networks, attack-related NetFlow information may be diluted by the volume of normal NetFlow information; this is especially likely in the early stage of a virus infection, or when a careful attacker hides abnormal behavior within normal traffic. In addition, when a new attack technique or virus appears, we may not yet know its Flow features and cannot identify the abnormal traffic by signature comparison. To detect abnormal traffic quickly and effectively, we analyze the TCP control flags to narrow down the volume of NetFlow data that needs further analysis and catch abnormal traffic early. Worms replicate by infecting as many hosts as possible, so they probe for potential targets as fast as they can in a short period of time; moreover, most worms spread over TCP, so the TCP control flags provide clues that can serve as the basis for narrowing down the list of suspects.

During normal TCP connection establishment, the client sends a SYN packet to the target host, the target host responds with a SYN/ACK packet, and after receiving it the client returns an ACK packet to complete the connection. Not every connection attempt completes this handshake, however. NetFlow stores the union of all TCP control flags seen during the Flow in the packet control flags field, so we can use the information in this field to infer the characteristics of a specific host's network behavior.

A Flow that established a TCP connection normally has control flags such as ACK, SYN, and FIN recorded in its packet control (TCP Flags) field. A worm-infected host, however, picks targets at random; the chosen host may not exist, or it may not have the TCP port the worm targets open. In that case, the Flows generated by the infected host's outbound connections carry only the SYN flag in the TCP Flags field. Based on this feature, network administrators can filter their NetFlow data for Flows whose packet control flags contain only SYN, which eliminates most normal traffic. The real abnormal traffic then has to be found only within this suspicious subset, which makes the problem easier to identify quickly and avoids wasting computing resources.

Use ICMP messages to help filter out suspicious flows

Some worms and network attacks also use ICMP, and we can filter abnormal hosts out of the NetFlow data. First, find the Flows whose protocol field value is 1, which indicates ICMP; then interpret the ICMP message from the destination port (destination TCP/UDP port) field value. For example, if the destination port field is 2048, that is 800 in hexadecimal: the first digit is the ICMP type and the last two digits are the ICMP code, so the value means an ICMP echo request. If the field value is 769, that is 301 in hexadecimal, which indicates ICMP host unreachable. A value of 771 indicates ICMP port unreachable, and 768 indicates ICMP network unreachable. We can therefore first select the Flows whose protocol is ICMP, filter those whose destination port value is 768, 769, or 771, and analyze them further to find possible abnormal behavior. In this way, a suspicious list is filtered out of a large volume of NetFlow data, and the Flow data in the list is examined further, which helps network managers find the problem quickly.
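As an added example that is not part of the article, the following Python applies the heuristics of the preceding sections (a private source address arriving on the upstream interface, the Code Red signature, SYN-only Flows, ICMP unreachable values, and per-host session counts) to decoded Flow records. The flow dicts and the upstream interface index 7 are constructed sample data, and the private ranges are the standard RFC 1918 networks.

```python
from collections import Counter
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_SYN = 0x02
# NetFlow v5 reports ICMP type/code in dst_port as type*256 + code (0x0300 = 768, ...).
ICMP_UNREACHABLE = {768: "icmp-net-unreachable", 769: "icmp-host-unreachable",
                    771: "icmp-port-unreachable"}

def icmp_type_code(dst_port):
    """Split an ICMP Flow's dst_port value into (type, code): 2048 -> (8, 0)."""
    return dst_port >> 8, dst_port & 0xFF

def classify(flow, external_ifindex):
    """Return the names of the article's heuristics that one decoded Flow matches."""
    hits = []
    src = ipaddress.ip_address(flow["src_addr"])
    # A private source address arriving on the upstream interface must be forged.
    if flow["input_if"] == external_ifindex and any(src in net for net in RFC1918):
        hits.append("spoofed-private-source")
    if flow["protocol"] == 6:
        if flow["dst_port"] == 80 and flow["packets"] == 3 and flow["bytes"] == 144:
            hits.append("code-red-signature")
        if flow["tcp_flags"] == TCP_SYN:  # only SYN ever seen: the target never answered
            hits.append("syn-only")
    elif flow["protocol"] == 1 and flow["dst_port"] in ICMP_UNREACHABLE:
        hits.append(ICMP_UNREACHABLE[flow["dst_port"]])
    return hits

def top_sources(flows, n=3, dst_port=None):
    """Sources with the most Flow records (sessions), optionally only toward one port."""
    srcs = (f["src_addr"] for f in flows if dst_port is None or f["dst_port"] == dst_port)
    return Counter(srcs).most_common(n)

def mk(src, dst, dport, proto=6, flags=0x1B, pkts=10, octets=2000, input_if=1):
    """Build one constructed decoded Flow for the demo (not real telemetry)."""
    return dict(src_addr=src, dst_addr=dst, dst_port=dport, protocol=proto,
                tcp_flags=flags, packets=pkts, bytes=octets, input_if=input_if)

# Constructed sample: a scanning host, a mail fan-out host, a forged-source packet on the
# upstream interface (ifIndex 7), and an ICMP host-unreachable reply sent to the scanner.
SAMPLE_FLOWS = (
    [mk("10.1.2.3", "198.51.100.%d" % i, 80, flags=TCP_SYN, pkts=1, octets=48) for i in range(1, 6)]
    + [mk("10.1.2.3", "203.0.113.9", 80, pkts=3, octets=144)]
    + [mk("10.1.9.9", "192.0.2.%d" % i, 25) for i in range(1, 4)]
    + [mk("192.168.0.5", "10.1.2.3", 2048, proto=1, input_if=7)]
    + [mk("198.51.100.1", "10.1.2.3", 769, proto=1, input_if=7)]
)
```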

Because network bandwidth is growing rapidly, deploying NetFlow only at the core layer may degrade device performance. Gangwan Networks currently provides NetFlow on its FlexHammer 5210 series at the aggregation layer and its BigHammer 6800 series at the core layer. By deploying NetFlow in a distributed manner across the core and aggregation layers, a complete virus and network anomaly control mechanism can be provided while preserving network performance, assisting network managers with network maintenance and reducing the management pressure on college and university network centers.
