There’s Plenty of Room at the Bottom:
An Invitation to Explore with Network Flows

Benjamin Black
b@fastip.com
What are Flows & Why Should You Care?
You Should Care Because Visibility Makes Your Life Easier.
Network Flow Data Means Great Visibility.
DDoS Detection
Capacity Planning
Traffic Management
Troubleshooting
Correlation
...
The Nature of Flows
[traffic]
[streams]
[packets]
(packet diagram: Header, Payload)
[headers]
Protocol
Source IP Address
Destination IP Address
Source Port
Destination Port
[latency]
[jitter]
[packet loss]
The Structure of Flows
[flow keys]
(diagram: two packet headers side by side, the five key fields of one set equal to those of the other; packets whose key fields all match belong to the same flow)
Protocol
Source IP Address
Destination IP Address
Source Port
Destination Port
[templates]
template_id 253
  protocol
  src IPv4 address
  dest IPv4 address
  src port
  dst port
  total octets
  total packets
  start time
  end time
[flow records]
template_id 253
  protocol           TCP
  src IPv4 address   172.16.101.3
  dest IPv4 address  192.169.7.200
  src port           9801
  dst port           80
  total octets       27342 octets
  total packets      24 packets
  start time         start 28349829023
  end time           end 28356729023
The Ecosystem of Flows
[metering process]
(diagram: the metering process emits a stream of template_id 253 flow records; the sample record above is shown repeated)
[observation domain]
eth0
eth1
eth2
[collecting process]
(diagram: the collecting process receives the stream of template_id 253 records from each observation domain, eth0, eth1 and eth2)
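As an added example (not code from the slides or from fast_ip), the metering and collecting processes above in Python: packets are keyed by the five header fields, aggregated into records laid out like template_id 253, exported when a flow goes idle, and merged on the collector side. Timestamps are assumed to be milliseconds (the slides give no unit), the idle timeout is a constructed value, and the packet stream is constructed so that the TCP flow reproduces the slides' sample record; the UDP flow and its addresses are constructed too.

```python
"""Toy metering/collecting pipeline for IPFIX-style flow records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TEMPLATE_ID = 253
# Flow key: the five header fields the slides name (protocol, src IP, dst IP, src port, dst port).
FlowKey = Tuple[str, str, str, int, int]

@dataclass
class Packet:
    ts: int       # observation time; the slides give no unit, milliseconds assumed here
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    octets: int   # bytes on the wire

@dataclass
class FlowRecord:  # laid out like the slides' template_id 253
    template_id: int
    key: FlowKey
    octets: int
    packets: int
    start: int
    end: int

class MeteringProcess:
    """Aggregates packets into flow records; a record is exported once its flow goes idle."""

    def __init__(self, idle_timeout_ms: int) -> None:
        self.idle_timeout_ms = idle_timeout_ms
        self.active: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def observe(self, p: Packet) -> None:
        self._expire(p.ts)
        key: FlowKey = (p.proto, p.src, p.dst, p.sport, p.dport)
        rec = self.active.get(key)
        if rec is None:  # first packet of a new flow: start and end both at this packet
            self.active[key] = FlowRecord(TEMPLATE_ID, key, p.octets, 1, p.ts, p.ts)
            return
        rec.octets += p.octets
        rec.packets += 1
        rec.end = p.ts

    def _expire(self, now: int) -> None:
        # A flow with no packet for longer than the idle timeout is finished: export it.
        idle = [k for k, r in self.active.items() if now - r.end > self.idle_timeout_ms]
        for k in idle:
            self.exported.append(self.active.pop(k))

    def flush(self) -> List[FlowRecord]:
        # Export everything still active (e.g. at shutdown) and return all records.
        self.exported.extend(self.active.values())
        self.active.clear()
        return list(self.exported)

def merge_records(records: List[FlowRecord]) -> Dict[FlowKey, FlowRecord]:
    """Collecting-process side: fold records with the same key into one,
    e.g. a long-lived flow that the meter exported in several pieces."""
    merged: Dict[FlowKey, FlowRecord] = {}
    for r in records:
        m = merged.get(r.key)
        if m is None:
            merged[r.key] = FlowRecord(r.template_id, r.key, r.octets, r.packets, r.start, r.end)
        else:
            m.octets += r.octets
            m.packets += r.packets
            m.start = min(m.start, r.start)
            m.end = max(m.end, r.end)
    return merged

# Constructed packet stream: 24 TCP packets that reproduce the slides' sample record
# (TCP 172.16.101.3:9801 -> 192.169.7.200:80, 27342 octets, start 28349829023,
# end 28356729023) plus a short constructed UDP flow that goes idle and is exported early.
SLIDE_KEY: FlowKey = ("TCP", "172.16.101.3", "192.169.7.200", 9801, 80)
UDP_KEY: FlowKey = ("UDP", "172.16.101.7", "192.169.7.200", 40123, 53)
START, STEP = 28349829023, 300_000

def constructed_packets() -> List[Packet]:
    pkts = [Packet(START, *UDP_KEY, 72), Packet(START + 1_000, *UDP_KEY, 88)]
    sizes = [1140] * 23 + [1122]  # 23 * 1140 + 1122 = 27342 octets
    pkts += [Packet(START + i * STEP, *SLIDE_KEY, size) for i, size in enumerate(sizes)]
    return sorted(pkts, key=lambda p: p.ts)

def run_pipeline(idle_timeout_ms: int = 600_000) -> Dict[FlowKey, FlowRecord]:
    """Meter the constructed stream (idle timeout is a constructed value), then merge."""
    meter = MeteringProcess(idle_timeout_ms)
    for p in constructed_packets():
        meter.observe(p)
    return merge_records(meter.flush())

if __name__ == "__main__":
    for rec in run_pipeline().values():
        print(rec)
```

Running it prints two merged records: the slides' TCP record (27342 octets, 24 packets, start 28349829023, end 28356729023) and the constructed UDP flow. Shrinking the idle timeout (for instance to 15 000 ms) makes the meter split the same TCP flow into 24 one-packet records, which is the loss-of-resolution trade-off the later slides talk about; merge_records on the collector puts the totals back together.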
Storage and Analysis are Left as an Exercise for the Reader
Where Do Meters Run?
On Network Switches/Routers [often sampled]
Dedicated Appliances [expensive/limited storage]
On Hosts [where does the data go?]
The Classical View
Where is this going?
Where is this coming from?
The Flow View
TANSTAAFL
Flow Data Takes Up LOTS of Space
[often >1% total traffic]
LOTS of Space Means Storage Expense or Loss of Resolution or Truncation
LOTS of (Multi-dimensional) Data is Hard to Analyze
Inflexible and Limited or Expensive and Complicated
[apologies]
[resources]
IPFIX WG
  http://datatracker.ietf.org/wg/ipfix/charter/
nProbe
  http://www.ntop.org/nProbe.html
Cisco NetFlow Collection Engine
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/index.html
Arbor Networks
 http://www.arbornetworks.com/
Dartware
 http://www.intermapper.com/products/intermapper-flows
[finally...]
fast_ip is a platform for flow analytics
Sign up for our beta: http://fastip.com