03.09.2013

Implementation of data collection tools using NetFlow for statistical ...

4 Implementation

• Once an attack from another AS was under way, the number of flows, packets and bytes received would increase rapidly and cause a spike in the graphed data for that particular AS, indicating that there might be a problem.

• Focusing on that particular AS with a new tag, named [attack], would then yield the wanted detailed information: the IP addresses of sender and receiver, the bytes sent and received, as well as the number of packets sent.

With this in mind, pmacct was configured to divide the traffic accordingly. The configuration was split over several individual files in order to accomplish the tagging. The main settings live in the regular configuration file; the BGP peering is set up in agent.map, which is referenced from the main configuration; and the tagging of traffic is done in pretag.map, which I2B would edit to focus on the attacking AS and so obtain the detailed information they required.

See the appendix, chapter 8.5 and its sub-chapters, for the configuration.
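A minimal version of this split, written as an added example rather than taken from the thesis appendix, shows how the two steps from the bullet list map onto pmacct's files: one plugin keeps per-AS totals for the graphs that reveal the spike, a second plugin stores the detailed records only for flows carrying the [attack] tag, and pretag.map is the one file that changes when the suspected AS changes. The router address 192.0.2.1, the collector address 192.0.2.10, the attacker AS 64511, the tag value 100 for [attack], the file paths and the database credentials are all assumptions; the pmacct keys themselves (nfacctd_ip, aggregate, pre_tag_map, pre_tag_filter, bgp_agent_map, sql_*) are real configuration directives.

```text
! nfacctd.conf  (main configuration; "!" introduces a comment)
daemonize: false
nfacctd_ip: 0.0.0.0
! UDP port the router exports NetFlow to (assumed)
nfacctd_port: 2055

! Two MySQL plugins fed from the same NetFlow stream:
!   totals  - coarse per-AS counters, graphed to spot the spike
!   attack  - full detail, but only for flows tagged 100 ([attack])
plugins: mysql[totals], mysql[attack]
aggregate[totals]: src_as, dst_as
aggregate[attack]: tag, src_host, dst_host, src_port, dst_port, proto, src_as, dst_as
pre_tag_filter[attack]: 100

! Take AS numbers from the BGP table learned from the router rather than
! from whatever the NetFlow records carry (older releases called this key
! nfacctd_as_new).
nfacctd_as: bgp
bgp_daemon: true
bgp_daemon_ip: 192.0.2.10
bgp_daemon_max_peers: 1
bgp_agent_map: /etc/pmacct/agent.map
pre_tag_map: /etc/pmacct/pretag.map

! MySQL output; sql_table_version is assumed to select a shipped schema
! (sql/pmacct-create-table_v*.mysql) that has as_src/as_dst columns.
sql_host: localhost
sql_db: pmacct
sql_user: pmacct
sql_passwd: secret
sql_table_version: 5
sql_table[totals]: acct_as
sql_table[attack]: acct_attack
sql_refresh_time: 300
sql_history: 5m
sql_history_roundoff: m

! ---------------------------------------------------------------
! agent.map: tie the NetFlow exporter (ip) to the BGP peer (bgp_ip)
! whose routing table is used to resolve its flows to AS numbers.
bgp_ip=192.0.2.1 ip=192.0.2.1

! ---------------------------------------------------------------
! pretag.map: rules are evaluated top down and the first match wins,
! so the [attack] rules must come before the catch-all.
! Tag 100 = [attack]: every flow to or from the suspected AS 64511.
set_tag=100 ip=192.0.2.1 src_as=64511
set_tag=100 ip=192.0.2.1 dst_as=64511
! Everything else from this exporter gets a generic tag and is
! therefore dropped by the "attack" plugin but kept by "totals".
set_tag=1 ip=192.0.2.1
```

When the suspected AS changes, only the two set_tag=100 lines in pretag.map are edited and the maps are reloaded by sending nfacctd a SIGUSR2; the main configuration and the BGP peering stay as they are. The detailed rows then accumulate in the attack table, tagged with 100, from which sender and receiver addresses, bytes and packets can be read out directly.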

The amount of traffic sent from the small router to the Linux machine turned out to be more than estimated, but still very manageable. Observation showed that close to 20 GB of data was sent per day, all of it flow data. Considering that what is exported is only summary information derived from packet headers, never the payload (a TCP header itself is only 20 bytes), this amounts to quite a lot of data.

4.3.2 Storing the data – solution

MySQL was left at its default configuration, on the reasoning that a default configuration would suffice given the approximated small load; fine-tuning for optimal performance was therefore not necessary. The graphical front end phpMyAdmin was, however, installed to help visualize the collected data.

The computer hardware turned out to be more than sufficient, both from testing and from a case study of peering at AS286, in which pmacct ran on a dual-core CPU with 4 GB RAM while collecting data from a 250+ Gbps routing domain [53].
