rorPekflowSP网络流量清洗分析产品.ppt

1、Arbor Peakflow SP网络流量分析产品,Hunter Dong 董波, Solution ArchitectCCIE 11477,2,Arbor Peakflow SP CP 异常检测,议程,Arbor Peakflow SP CP - 流量统计分析TR,Arbor Peakflow SP TMS 流量清洗,Introduction to Arbor,Introduction to Arbor 电信用户需求与产品亮点,3,Arbor致力于网络流量分析与安全领域,Solid Technology Base 起源于Cisco在密西根大学投资的实验室 16项专利

2、技术 Solid Financial Base 注册资金3,300万美元 销售额每年成翻倍增长; 在04年达到230% Solid Market Base Arbor 平台产品在全球100家以上的客户 多数为一级运营商和大型企业 Strategic Partnerships include:,4,Education,MSO,Enterprise,Tier 1,Tier 2/ISP/Hosting,Customers: Americas,Government,5,EMEA,Asia Pac,Customers: EMEA and APAC,6,国内运营商案例,7,企业级用户,140+ custo

3、mers worldwide including:,8,Peakflow SP Platform,Peakflow|SP,异常检测 DoS/worm detection Traceback Analysis Mitigation,统计分析 Routing management Transit/peering mgmt Customer accounting Backbone mgmt,Infrastructure security, intelligent traffic analysis, managed DoS protection,for service providers,9,议程,I

4、ntroduction to Arbor 电信用户需求与产品亮点,10,用户需求与产品亮点,骨干网络网管系统 全国骨干/省网/城域网, 链路分析/ Peer 分析/网络优化与规划 业务网络检测 IDC 网络安全分析 异常流量的发现与清洗 Managed Service 增值化IP服务,11,针对潜在宽带客户的流量分析-智能决策的依据,该客户流入网通的流量是多少? 去了哪里? Top talker 是谁? 流量模型是什么?应用?忙时? 以怎样的优化部署方案去吸引客户? 怎样发挥现有的优势, 实现自身网络资源利用最大化?,与新客户会面前的家庭作业,12,针对现有宽带客户的流量分析-智能决策的依据,

5、差异化的服务有那些? 安全服务SLA DDoS流量清洗 Managed Service Portal的实现 分布式部署的优化设计 历史数据的发掘,留住老客户的法宝 - 低价? 还是高质!,Service Offering Example:Network-Based DDoS Detection,Benefits Support multiple customers on shared Peakflow devices Share capacity in-the-cloud Multiple attack mitigation options Customizable customer-faci

6、ng portal for anomaly reporting Product Peakflow SP CP Peakflow SP MS,Service Offering Example:Intelligent Traffic Reporting,Benefits Support multiple customers on shared Peakflow devices Customer-facing portal for customer breakdowns, top talkers, & business-centric reports Network-wide reports for

7、 scoped customers Product Peakflow SP CP Peakflow SP MS,Service Offering Example:Worm Detection and Reporting,Benefits Worm detection in-the-cloud and at network borders Track known worms on a per-customer basis Download worm signatures Enablers Peakflow SP CP Peakflow SP MS,Service Level Offering B

8、reakout,Bronze,24x7 Address Monitoring Plus 3 additional critical site/resources Notification on yellow & red alerts for the specified critical resources Availability SLA On red alerts Bandwidth saturation Treatment in 60 minutes Automated Traffic & Event Reporting 5 per customer in PDF or XML Repor

9、t types: Anomalies, Top Talkers, Bandwidth Utilization, Application Breakdown,Service Level - Gold,Bronze,Service Availability Monitoring for Customers backed by SLAs,Automated Weekly Reports,Bronze,Customized Customer Portal Event Analysis High/Medium/Low Bandwidth Distribution Worm Tab Real-time r

10、eport Generation: Top Talkers, Protocol Utilization, Application Breakdowns Customize Profile Generation: Per site/Application breakdowns ACL change request 3 per month for Low/Medium Alerts Fingerprint Generation Alert Specific Automated Security & Abuse Related Reports,Service Level - Silver,On-Ne

11、t Portal and Customized Views,Bandwidth & Protocol Analysis,Automated Alerting and Notification,Bronze,Customer-initiated Mitigation Blackhole Infrastructure Integration Mitigation Device Customer Controlled Alert specific activation Level 3 expertise not required Service Provider SLA ensures availa

12、bility even when the customer is resting,Service Level - Brone,25,议程,Arbor Peakflow SP CP - 流量统计分析TR,26,Peakflow SP Platform,Peakflow|SP,异常检测 DoS/worm detection Traceback Analysis Mitigation,统计分析 Routing management Transit/peering mgmt Customer accounting Backbone mgmt,Infrastructure security, intel

13、ligent traffic analysis, managed DoS protection,for service providers,27,Arbor支持流量数据格式,NetFlow V1、V5、V7、V8、V9格式的流量数据 Arbor网络公司的Peakflow SP系统支持工业标准的Netflow/Cflow/Sflow/Netstream，从而能够对业界主流设备厂商进行良好的支持，包括： Cisco (Netflow) Juniper/Alcatel (Cflow) Foundry(Sflow) Huawei(Netstream) Avici(Netstream),28,P R O

14、 V I D E R B A C K B O N E,Peering Point #2,Peering Point # 3,Collector,Collector,Controller,Netflow/BGP/SNMP,网络结构,Peering Point # 1,Netflow/BGP/SNMP,Netflow/BGP/SNMP,SSL,HTTPS,29,Peakflow SP 系统的性能,支持时实性分析全网关联的流量分析。 采用分布式处理结构，全网路由器数目无上限。 曾经在北美商用网络中存在全网超过150台路由器、实际控制路由器全为GSR等级设备的案例。 实际上用网络中存在控制端口为OC-

15、192， 40G/slot的 T-640系列路由器的案例。,30,系统状态监控,流量分析设备运行情况 各台设备的CPU/Memory/Disk/Flow/Serial Number 路由器情况 路由器CPU/Memory/Flow 路由器端口情况 端口描述/端口类型/端口流量（SNMP） 系统日志 Netflow/SNMP结果对比 BGP路由表监控 全球路由表条目/稳定性/路由条目/Prefix长度分析,31,网络中的流量类型,32,流量分析系统的监控范围,电信运营商全网的整体流量分析 电信运营商路由器流量分析 电信运营商路由器端口流量分析 电信运营商业务流量分析（WWW/IPTV/P2P/I

16、Phone） 电信运营商大客户流量分析 电信运营商与其他互联运营商流量分析 电信运营商网络内部其它特定条件流量分析,33,数据分析报告,基于BPS和PPS 为目标分析对象提供数据报告 基于目标分析对象提供： IP层协议 业务以及应用 （TCP, UDP port numbers, ICMP type and IPv6）. AS distances and AS paths BGP ASN （peer, all and origin） BGP Community and prefix AS间穿越流量 内部和外部的热点信息源 Packet Size Qos Raw flow Etc.,34,灵活的

17、自定义过滤条件,路由器端口 协议/应用端口 IP地址段 cidr_blocks /24,/24 AS PATH（与Cisco路由器配置相同） asregexp (| )4134_(3257|3320|12956|28910|12365)( |$) Community community 3250 community 4134:3302 Peer match set peer_as 18245 组合条件（与/或/非） community 4:20 and aspath _22400_ 源/目的 dst net /24,3

18、5,系统报表,支持实时/平均/最大值/PCT95流量查询 三年任意时间段流量查询 支持折线图/饼图/柱状图 能够按照入/出/总流量等多种方式排序 支持EXCEL/CSV/XML/PDF等方式下载报表,36,“High light” Feature & Function,支持路由表更新及稳定性查询 路由器端口自动分级，减轻操作人员的工作量 支持端口流量准确性比率查询 混合业务应用端口绑定（TCPUDP ） 允许用户自定义登录缺省菜单 支持MPLS/IPv6/QOS Etc.,37,MPLS,Traditional NetFlow for IP to MPLS traffic,PE,P,PE,MP

19、LS 流量 业务类型统计,Traffic Flow,IP,IP,Egress MPLS NetFlow Accounting for MPLS to IP traffic,MPLS Aware NetFlow (version 9),业界唯一支持MPLS的厂家,38,支持多类型QOS分析,Business Benefits to IDC,Lower Total Cost of Ownership (TCO) Expensive to manage multiple products. Reduction in overall capital expenditures and training

20、costs. Offer “clean pipes” to all customers Detect and stop attacks that affect all customers from the smallest T1/E1 customers to the largest enterprises. Reduce operational costs for customers who suffer outages from attacks. Increase customer satisfaction and reduce customer churn Address hotspot

21、s on all circuits before they affect business services. Reduce SLA credits because of outages. Roll out new differentiated managed services Differentiate DDoS Protection and MPLS VPN services for customers. Create new revenue streams.,Peakflow SP CP Deployment,Peering Edge & Backbone Visibility,Broa

22、dband Edge,IDC,Provider C,Backbone,Provider B,Provider A,Peering Edge,CP-CP Comm.,CP Device,Multiple Value Propositions Traffic & Routing Analysis Traffic Engineering Reduce Transit Expense Inter-Provider Problem Tracking & Resolution Managed Service Enabler,Customer: T-Com, a division of Deutsche T

23、elekom (DT) Description: DT was hosting the 2006 World Cup on: FIFA DT & T-Com were existing Peakflow SP customers. (products deployed on peering edge and backbones) Concerned with detection of network attacks originating from within their network. (customer-to-customer attacks) T-COM Partnered with

24、 Arbor: Deployed Peakflow SP Flow Sensor products closer to customer edge. ASERT trained members of T-Com CERT on botnet detection and mitigation using Peakflow SP solution. Results: No major disruptions of World Cup websites or DT brand.,Peakflow Win Case,42,Arbor Peakflow SP CP 异常检测,议程,43,Peakflow

25、 SP IS工作原理,Detect: Peakflow DoS Collectors create and forward unique anomaly fingerprints to Peakflow DoS Controllers.,Trace: Peakflow DoS Controllers then quickly trace the attack to its source.,Filter: Peakflow DoS Controller recommends filters (X), which the network engineer can implement to stop

26、 the attack before it brings down key routers, firewalls and IDS solutions, or the entire network.,Collector,Collector,Controller,Customer Site: Web Servers DNS Servers Database Servers,Firewall,IDS,Service Provider A,Service Provider C,Service Provider B,44,运营商所关心的异常流量类型,电信运营商所关注的异常流量对基础网络的影响主要体现在两

27、个方面： 占用带宽资源使网络拥塞，造成网络丢包、时延增大，严重时可导致网络不可用； 占用网络设备系统资源（CPU、内存等），使网络不能提供正常的服务。,45,运营商所关心的异常流量类型,拒绝服务攻击（DoS） 分布式拒绝服务攻击（DDoS） 网络蠕虫病毒（Worm） 其他类型异常流量,46,Peakflow SP IS 监测机制,Peakflow SP IS通过以下三种异常类型对网络中的异常流量行为进行监测: Profiled Anomalies deviations from normal traffic levels on the network（基线检测） Misuse Anomalie

28、s Traffic towards specific hosts that exceed what should normally be seen on a network（服务滥用检测） Fingerprint Anomalies Traffic that fits a user specified signature（指纹技术检测） Fingerprint Sharing,ATF（Active Threats Feed） 活跃威胁供给数据库,47,Worm Signatures - Infected Hosts,选择蠕虫类型,感染主机列表,48,深入分析,严重程度 起/止时间 持续时间 异

29、常类型 出/入网方向 源/目的地址 协议号 源/目的端口,TCP flag 信息 包大小 攻击入/出的设备端口 影响的网络设备 攻击流量的统计图 平均速率 最大速率等信息,Peakflow SP IS 基于每一条“异常”能够提供：,49,异常及攻击分类,50,深入分析,51,攻击缓解方法,访问控制列表(Access Control List Entries)： 根据不同的威胁， 这些ACLs 能被用于网络范围里任何节点上， 从对小型攻击来讲用户汇聚的路由器，到针对路由基础设施攻击的对等路由器接口。 速率限制： 针对在某些网络节点上相对于攻击不变量关系的流量组别的速率限制。 Blackhole：

30、 在网络的具体节点上注入无效路由把目的IP 地址或者源IP 地址流量转移到“黑洞”里。 与第三方智能过滤设备相配合 ,52,Enterprise A,Enterprise C,与智能过滤设备配合,Peering Point,Core Router,POP,Hardware Filtering Cluster,4 Identify and filter the malicious,Arbor Peakflow,Arbor Peakflow,POP,Peering Point,Core Router,Enterprise B Targeted,53,查询,54,Peakflow SP IS的功能优

31、势,智能自动监测整个网络（建立动态基线）。 对用户关心特殊区域及流量进行重点监测。 利用Fingerprint技术，抓出典型异常流量行为，节省系统资源。 发现、检测网络内部异常流量以及攻击，准确定位攻击源头，减轻异常流量对网络的影响。 智能的异常流量网络管理平台。,对所有已知的或未知的攻击和病毒 均能准确的进行捕捉,55,议程,Arbor Peakflow SP TMS 流量清洗,56,整合流量清洗的需求,深层分析应基于包分析技术 适合复杂的网络环境，并提供丰富的应用层流量分析报告 监测和防范日益增长的网络威胁 提供和基础网络的无缝连接，易于部署 更好的为维护部门提供可靠的数据依据 提供基于业务流量的控制功能 能够对异常流量进行深层过滤,57,Peakflow SP TMS（ Threat Management