Μελέτη πρωτοκόλλου IPFIX και προσομοίωσή του με τη χρήση OPNET

Δάβρη, Ελένη-Κωνσταντίνα

20 October 2010

Ο σκοπός της διπλωματικής εργασίας ήταν η ανάπτυξη εφαρμογής για την προσομοίωση, με χρήση του προγράμματος προσομοίωσης OPNET της λειτουργίας του πρωτοκόλλου IPFIX που χρησιμοποιείται για τη συλλογή και την προώθηση δικτυακών δεδομένων στους σταθμούς διαχείρισης του δικτύου. Το πρωτόκολλο αυτό βοηθάει τους διαχειριστές του δικτύου να παρακολουθήσουν «monitoring» την ροή των δεδομένων εντός του δικτύου. Το πρώτο μέρος της εργασίας περιέχει την μελέτη και την ανάλυση της λειτουργίας του πρωτοκόλλου αυτού σε θεωρητικό επίπεδο με σκοπό την κατανόηση της ανάγκης ύπαρξης ενός ομοιόμορφου προτύπου για την εξαγωγή πληροφοριών από δικτυακές συσκευές. Ταυτόχρονα γίνεται εκτενής αναφορά στο διαδεδομένο Netflow της εταιρείας Cisco πάνω στο οποίο είναι βασισμένο το Πρωτόκολλο Εξαγωγής Πληροφοριών Ροής Ipfix. Στο δεύτερο μέρος της διπλωματικής παρατίθεται η ανάπτυξη ενός δικτύου με σκοπό να επεξηγήσουμε τον τρόπο με τον οποίο παρατηρούνται τα δεδομένα μέσα σε αυτό. Η εκτέλεση της εφαρμογής για διαφορετικά είδη κίνησης και διαφορετική ένταση κίνησης ή και για διαφορετικό τρόπο συλλογής των δεδομένων στο OPNET επιτρέπει την εξαγωγή χρήσιμων συμπερασμάτων για το κόστος και την επίδοση του πρωτοκόλλου. / The goal of this diploma thesis is the development of an application in order to simulate the function of the IPFIX Protocol, which is used to collect and transmit network data to the network management stations. For this purpose OPNET (Optimized Network Engineering Tools) was used. Briefly, IPFIX helps network managers to monitor the flow of data within the network. Throughout the first part of this dissertation emphasis is given to the study and analysis of the protocol in theory, and this way the need for a protocol that is in charge of extracting information out of network devices is underlined. In addition, extensive coverage of the widespread Cisco Netflow protocol has been made since IPFIX is based on it. Throughout the second part of this dissertation a network is presented in order to explain the way data is observed within it. The execution of the application for different, kinds of traffic, traffic intensity and ways of collecting data, using OPNET, enables us to export useful conclusions considering cost and performance of the protocol.

Διαχείριση δικτύων

004.62

IPFIX

Network management

Detekce těžení kryptoměn pomocí analýzy dat o IP tocích / Detection of Cryptocurrency Miners Based on IP Flow Analysis

Šabík, Erik

January 2017

This master’s thesis describes the general information about cryptocurrencies, what principles are used in the process of creation of new coins and why mining cryptocurrencies can be malicious. Further, it discusses what is an IP flow, and how to monitor networks by monitoring network traffic using IP flows. It describes the Nemea framework that is used to build comprehensive system for detecting malicious traffic. It explains how the network data with communications of the cryptocurrencies mining process were obtained and then provides an analysis of this data. Based on this analysis a proposal is created for methods capable of detecting mining cryptocurrencies by using IP flows records. Finally, proposed detection method was evaluated on various networks and the results are further described.

Interaktivní webové rozhraní pro zobrazení ip flow dat / Interactive Web Interface for IP Flow Data

Salač, Radek

January 2012

This thesis describes development of application for analyzing IP flow data.    The author conducts relative comparison of already existing protocols and tools and studies theirs pro's and con's.    Based on this comparison and features requested by users,    author develops his own application primarly focused on interactive and user-friendly interface for working with IP flow data.

Monitorování a účtování spojení v sítích IMS / Session Monitoring and Accounting in IMS Networks

Karpíšek, Filip

January 2015

This thesis describes protocols used in IP Multimedia Subsystem (IMS) networks. Freely available implementations of IMS system are described. The main goal is to describe design and implementation of a tool for analyzing communication between users and IMS system. The tool seeks and decodes signaling messages. These messages are analyzed for information about sessions which are necessary for session monitoring and accounting. Final gathered information are exported in a form of extended NetFlow/IPFIX records. We used open-source Open IMS Core implementation for building IMS network and creating test data. As endpoints we used another open-source application for Android OS called IMSDroid.

Návrh architektury sondy pro monitorování síťových toků / Design of Probe for Flow Based Monitoring

Soľanka, Lukáš

Unknown Date

This thesis deals with design and implementation of a flow based monitoring probe. The monitoring task performed by the probe is divided into hardware layer, which is capable of measurement at high packet rates, and software layer, which provides large memory for flow storage. Analysis done in the work shows that this concept offers many advantages when compared to software based flow monitoring applications. The probe is designed to be used with a hardware accelerator card and offers high flexibility and performance by a way of user defined monitoring process. The designed system has been implemented and thoroughly tested and is ready for deployment for tasks such as  operational monitoring, network traffic classification, anomalies and attacks detection and many others.

Bezpečnostní analýza síťového provozu / Security inspection of network traffic

Kult, Viktor

January 2017

Thesis topic concerns the issue of information security in corporate environments. Literature search includes information obtained by studying articles and literature in the field of information security. Resources were selected with a focus on the security risks, security technologies and legislative regulation. Attention is focused on technology that supports monitoring of communication flows in the data network. Overview of traffic operating a data network provides important information for the prevention or investigation of security incidents. Monitoring also serves as a source of information for the planning of the network infrastructure. It can detect faults or insufficient transmission capacity. The practical part is dedicated to implementation of the monitoring system in the real corporate networks. Part of the experience is the analysis of the network structure and choice of appropriate tools for actual implementation. When selecting tools, you can use the scoring method of multicriterial analysis options. The integration of the monitoring system is also the configuration of active network elements. Subsequent analysis of network traffic provides information about the most active users, most used applications or on the sources and targets of data transmitted. It provides a source of valuable information that can be used in case of failure on the network or security incident. The conclusion is a summary of the results and workflow.

Efektivní detekce síťových anomálií s využitím DNS dat / Effective Network Anomaly Detection Using DNS Data

Fomiczew, Jiří

January 2015

This thesis describes the design and implementation of system for effective detection of network anomaly using DNS data. Effective detection is accomplished by combination and cooperation of detectors and detection techniques. Flow data in NetFlow and IPFIX formats are used as input for detection. Also packets in pcap format can be used. Main focus is put on detection of DNS tunneling. Thesis also describes Domain Name System (DNS) and anomalies associated with DNS.

Aplikační rozhraní pro práci s netflow daty / Netflow Data Application Interface

Šoltés, Miroslav

January 2013

This diploma thesis deals with design and implementation of NetFlow data manipulation tool. It contains analysis of IP Flow network monitoring, description of nfdump tool and format of Netflow v9 records saved by nfdump. The focus of this application interface lies in effective manipulation with NetFlow records.

Distribuované zpracování dat o IP tocích / Distributed Processing of IP flow Data

Krobot, Pavel

January 2015

This thesis deals with the subject of distributed processing of IP flow. Main goal is to provide an implementation of a software collector which allows storing and processing huge amount of a network data in particular. There was studied an open-source implementation of a framework for the distributed processing of large data sets called Hadoop, which is based on MapReduce paradigm. There were made some experiments with this system which provided the comparison with the current systems and shown weaknesses of this framework. Based on this knowledge there was created a specification and scheme for an extension of current software collector within this work. In terms of the created scheme there was created an implementation of query framework for formed collector, which is considered as most critical in the field of distributed processing of IP flow data. Results of experiments with created implementation show significant performance growth and ability of linear scalability with some types of queries.

Účtování uživatelů v sítích nové generace / User accounting in next generation networks

Grégr, Matěj

January 2016

Velikost sítě Internet dosáhla takového rozměru, že globálně jednoznačná adresace všech připojených zařízení již není možná při zachování současné architektury TCP/IPv4. Tímto problémem se začalo zabývat již v 90. letech a od té doby bylo představeno několik návrhů nových architektur a síťových protokolů, které mají či měly ambice omezení adresace vyřešit. V současné době, v roce 2016, je jediným globálně nasazovaným řešením problému adresace protokol IPv6. Tento protokol zvětšuje velikosti síťové adresy čímž umožňuje adresovat téměř libovolné množství zařízení, ovšem za cenu nekompatibility se současným protokolem IPv4. Rozdílně se také staví ke způsobu automatické konfigurace koncových zařízení, proměnlivé velikosti síťové hlavičky a omezení nekompatibility řeší různými přechodovými mechanismy. Tato práce diskutuje dopady, které tyto změny mají na oblast monitorování a účtování uživatelů. Zejména změny způsobu konfigurace adresy vyžadují jiný přístup než v současných monitorovacích systémech, které ukládají pouze metadata o síťové komunikace pomocí protokolu NetFlow/IPFIX. Práce je zaměřena primárně na vyřešení problému účtování uživatelů v sítích kde jsou souběžně nasazeny protokoly IPv4 i IPv6, použity tunelovací přechodové mechanismy nebo překlad adres. Část práce je za- měřena na měření globálního vývoje a nasazení protokolu IPv6 mezi koncovými poskytovateli internetového připojení, poskytovateli obsahu a páteřními operátory.