Network Security Monitoring with Flow Data Anomaly Detection & DDoS Protection Pavel Minařík, Chief Technology Officer


Page 1

Network Security Monitoring with Flow Data: Anomaly Detection & DDoS Protection

Pavel Minařík, Chief Technology Officer

Page 2

What is Flow Data?

Modern network telemetry data, supported by many vendors

Cisco standard NetFlow v5/v9, IETF standard IPFIX

Focused on L3/L4 information and volumetric parameters

Reduction ratio from real network traffic to flow statistics: 500:1

Diagram: flow data
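To make the "L3/L4 information and volumetric parameters" of a flow record concrete, here is an added example (not code from the slides, Flowmon or Cisco) that decodes a constructed NetFlow v5 export datagram with Python's standard library. The field layout follows Cisco's published v5 format; the addresses, AS numbers, counters and timestamps in the sample datagram are invented. It also shows the check a collector needs at its UDP listener: the record count announced in the header is validated against the real datagram length before any record is read.

```python
"""Minimal NetFlow v5 decoder (added example; constructed, not Flowmon's or Cisco's code).
Shows which L3/L4 fields a flow record carries and why a collector must validate the
record count announced in the header before trusting it."""
import socket
import struct
from dataclasses import dataclass

HEADER_FMT = "!HHIIIIBBH"                 # version, count, sys_uptime, unix_secs, unix_nsecs,
                                          # flow_sequence, engine_type, engine_id, sampling (24 B)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # one v5 flow record (48 B)
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30                          # a v5 datagram carries at most 30 records


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: int       # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int
    tcp_flags: int   # OR of all TCP flags seen in the flow
    packets: int
    octets: int


def parse_netflow_v5(datagram: bytes) -> list[FlowRecord]:
    """Decode one NetFlow v5 export datagram into flow records."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Never trust the announced count blindly: check it against the real length.
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header announces {count} records, datagram too short")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  proto, sport, dport, flags, pkts, octets))
    return records


def _record(src, dst, proto, sport, dport, flags, pkts, octets) -> bytes:
    """Pack one constructed v5 record (helper for the sample datagram)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 2000,
                       sport, dport, 0, flags, proto, 0, 64500, 64501, 24, 24, 0)


def build_sample_datagram() -> bytes:
    """A constructed two-record export: one HTTPS session and one DNS query."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1591401600, 0, 1, 0, 0, 0)
    return (header
            + _record("10.0.0.5", "198.51.100.7", 6, 51234, 443, 0x1b, 12, 4_800)
            + _record("10.0.0.5", "198.51.100.53", 17, 40000, 53, 0, 1, 74))


if __name__ == "__main__":
    for r in parse_netflow_v5(build_sample_datagram()):
        print(r)
```

The 48-byte record that summarises the 4,800-byte HTTPS session illustrates where the reduction ratio on the slide comes from: the collector keeps addresses, ports, protocol, flags and counters, never payload.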

Page 3

Flow-Based Traffic Analysis

Network as a sensor (and enforcer) concept: blogs.cisco.com/enterprise/the-network-as-a-security-sensor-and-enforcer

Bridges the gap left by signature-based security

Key technology for incident response

Designed for multi 10G environment

Statistical analysis: volumetric DDoS detection

Advanced data analysis algorithms: detection of non-volumetric anomalies

Diagram: DDoS / Anomaly detection

Page 4

DDoS Protection on Backbone

Backbone perimeter specifics:

Multiple peering points – routers & uplinks

Large transport capacity – tens of gigabits easily

In-line protection is close to impossible!

Flow-based detection and out-of-path mitigation:

Easy and cost efficient to deploy in backbone/ISP

Prevents volumetric DDoS from reaching the enterprise perimeter

Diagram: flow export, then 1. Flow collection, 2. DDoS detection, 3. Routing control, 4. Mitigation control

Page 5

Out-of-Path Mitigation

Diagram: Internet, Service Provider Core, Protected Object 1 (e.g. Data Center, Organization, Service etc.) and Protected Object 2. Flow data collection with learning baselines; anomaly detection triggers mitigation enforcement. Traffic diversion via BGP route injection sends the attack path through a scrubbing center while the clean path continues to the protected object. Dynamic protection policy deployment includes baselines and attack characteristics.

Page 6

BGP Flowspec Mitigation

Diagram: Internet, Service Provider Core, Protected Object 1 (e.g. Data Center, Organization, Service etc.) and Protected Object 2. Flow data collection with learning baselines; anomaly detection triggers mitigation enforcement.

Sending a specific route advertisement via BGP FlowSpec

Dynamic signature: Dst IP: 1.1.1.1/32, Dst Port: 135, Protocol IP: 17 (UDP), action: Discard

Dropped traffic for Dst IP: 1.1.1.1/32, Dst Port: 135, Protocol IP: 17 (UDP)
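The pipeline on pages 4 to 6 (flow collection, baseline learning, volumetric DDoS detection, then mitigation through a BGP Flowspec rule built from the attack characteristics) can be shown end to end in one script. The following is an added example, not Flowmon's detection engine or any router's Flowspec syntax: the EWMA baseline, the thresholds, the per-minute byte counts and the attack flows are all constructed, and the protected addresses use the 198.51.100.0/24 documentation range instead of the 1.1.1.1 from the slide. The rule rendering lists the RFC 5575 match components (destination prefix, IP protocol, destination port) and a discard action in an illustrative text form.

```python
"""Volumetric DDoS detection on per-interval flow aggregates plus BGP Flowspec rule
generation. Added example with constructed traffic; not Flowmon's code."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: int      # IP protocol number, 17 = UDP
    dst_port: int
    octets: int


class AdaptiveBaseline:
    """EWMA mean and variance of bytes per interval for one protected object.

    An interval is anomalous when it exceeds mean + k*sigma AND an absolute floor;
    the floor keeps normal jitter on a quiet baseline from raising alarms, and the
    baseline is not updated from anomalous intervals so an attack cannot poison it."""

    def __init__(self, alpha=0.3, k=4.0, floor=100_000_000, warmup=5):
        self.alpha, self.k, self.floor, self.warmup = alpha, k, floor, warmup
        self.mean = 0.0
        self.var = 0.0
        self.n = 0

    def threshold(self) -> float:
        return max(self.floor, self.mean + self.k * math.sqrt(self.var))

    def observe(self, x: int) -> bool:
        """Return True if x is anomalous; otherwise learn from it."""
        if self.n >= self.warmup and x > self.threshold():
            return True
        if self.n == 0:
            self.mean = float(x)
        else:
            d = x - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.n += 1
        return False


def characterize(flows, share=0.8):
    """Dominant (dst_ip, proto, dst_port) triple of an anomalous interval, or None
    when no single triple carries at least `share` of the bytes (then a narrow
    Flowspec rule would not stop the attack and a scrubbing diversion fits better)."""
    total = sum(f.octets for f in flows)
    by_key = defaultdict(int)
    for f in flows:
        by_key[(f.dst_ip, f.proto, f.dst_port)] += f.octets
    key, octets = max(by_key.items(), key=lambda kv: kv[1])
    return key if total and octets / total >= share else None


def flowspec_rule(key) -> dict:
    """Narrowest rule matching the attack: host prefix, protocol and port, discard."""
    dst_ip, proto, dport = key
    return {"destination": f"{dst_ip}/32", "protocol": proto,
            "destination-port": dport, "action": "discard"}


def render_rule(rule: dict) -> str:
    """Illustrative textual form of the rule's RFC 5575 components (not a real daemon's syntax)."""
    return (f"match destination {rule['destination']} protocol {rule['protocol']} "
            f"destination-port {rule['destination-port']} then {rule['action']}")


def detect_and_mitigate(normal_bytes, interval_flows):
    """Learn the baseline from past intervals, judge the current one, emit a rule or None."""
    baseline = AdaptiveBaseline()
    for b in normal_bytes:
        baseline.observe(b)
    current = sum(f.octets for f in interval_flows)
    if not baseline.observe(current):
        return None
    key = characterize(interval_flows)
    return flowspec_rule(key) if key else None


# constructed history: bytes per minute towards 198.51.100.0/24 on eight quiet minutes
NORMAL_BYTES = [12_000_000, 11_500_000, 13_000_000, 12_400_000, 11_800_000,
                12_900_000, 12_200_000, 11_900_000]

# constructed attack minute: ~3 GB of UDP to port 135 on one host plus a little real traffic
ATTACK_FLOWS = (
    [Flow("198.51.100.7", 17, 135, 1_500_000) for _ in range(2000)]
    + [Flow("198.51.100.7", 6, 443, 40_000) for _ in range(50)]
    + [Flow("198.51.100.9", 6, 443, 100_000) for _ in range(20)]
)

if __name__ == "__main__":
    rule = detect_and_mitigate(NORMAL_BYTES, ATTACK_FLOWS)
    print(render_rule(rule) if rule else "no anomaly")
```

The rule carries all three match components on purpose: a rule on the destination prefix alone would also discard the legitimate HTTPS flows to the same host, which is the collateral damage the "dynamic signature" on the slide avoids.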

Page 7

Anomaly Detection on Backbone

Anomaly Detection:

Machine Learning

Adaptive Baselining

Heuristics

Behavior Patterns

Reputation Databases

Page 8

Sample Anomaly Detection Report

Focus on Indicators of Compromise

Provided by ISP to Enterprise Customers
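Pages 7 and 8 list heuristics, behavior patterns and reputation databases as the inputs for detecting non-volumetric anomalies and reporting them as indicators of compromise. The following added example (constructed, not Flowmon's detection logic or its report format) runs two such detectors over a constructed set of flow records: a horizontal-scan heuristic based on the behavior pattern "one source, many destinations, single-packet SYN-only flows", and a reputation lookup against a small invented blocklist. The output is a list of IoC-style findings of the kind an ISP could hand to an enterprise customer.

```python
"""Heuristic and reputation-based detection of non-volumetric anomalies in flow
records, producing IoC-style findings. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: int
    packets: int
    octets: int
    tcp_flags: int   # OR of all TCP flags seen in the flow


SYN = 0x02
ACK = 0x10

# constructed reputation database (documentation-range address, invented entry)
REPUTATION = {"203.0.113.66": "listed command-and-control address (constructed entry)"}


def detect_scanners(flows, min_targets=20):
    """Horizontal scan heuristic: a source that opens SYN-only, one-or-two-packet
    TCP flows to many distinct destinations on the same port."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= 2 and f.tcp_flags & SYN and not f.tcp_flags & ACK:
            targets[(f.src_ip, f.dst_port)].add(f.dst_ip)
    return [{"type": "scan", "src": src, "dst_port": port, "targets": len(hosts)}
            for (src, port), hosts in targets.items() if len(hosts) >= min_targets]


def detect_reputation_hits(flows, reputation=REPUTATION):
    """Any traffic, in either direction, between an internal host and a listed peer."""
    hits = defaultdict(int)
    for f in flows:
        for peer, host in ((f.src_ip, f.dst_ip), (f.dst_ip, f.src_ip)):
            if peer in reputation:
                hits[(host, peer)] += f.octets
    return [{"type": "reputation", "host": host, "peer": peer,
             "reason": reputation[peer], "octets": octets}
            for (host, peer), octets in hits.items()]


def build_report(flows):
    """Combined list of indicators of compromise for one reporting period."""
    return detect_scanners(flows) + detect_reputation_hits(flows)


SAMPLE_FLOWS = (
    # constructed SMB scan: one source, 30 destinations, a single SYN each, no reply seen
    [Flow("10.0.0.23", f"10.0.1.{i}", 6, 445, 1, 60, SYN) for i in range(1, 31)]
    # constructed ordinary web sessions: full handshakes (SYN|ACK|PSH|FIN) and real payload
    + [Flow("10.0.0.5", "198.51.100.7", 6, 443, 40, 31_000, 0x1b) for _ in range(10)]
    # constructed small, repeated sessions from one host to the listed address
    + [Flow("10.0.0.40", "203.0.113.66", 6, 443, 8, 900, 0x1b) for _ in range(6)]
)

if __name__ == "__main__":
    for finding in build_report(SAMPLE_FLOWS):
        print(finding)
```

Both detectors work on the L3/L4 fields a flow record carries and nothing else; the scan heuristic depends on the exporter recording cumulative TCP flags, which NetFlow v5 and IPFIX templates with the tcpControlBits element provide.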

Page 9

Flowmon Networks a.s., Sochorova 3232/34, 616 00 Brno, Czech Republic, www.flowmon.com

Thank you

Performance monitoring, visibility and security with a single solution

Pavel Minařík, Chief Technology Officer

[email protected], +420 733 713 703