Building a Better NetFlow: Technical Report

Network operators need to determine the composition of the traffic mix on links when looking for dominant applications, users, or estimating traffic matrices. Cisco's NetFlow has evolved into a solution that satisfies this need by reporting flow records that summarize a sample of the traffic traversing the link. But sampled NetFlow has shortcomings that hinder the collection and analysis of traffic data. First, during flooding attacks router memory and network bandwidth consumed by flow records can increase beyond what is available; second, selecting the right static sampling rate is difficult because no single rate gives the right tradeoff of memory use versus accuracy for all traffic mixes; third, the heuristics routers use to decide when a flow is reported are a poor match to most applications that work with time bins; finally, it is impossible to estimate without bias the number of active flows for aggregates with non-TCP traffic. In this paper we propose Adaptive NetFlow, deployable through an update to router software, which addresses many shortcomings of NetFlow by dynamically adapting the sampling rate to achieve robustness without sacrificing accuracy. To enable counting of non-TCP flows, we propose an optional Flow Counting Extension that requires augmenting existing hardware at routers. Both our proposed solutions readily provide descriptions of the traffic of progressively smaller sizes. Transmitting these at progressively higher levels of reliability allows graceful degradation of the accuracy of traffic reports in response to network congestion on the reporting path.
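The abstract states that Adaptive NetFlow adapts the sampling rate to keep memory bounded during floods, but does not spell out the mechanism. The following simulation is an added illustration, not code from the paper or from Cisco, and assumes one plausible scheme: when the flow table exceeds its memory budget, the sampling probability is halved and every existing record is thinned so that it looks as if it had been sampled at the new rate from the start; the class, function names and traffic mix are constructed for this example.

```python
import random
from collections import defaultdict

class AdaptiveFlowTable:
    """Sampled flow table that halves its sampling rate when memory runs out."""

    def __init__(self, max_entries, initial_rate=1.0, seed=0):
        self.max_entries = max_entries
        self.rate = initial_rate          # current packet sampling probability
        self.table = defaultdict(int)     # flow key -> number of sampled packets
        self.rng = random.Random(seed)

    def _renormalize(self):
        """Halve the rate and thin every record so it matches the new rate."""
        old, self.rate = self.rate, self.rate / 2
        for key in list(self.table):
            # each previously sampled packet survives with probability new/old
            kept = sum(self.rng.random() < self.rate / old for _ in range(self.table[key]))
            if kept:
                self.table[key] = kept
            else:
                del self.table[key]       # record thinned to nothing: free the entry

    def process(self, key):
        """Account one packet of flow `key`; adapt if the table overflows."""
        if self.rng.random() >= self.rate:
            return                        # packet not sampled
        self.table[key] += 1
        while len(self.table) > self.max_entries:
            self._renormalize()

    def estimate(self, key):
        """Unbiased estimate of the flow's packet count: sampled count / rate."""
        return self.table.get(key, 0) / self.rate

    def estimated_total(self):
        return sum(self.table.values()) / self.rate

def flood_scenario(max_entries=200, seed=1):
    """Constructed mix: 20 legitimate 100-packet flows plus a flood of 5000
    one-packet flows with distinct keys, as spoofed-source floods produce."""
    packets = [("legit", i) for i in range(20) for _ in range(100)]
    packets += [("flood", j) for j in range(5000)]
    random.Random(seed).shuffle(packets)
    ft = AdaptiveFlowTable(max_entries, seed=seed)
    for key in packets:
        ft.process(key)
    return ft
```

Because each thinning step is independent of the earlier sampling decisions, every record ends up sampled at the final rate, so estimates stay unbiased while the table never holds more than `max_entries` flows after a packet is processed.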
