2006.02.14 talk 3 Flamingo netflow visualization

Manish (from the BGP Inspect project at Merit)
bgpinspect.merit.edu:8080

He'll apparently also be talking later at the
Tools BOF.

Introduction: What is Flamingo?
Visualization
The Flamingo Tool
 combining visualizations with controls
Case Studies
 traffic anomaly
 network scans
 worm traffic
 P2P traffic
 the slashdot effect.


The tool has been under development for a year;
John (in the audience) and Mike (now employed) have
been working on it as undergrads.

It's just a view into netflow: no filtering or
adjustment of the data, just a visualization
system.
Client/server architecture; a single server can
support multiple clients.

Visualization methods
5 different views
extended quad tree implementation
 volume by src/dst IP prefix
 volume by src/dst AS

Basic quad tree
Represent a 32-bit IP address in a fixed 2D space:
split the square into 4 quadrants, which 2 bits can
select. Keep splitting 16 times (2 bits per split)
and every 32-bit address maps to a point in 2D.

Extend it to 3 dimensions and the extra axis is
free to carry additional information.

So the base plane is the quad tree and the Z axis
is volume of traffic, so you can see relative
volumes at a glance.

Nice slide showing a visualization of the traffic
flow patterns.

Can also show traffic flows aggregated by src/dst
IP; now 2 surfaces of the cube are needed (one per
endpoint), and the thickness of the line drawn
between the surfaces shows the flow size between
ASes.

The last visualization incorporates port info as
well. Only one axis is left, so port-level info
goes on the Z axis: source IP/port is (X1,Y1,Z1),
and likewise for destination IP and port.
Once both coordinates exist, the line can be drawn
with its width scaled by volume, and the full
n-tuple is in one view.

The same colour is used for traffic from the same
source n-tuple.

2D and 3D representations of the data are combined
to help keep yourself oriented.

There are text representations of the same
information shown visually, in text form.
Slider bars threshold what gets displayed, to
prevent clutter: only flows over a certain size,
only certain ports, etc.

Labels can also be applied to pull information out
for fast reference.

You can also restrict the address space you care about
to only look at certain subnets.
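Worked example of the mapping described above, added to these notes and not Flamingo's own code: each 2-bit chunk of an IPv4 address (taken from the most significant end) picks one of four quadrants, so 16 splits place a host in a 65536 x 65536 square and fewer splits place it in the cell of its prefix. The assignment of the high bit of each pair to Y and the low bit to X is an assumption, as is the flow record layout; the flow records are constructed sample data. The helpers also model the threshold slider, the address-space restriction, and the (x, y, port) endpoints of the src/dst/port view.

```python
"""Quad-tree placement of IPv4 addresses for a netflow volume view.

Added illustration of the technique described in the talk; not Flamingo's
code. Bit-to-quadrant assignment and the flow record layout are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict


def quadtree_xy(addr: str, depth: int = 16) -> tuple[int, int]:
    """Map an IPv4 address to (x, y) with `depth` quadrant splits.

    depth=16 consumes all 32 bits (2 bits per split), placing a /32 host;
    depth=8 consumes 16 bits, so every host of a /16 lands in one cell.
    Taking bits from the most significant end keeps nearby prefixes in
    nearby cells.
    """
    n = int(ipaddress.IPv4Address(addr))
    x = y = 0
    for i in range(depth):
        shift = 32 - 2 * (i + 1)
        chunk = (n >> shift) & 0b11
        y = (y << 1) | (chunk >> 1)   # assumption: high bit picks top/bottom
        x = (x << 1) | (chunk & 1)    # assumption: low bit picks left/right
    return x, y


# Constructed sample flow records (RFC 5737 documentation addresses):
# (src, dst, sport, dport, proto, bytes)
FLOWS = [
    ("192.0.2.10",   "198.51.100.7", 40001, 1024, 17, 1200),
    ("192.0.2.10",   "198.51.100.7", 40002, 1025, 17, 1200),
    ("192.0.2.10",   "198.51.100.8", 40003, 1026, 17, 1200),
    ("192.0.2.20",   "203.0.113.5",  52000, 22,   6,  400),
    ("203.0.113.77", "192.0.2.20",   3333,  42,   6,  60),
    ("198.51.100.9", "192.0.2.20",   3334,  42,   6,  60),
]


def view_cells(flows, key="src", depth=8, within=None, min_bytes=0):
    """Sum bytes per quad-tree cell: the Z-axis height of the volume view.

    key       -- "src" or "dst": which end of the flow is plotted
    depth     -- 8 buckets by /16, 12 by /24, 16 by host
    within    -- optional CIDR; only addresses inside it are plotted
                 (the talk's restriction to certain subnets)
    min_bytes -- drop cells below this volume (the threshold slider)
    """
    net = ipaddress.ip_network(within) if within else None
    cells = defaultdict(int)
    for src, dst, _sport, _dport, _proto, nbytes in flows:
        addr = src if key == "src" else dst
        if net is not None and ipaddress.IPv4Address(addr) not in net:
            continue
        cells[quadtree_xy(addr, depth)] += nbytes
    return {c: v for c, v in cells.items() if v >= min_bytes}


def flow_line(flow, depth=16):
    """Endpoints of one flow in the src/dst/port view: (x, y) from the
    quad tree, z = port, plus the byte count that scales the line width."""
    src, dst, sport, dport, _proto, nbytes = flow
    x1, y1 = quadtree_xy(src, depth)
    x2, y2 = quadtree_xy(dst, depth)
    return (x1, y1, sport), (x2, y2, dport), nbytes


def fan_shape(flows, depth=16):
    """Per source: (distinct destination cells, distinct destination ports).

    Many cells at one port is the fan of a host scan; few cells at many
    ports is a port spray, like the Oct 2005 anomaly in the talk.
    """
    hosts = defaultdict(lambda: (set(), set()))
    for src, dst, _sport, dport, _proto, _b in flows:
        cells, ports = hosts[src]
        cells.add(quadtree_xy(dst, depth))
        ports.add(dport)
    return {s: (len(c), len(p)) for s, (c, p) in hosts.items()}


if __name__ == "__main__":
    print("src volume by /16 cell:", view_cells(FLOWS, "src", 8))
    print("above 100 bytes only:  ", view_cells(FLOWS, "src", 8, min_bytes=100))
    print("fan shape per source:  ", fan_shape(FLOWS))
```

The aggregation keys on the cell coordinates rather than on the prefix string, which is exactly what lets a /16 and a /24 view come from the same records with only `depth` changing; a renderer would take the dict as (x, y) -> height.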

Case study: traffic anomaly, Sunday Oct 16, 2005

Large burst of traffic from one host at umich,
lasting 6 hours (12pm to 6pm), to four targets,
not widely distributed; it was UDP traffic.
It was visible in the normal view: zoomed in on the
main view, the 4 million flows show as a huge block.
Going to the src/dst view lets you see where the
traffic is going, and adding the port info shows
the entire port space being sprayed.

Another case study: worm traffic doing port 42
scans; a fan shape on the graph, highly visible.

An artificial case study, a host scanning a /24
subnet

SSH scans also show up as many, many probes of a
single port; a reverse fan.

Slashdot effect on campus Oct 31 2004; have before
and during pictures showing the huge traffic swing.

Zotob worm infection: random destination IPs but
the same port, all from the same host; a cone
effect.

P2P traffic: a single host with multiple connections
to different destinations, significant volume to each.

Darkspace traffic visualizations show nothing but
scans, which show up really dramatically.

Conclusion
The Flamingo Visualization Tool provides users with
the ability to easily explore and extract meaningful
information regarding traffic flows in their network.

More will be discussed at the Tools BOF this afternoon.

http://flamingo.merit.edu/

Break now, come back at 10:50.  Someone left a jacket
at the Yahoo party with a digital camera; describe it
to the registration desk to get it back.