23C3 - 1.5
23rd Chaos Communication Congress
Who can you trust?
| Speakers | |
|---|---|
|
Arien Vijn |
| Schedule | |
|---|---|
| Day | 3 |
| Room | Saal 3 |
| Start time | 14:00 |
| Duration | 01:00 |
| Info | |
| ID | 1640 |
| Event type | Lecture |
| Track | Hacking |
| Language | English |
| Feedback | |
|---|---|
|
Did you attend this event? Give Feedback |
A 10GE monitoring system
Hacking a 10 Gigabit Intrusion detection and prevention system into a network troubleshooting tool.
Capturing network packets is a valuable technique for troubleshooting network problems. Capturing at network speeds less, or up to one gigabit per second is feasible with a fast general purpose computer hardware.
But that hardware is to slow for Ten gigabit per second ethernet (10GE). Hence, special hardware is required.
This topic describes the modification of a commercially available 10GE networks security system, into a network analyser.
Who can you trust? - Nobody, when it come to trouble-shooting network issues at an internet exchange point. An Internet Exchange (IX) operates by definition in-between different network providers. These providers are often competitors, each with their cultural and technical differences.
Troubleshooting network issues at an IX involves at least three parties. Namely, the internet exchange operator and two or more ISPs. Each with its own systems, knowhow, procedures and culture. Such an environment is very different from networks were operators have control over the network components.
Therefore an internet exchange operator must be able to identify and isolate network problems, without relying too much on the other parties involved, while the exchange stays in full operation. For this, the technique of passive monitoring - watching the traffic as it passes by - has proven to be extremely valuable.
Passive monitoring for speeds less than 1 Gbps is possible with a fast general purpose computer and generic NICs. Numerous open source applications have been made for this. Ten gigabit per second ethernet (10GE) is another game. Special hardware is required to achieve that.
The Amsterdam Internet Exchange (AMS-IX) modified Force10's P10 system to monitor 10GE connections. This system was originally designed for security applications at 10GE wire speeds. But since it is build around programmable logic, it is possible to adapt it to a useful trouble-shooting tool. Such a tool has the following features:
- Ad-hoc filtering on the ethernet layer, IDS applies to the higher network layers.
- Programmable counters, it is not always needed to grep the frames. Counting events is often just as useful.
- Sampling, the possibility to randeomly grep frames for analysis. Useful when the exact nature of the issue is unknown.
- Triggering and filtering on checksums. IDS system only filters on patterns.
- Triggering and a history buffer, the possibility to capture frames transmitted before and after a certain condition was met.