23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

Speakers
Arien Vijn
Schedule
Day 3
Room Saal 3
Start time 14:00
Duration 01:00
Info
ID 1640
Event type Lecture
Track Hacking
Language English
Feedback

A 10GE monitoring system

Hacking a 10 Gigabit Intrusion detection and prevention system into a network troubleshooting tool.

Capturing network packets is a valuable technique for troubleshooting network problems. Capturing at network speeds less, or up to one gigabit per second is feasible with a fast general purpose computer hardware.

But that hardware is to slow for Ten gigabit per second ethernet (10GE). Hence, special hardware is required.

This topic describes the modification of a commercially available 10GE networks security system, into a network analyser.

Who can you trust? - Nobody, when it come to trouble-shooting network issues at an internet exchange point. An Internet Exchange (IX) operates by definition in-between different network providers. These providers are often competitors, each with their cultural and technical differences.

Troubleshooting network issues at an IX involves at least three parties. Namely, the internet exchange operator and two or more ISPs. Each with its own systems, knowhow, procedures and culture. Such an environment is very different from networks were operators have control over the network components.

Therefore an internet exchange operator must be able to identify and isolate network problems, without relying too much on the other parties involved, while the exchange stays in full operation. For this, the technique of passive monitoring - watching the traffic as it passes by - has proven to be extremely valuable.

Passive monitoring for speeds less than 1 Gbps is possible with a fast general purpose computer and generic NICs. Numerous open source applications have been made for this. Ten gigabit per second ethernet (10GE) is another game. Special hardware is required to achieve that.

The Amsterdam Internet Exchange (AMS-IX) modified Force10's P10 system to monitor 10GE connections. This system was originally designed for security applications at 10GE wire speeds. But since it is build around programmable logic, it is possible to adapt it to a useful trouble-shooting tool. Such a tool has the following features:

  • Ad-hoc filtering on the ethernet layer, IDS applies to the higher network layers.
  • Programmable counters, it is not always needed to grep the frames. Counting events is often just as useful.
  • Sampling, the possibility to randeomly grep frames for analysis. Useful when the exact nature of the issue is unknown.
  • Triggering and filtering on checksums. IDS system only filters on patterns.
  • Triggering and a history buffer, the possibility to capture frames transmitted before and after a certain condition was met.
Not all features have been realized at this moment. But there is enough to compile an interesting presentation on what has been achieved. How that is done and the design for the missing features. Lecture and paper consists of three parts, namely: 1. Introduction to the role of an internet exchange (IX). This will not be marketing for AMS-IX. It is needed to place things into context. 2. The problem to be solved. This can be clarified with some real life examples in the lecture. 3. The chosen solution for that problem. Consisting of the Force10's P10 IDS/IPS card with modified firmware in combination with photonic cross connects (all optical switches). This will be the main part of both lecture and paper.