Network Traffic and Security Monitoring

Using ntopng

Luca Deri <[email protected]>

@lucaderi


© 2017 - ntop.org
 Outlook
• What are the main activities of ntop.org ?
• ntop’s view on network monitoring.
• From ntop to ntopng.
• ntopng architecture and design.
• ntopng as a flow collector
• Exploring system activities using ntopng
• Using ntopng.
• Advanced monitoring with ntopng.
• Future roadmap items.

2
© 2017 - ntop.org
 About ntop.org [1/2]
• ntop develops of open source network traffic
monitoring applications.
• ntop (circa 1998) is the first app we released and
it is a web-based network monitoring application.
• Today our products range from traffic monitoring,
high-speed packet processing, deep-packet
inspection, and IDS/IPS acceleration (snort and
suricata).

3
© 2017 - ntop.org
 About ntop.org [2/2]
• Our software is powering many commercial
products...

4
© 2017 - ntop.org
 ntop Goals
• Provide better, yet price effective, traffic
monitoring solution by enabling users to have
increased traffic visibility.
• Go beyond standard metrics and increase traffic
visibility by analysing key protocols in detail.
• Promote open-source software, while protecting
selected IPRs.
• All commercial ntop tools are available at no cost
for research and education.

5
© 2017 - ntop.org
 ntop’s Approach to Traffic Monitoring
• Ability to capture, process and (optionally)
transmit traffic at line rate, any packet size.
• Leverage on modern multi-core/NUMA
architectures in order to promote scalability.
• Use commodity hardware for producing
affordable, long-living (no vendor lock), scalable
(use new hardware by the time it is becoming
available) monitoring solutions.
• Use open-source to spread the software, and let
the community test it on unchartered places.
6
© 2017 - ntop.org
Motivation For Traffic Monitoring

If you can not measure it,

you can not improve it

Lord Kelvin

7
© 2017 - ntop.org
 What Happens in Our Network?
• Do we have control over our network?
• It’s not possible to imagine a healthy network
without a clear understanding of traffic flowing
on our network.
• Knowledge is the first step towards evaluation of
potential network security issues.
• Event correlation can provide us timely
information bout our network health.

8
© 2017 - ntop.org
 Packets Never Lie
• Packet analysis provide useful information for
understanding:
◦ Network traffic issues.
◦ Network usage not compliant with network policies
(note: firewalls cannot help here).
◦ Performances less than expected.
◦ Potential security flaws.
◦ Ongoing (latent) attacks.
◦ Data breach

9
© 2017 - ntop.org
 Before We Start: ntopng Installation
• Source code

https://github.com/ntop/ntopng


• Distributions

Ubuntu/Debian, FreeBSD…. (included in the distro)

OSX (brew)


• Binary Packages (nightly)


http://packages.ntop.org (Debian/Ubuntu/CentOS,
OSX, RaspberryPI/ARM)
10
© 2017 - ntop.org
 Some History
• In 1998, the original

ntop has been created.
• It was a C-based app

embedding a web server

able to capture traffic

and analyse it.
• Contrary to many tools available at that time,
ntop used a web GUI to report traffic activities.
• It is available for Unix and Windows under GPL.

11
© 2017 - ntop.org
 ntop Architecture

Cisco NetFlow
HTTP/HTTPS RRD
InMon sFlow

12
© 2017 - ntop.org
 ntopng Design Goals
• Clean separation between the monitoring engine
and the reporting facilities.
• Robust, crash-free engine (ntop was not really so).
• Platform scriptability for enabling extensions or
changes at runtime without restart.
• Realtime: most monitoring tools aggregate data (5
mins usually) and present it when it’s too late.
• Many new features including HTML 5-based
dynamic GUI, categorisation, DPI.

13
© 2017 - ntop.org
 ntopng Architecture
• Three different and self-contained components,
communicating with clean API calls.

HTTP
Lua-based Web Reports
Lua API Calls
Users
nDPI-based C++
Data Cache
Monitoring Engine
(Linux) Kernel PF_RING C API Calls

PF_RING Kernel Module Internet

and Drivers Traffic

14
© 2017 - ntop.org
 ntopng Monitoring Engine
• Coded in C++ and based the concept of flow
(set of packets with the same 6-tuple).
• Flows are inspected with a home-grown DPI-
library named nDPI aiming to discover the “real”
application protocol (no ports are used).
• Information is clustered per:
! (Capture) Network Device
! Flow
! Host

15
© 2017 - ntop.org
 Local vs Remote Hosts [1/2]
• ntopng keeps information in memory at different
level of accuracy in order to save resources for
hosts that are not “too relevant”.
• For this reason at startup hosts are divided in:
◦ Local hosts

The local host where ntopng is running as well the hosts
belonging to some “privileged” IPv4/v6 networks. These
hosts are very relevant and thus ntopng keep full statistics.
◦ Remote hosts

Non-local hosts for which we keep a minimum level of
detail.
16
© 2017 - ntop.org
 Local vs Remote Hosts [2/2]
• For local hosts (unless disabled via preferences)
are kept all L7 protocol statistics, as well basic
statistics (e.g. bytes/packets in/out).
• No persistent statistics are saved on disk.
• A system host is the host where ntopng is
running and it is automatically considered local as
well the networks of its ethernet interfaces.

17
© 2017 - ntop.org
 Information Lifecycle
• ntopng keeps in memory live information such as
flows and hosts statistics.
• As the memory cannot be infinite, periodically
non-recent information is harvested.
• Users can specify preferences for data purge:

18
© 2017 - ntop.org
 Packet Processing Journey
1.Packet capture: PF_RING (Linux) or libpcap.
2.Packet decoding: no IP traffic is accounted.
3.IPv4/v6 Traffic only:
• Map the packet to a 6-tuple flow and increment stats.
• Identify source/destination hosts and increment stats.
• Use nDPI to identify the flow application protocol
• UDP flows are identified in no more than 2 packets.
• TCP Flows can be identified in up to 15 packets in total,
otherwise the flow is marked as “Unknown”.
4.Move to the next packet.
19
© 2017 - ntop.org
 PF_RING [1/2]
• In 2004 we realised the the Linux kernel was not
efficient enough to fulfil our packet capture
requirements and thus we have written a in-
kernel circular buffer named PF_RING.
Application A Application Z

Outgoing Packets Userspace

mmap()
Kernel

Read
Socket Socket
Index
(ring) (ring)
Write
Index
PF_RING

Network
Adapter Incoming Packets

20
© 2017 - ntop.org
 PF_RING [2/2]
• It creates a straight path for incoming packets accessed from
user-space applications with memory mapping.
• No need to use custom network cards: any card is
supported.
• Transparent to applications: legacy applications need to be
recompiled in order to use it (pcap-over-PF_RING).
• Developers familiar with network applications can
immediately take advantage of it without having to learn
new APIs.
• Acceleration support for many popular open-source
applications including Wireshark, Suricata and Snort.
21
© 2017 - ntop.org
 Balancing Traffic with PF_RING
• At high speed on modern multi-core systems, it is a
good idea to improve the overall system
performance by balancing traffic across cores.
• PF_RING shares ingress
 Application Application Application Application

packets across multiple


consumer applications
 Clustered
PF_RING
Socket
Clustered
PF_RING
Socket
Clustered
PF_RING
Socket
Clustered
PF_RING
Socket

(e.g. ntopng) by hashing


them (tunnels are supported)

PF_RING

so that they are balanced to multiple consumer

applications via virtual PF_RING network interfaces.
22
© 2017 - ntop.org
Moving towards 10 Gbit and above [1/2]
• The original PF_RING is a good solution up to
3/5 Gbit but not above as the cost of packet copy
into the ring is overkilling. Application
• PF_RING ZC (Zero Copy) is

Application

an extension that allows packets
 Polling

DMA Userland
Kernel

to be received/transmitted
 Accelerated
Cards
in zero copy similar to what
 NIC
Memory

FPGA-accelerated cards (e.g.
 Map FPGA

Napatech) do in hardware. Device Driver

23
© 2017 - ntop.org
Moving towards 10 Gbit and above [2/2]
• In ZC a packet is put by the ingress NIC into a
shared memory buffer, and it hop across
applications (and VMs) by exchanging the buffer
pointer (packets don’t move).
• Thanks to this solution it is possible to create
arbitrary packet processing topologies at
multi-10 Gbit line rate using commodity
hardware x86 servers and adapters (ZC natively
supports Intel ethernet adapters).

24
© 2017 - ntop.org
PF_RING ZC Network Topologies [1/2]
PF_RING/pcap-
based Application
(e.g. ntopng)
Linux Zero Copy
Customer Customer Customer Customer
App App B App C App D
Balancer
PF_RING PF_RING PF_RING PF_RING
ZC ZC ZC ZC

Core 0 Core 1 Core 2 Core 3

Use Case:
1/10G
1/10G Load balancing across ntopng applications.
25
© 2017 - ntop.org
PF_RING ZC Network Topologies [2/2]
Linux Customer Customer
App B App C
Customer Customer
App PF_RING PF_RING App
ZC ZC
PF_RING PF_RING
ZC KVM KVM ZC

Core 0 Core 1 Core 2 Core 3

1/10G 1/10G
Use Case:
Application pipeline or run multiple apps (e.g. ntopng) in VMs to insulate them.
26
© 2017 - ntop.org
 PF_RING (ZC) and ntopng
• Using PF_RING (ZC) with ntopng has several
benefits:
◦ ntopng can scale to 10 Gbit and above by spawning
several ntopng instances each bound to a (few) core(s).
◦ It is possible to send the same packet to multiple apps.
For instance it is possible to send the same packet to
ntopng (for accounting purposes) and n2disk (ntop’s
application for dumping packet-to-disk at multi-10G)
and/or and IDS (e.g. Suricata and snort).

27
© 2017 - ntop.org
 The need for DPI in Monitoring [1/2]
• Limit traffic analysis at packet header level it is no
longer enough (nor cool).
• Network administrators want to know the real
protocol without relying on the port being used.
• Selected protocols can be “precisely
dissected” (e.g. HTTP) in order to extract
information, but on the rest of the traffic it is
necessary to tell network administrators what is
the protocol flowing in their network.

28
© 2017 - ntop.org
 The need for DPI in Monitoring [2/2]
• DPI (Deep Packet Inspection) is a technique for inspecting
the packet payload for the purpose of extracting metadata
(e.g. protocol).
• There are many DPI toolkits available but they are not
what we looked for as:
◦ They are proprietary (you need to sign an NDA to use them), and
costly for both purchase and maintenance.
◦ Adding a new protocol requires vendor support (i.e. it has a high
cost and might need time until the vendor supports it) = you’re
locked-in.
• On a nutshell DPI is a requirement but the market does
not offer an alternative for open-source.
29
© 2017 - ntop.org
 Say hello to nDPI
• ntop has decided to develop its own GPL DPI

toolkit in order to build an open DPI layer for
ntop and third party applications.
• Supported protocols (> 220) include:
◦ P2P (Skype, BitTorrent)
◦ Messaging (Viber, Whatsapp, MSN, The Facebook)
◦ Multimedia (YouTube, Last.gm, iTunes)
◦ Conferencing (Webex, CitrixOnLine)
◦ Streaming (Zattoo, Icecast, Shoutcast, Netflix)
◦ Business (VNC, RDP, Citrix, *SQL)


30
© 2017 - ntop.org
 nDPI Overview
• Portable C library (Win and Unix, 32/64 bit).
• Designed for user and kernel space
◦ Linux ndpi-netfilter implements L7 kernel filters
• Used by many non-ntop projects (eg. xplico.org)
and part of Linux distributions (e.g. Debian).
• Able to operate on both plain ethernet traffic
and encapsulated (e.g. GTP, GRE…).
• Ability to specify at runtime custom protocols
(port or hostname - dns, http, https -based).

31
© 2017 - ntop.org
 nDPI on ntopng
• In ntopng all flows are analysed through nDPI to
associate an application protocol to them.
• L7 statistics are available per flow, host, and
interface (from which monitoring data is
received).
• For network interfaces and local hosts, nDPI
statistics are saved persistently to disk (in RRD
format).

32
© 2017 - ntop.org
nDPI on ntopng: Interface Report [1/2]

33
© 2017 - ntop.org
nDPI on ntopng: Interface Report [2/2]

Live data scrolling

34
© 2017 - ntop.org
 ntopng and Redis [1/2]
• Redis is an open source key-value in-memory
database.
• ntop uses it to cache data such as:
◦ Configuration and user preferences information.
◦ DNS name resolution (numeric to symbolic).
◦ Volatile monitoring data (e.g. hosts JSON
representation).
• Some information is persistent (e.g. preferences)
and some is volatile: ntopng can tell redis how
long a given value must be kept in cache.
35
© 2017 - ntop.org
 ntopng and Redis [2/2]
• Redis is also used as a (persistent) queue for requests
towards external applications.
◦ If configured (-F command line option), periodically flow status is
saved onto a redis queue, requests are packed, and send to a
remote BigData system.


• In essence Redis is used by ntopng to store information

that might take too much memory (if kept on ntopng
memory space), or to pile up list of things that are
executed periodically or that require interaction with
remote applications that might be slow or temporary
unavailable.
36
© 2017 - ntop.org
 Lua-based ntopng Scriptability [1/3]
• A design principle of ntopng has been the clean
separation of the GUI from engine (in ntop it was
all mixed).
• This means that ntopng can (also) be used (via
HTTP) to feed data into third party apps such as
Nagios or OpenNMS.
• All data export from the engine happens via Lua.
• Lua methods invoke the ntopng C++ API in order
to interact with the monitoring engine.

37
© 2017 - ntop.org
 Lua-based ntopng Scriptability [2/3]
• /scripts/callback/

scripts are executed

periodically to perform

specific actions.
• /scripts/lua/ scripts


are executed only by the


web GUI.
• Example:

http://ntopng:3000/lua/flow_stats.lua

38
© 2017 - ntop.org
 `
• ntopng defines (in C++) two Lua classes:
◦ interface
! Hook to objects that describe flows and hosts.
! Access to live monitoring data.
◦ ntop
! General functions used to interact with ntopng configuration.
• Lua objects are usually in “read-only” mode
◦ C++ sets their data, Lua reads data (e.g. host.name).
◦ Some Lua methods (e.g. interface.restoreHost()) can
however modify the information stored in the engine.

39
© 2017 - ntop.org
ntopng as a NetFlow/sFlow Collector [1/3]
• The “old” ntop included a NetFlow/sFlow
collector. Considered the effort required to
support all the various NetFlow dialects (e.g.
Cisco ASA flows are not “really” flows), in ntopng
we have made a different design choice.

40
© 2017 - ntop.org
ntopng as a NetFlow/sFlow Collector [2/3]
• nProbe (a home-grown NetFlow/sFlow collector/
probe) is responsible for collecting/generating
flows and convert them to JSON so that ntopng
can understand it.
• The communication ntopng <-> nProbe is over
ØMQ a simple/fast messaging system that allows
the two peers to be decoupled while:
◦ Avoiding “fat” communication protocols such as HTTP.
◦ Relying on a system that works per message (no per
packet) and handles automatic reconnection if necessary.
41
© 2017 - ntop.org
ntopng as a NetFlow/sFlow Collector [3/3]
Flows are sent in the following format
(gzip+encryption)
• {“8”:"192.12.193.11","12":"192.168.1.92","15":"0.0.0.0","10":0,"14":0,"2":5,"1":406,"22":
1412183096,"21":1412183096,"7":3000,"11":55174,"6":27,"4":6,"5":0,"16":2597,"17":0,"9":
0,"13":0,"42":4}
• Where:

◦ “<Element ID>”: <value> (example 8 = IPV4_SRC_ADDR)

• Contrary to what happens in NetFlow/sFlow ntopng

(collector) connects to nProbe (probe) and fetches the
emitted flows. Multiple collectors can connect to the
same probe. No traffic is created when no collector is
attached to the probe.
42
© 2017 - ntop.org
 Flow Collection Setup: an Example
Flow collection/generation (nProbe)
•Probe mode

nprobe --zmq "tcp://*:5556" -i eth1 -n
none
•sFlow/NetFlow collector mode

nprobe --zmq "tcp://*:5556" -i none -n
none --collector-port 2055

Data Collector (ntopng)

•ntopng -i tcp://127.0.0.1:5556

43
© 2017 - ntop.org
 Flow Collection: Pull vs Poll Mode
• Poll Mode
◦ host X> ntopng -i "tcp://Y:1234" --zmq-encrypt-pwd
myencryptionkey
◦ host Y> nprobe -n none --zmq "tcp://*:1234" --zmq-
encrypt-pwd myencryptionkey

• Push Mode
◦ host X> ntopng -i "tcp://Y:1234" --zmq-collector-mode --
zmq-encrypt-pwd myencryptionkey
◦ host Y> nprobe -n none --zmq "tcp://*:1234" --zmq-probe-
mode --zmq-encrypt-pwd myencryptionkey
44
© 2017 - ntop.org
 SNMP and Flow Collection [1/4]
• ntopng allows SNMP MIBs to be queried (MIB-II
and Bridge MIB)

45
© 2017 - ntop.org
 SNMP and Flow Collection [2/4]
• Both NetFlow and sFlow can be glued to SNMP
through the InterfaceId
• All necessary is to do, is to define in the SNMP
menu the IP address and community of the
SNMP-enabled devices

46
© 2017 - ntop.org
 SNMP and Flow Collection [3/4]
• ntopng for each flow exporter device is able to
detect if there is a corresponding SNMP device
configured and glue them up.

47
© 2017 - ntop.org
 SNMP and Flow Collection [4/4]
• With sFlow there is no need to have SNMP
enabled as ntopng is able to collect counter
values via ZMQ.
• With NetFlow counters are created accumulating
interface values Flow/SNMP Ratio

48
© 2017 - ntop.org
 Creating ntopng Clusters [1/3]
• ntopng is not only a flow collector, but it can
export flows in the same JSON format used in
the received flows.
• This allows complex clusters to be created:

49
© 2017 - ntop.org
 Creating ntopng Clusters [2/3]
• In many companies, there are many satellite offices
and a few central aggregation points.
• Using ØMQ (both ntopng and nProbe flows are in
the same format) it is possible to create a hierarchy
of instances.
• Each node aggregates the traffic

for the instances “below” it, so

that at each tree layer you have

a summarised view of the

network activities.
50
© 2017 - ntop.org
 Creating ntopng Clusters [3/3]
Example


• Start the remote nProbe instances as follows

• [host1] nprobe --zmq “tcp://*:5556″ -i ethX
• [host2] nprobe --zmq “tcp://*:5556″ -i ethX
• [host3] nprobe --zmq “tcp://*:5556″ -i ethX
• [host4] nprobe --zmq “tcp://*:5556″ -i ethX

• If you want to merge all nProbe traffic into a single ntopng interface do:
• ntopng -i tcp://host1:5556,tcp://host2:5556,tcp://
host3:5556,tcp://host4:5556

• If you want to keep each nProbe traffic into a separate ntopng interface do:
• ntopng -i tcp://host1:5556 -i tcp://host2:5556 -i tcp://
host3:5556 -i tcp://host4:5556

51
© 2017 - ntop.org
 Managing Alerts [1/2]
• In many situations it is fundamental to set alerts
that can signal anomalous conditions
• ntopng handles host/interface/network alerts
hooked to multiple metrics
• Metrics include bytes/packets received/generated
• User-submitted alerts are continuously
monitored in the background

52
© 2017 - ntop.org
Managing Alerts [2/2]

53
© 2017 - ntop.org
Sending ntopng Alerts to Nagios [1/2]
• Nagios is the de-facto standard in infrastructure
monitoring
• ntopng features alert propagation to Nagios

54
© 2017 - ntop.org
Sending ntopng Alerts to Nagios [2/2]
• Alerts are sent to Nagios via NSCA
• Nagios will intercept all alerts that are explicitly
declared as passive services
• Passive service description format is:
• NtopngAlert_<host/network/interface>_<timespan>_<metric>

55
© 2017 - ntop.org
 Historical Flow Navigation [1/2]
• ntopng can send (-F) network flows to MySQL
• a built-in database explorer retrieves such flows
and allows them to be navigated and searched

56
© 2017 - ntop.org
Historical Flow Navigation [2/2]

Bulk download and full

pcap extraction options

57
© 2017 - ntop.org
 Historical Talkers [1/2]
• Top Talkers can be automatically extracted from
flows
• Every top talker can be clicked to inspect its
peers
• Every peer can be clicked to inspect L7
application protocols

58
© 2017 - ntop.org
Historical Talkers [2/2]

59
© 2017 - ntop.org
 Historical Applications [1/2]
• Top Applications can be automatically extracted
from flows as well
• Every top application can be clicked to inspect
hosts that have used it
• Every host can be clicked to inspect peers that
have used a given application to communicate
with the host

60
© 2017 - ntop.org
Historical Applications [2/2]

61
© 2017 - ntop.org
 ntopng and Big Data
• Using SQLite to save flows persistently is good
when flows are not too many and the system that
runs ntopng has storage.
• For large deployments or disk-less systems (e.g.
ARM-based PCs) it is desirable to upload flows on
remote, cloud-based, systems able to scale with the
number of flows.
• In essence ntopng has been opened to what is
currently defined as “big data” systems that can
scale with data in volume and speed.
62
© 2017 - ntop.org
Integrating ntopng with ElasticSearch [1/2]
• An emerging Big Data system is ElasticSearch that is
used by a large community because of its flexibility
and user interface (Kibana) that allow visual
applications to be developed in minutes.
• Although we do not want to bind ntopng only with
ES, we believe that its integration is a good starting
point for:
! Opening ntopng to the Big Data world.
! Allowing people to use ntopng as data source and let them use
ES for long-term data storage and develop custom dashboards
using Kibana.

63
© 2017 - ntop.org
Integrating ntopng with ElasticSearch [2/2]
• ntopng dumps exported flows in JSON format onto
a Redis queue enriched with some specified ES
attributes (e.g. @timestamp that specifies the time
such flow has been exported).
• As soon as there is a minimum number of flows in
queue, a ntopng thread packs them together and
sends them to ES using the ES bulk API.
• ES indexes the received flows and make them
available to external applications such as the Kibana
dashboard.
64
© 2017 - ntop.org
ntopng Process Dashboard in Kibana [1/2]

65
© 2017 - ntop.org
ntopng Process Dashboard in Kibana [2/2]
• The GUI refreshes automatically

as new data arrive and users

can drill down data or visualise

raw flows.

66
© 2017 - ntop.org
 What’s Next on Big Data and ntopng
• We believe that the big data world is still very liquid
and it is not clear what the emerging technology
will be.
• We believe ntopng should be just a data source
without being tightly integrated with any external
tool (ntopng speaks JSON and HTTP so we can
cover most of them pretty easily).
• We are experimenting with other big data
technologies (e.g. druid.io) and we plan to open it to
all the emerging technologies available.
67
© 2017 - ntop.org
 ntopng on Virtual Environments
• ntopng has been packaged for major Linux
distributions such as Debian/Ubuntu, CentOS/
RedHat and also FreeBSD and OSX (brew):
installation couldn’t be simpler.
• However the current trend is going towards
virtualised environments (not just VMs such as
VMware) and IaaS (Infrastructure as a Service) and
thus we need to support them.

68
© 2017 - ntop.org
 ntopng on Docker [1/5]
• In essence there are two types of virtualisation:
◦ Virtual Machine: emulation of a particular computer system,
including its devices (network, storage, USB etc).
◦ Operating-system level virtualisation: run multiple isolated
user-space instances (often called containers) that look like
a real server.

• Docker is an open-source software that automates

the deployment of applications inside software
containers. Each container runs within a single Linux
instance without the overhead of starting VMs.
69
© 2017 - ntop.org
 ntopng on Docker [2/5]

Long-term Reports

Sniff on all containers

70
© 2017 - ntop.org
 ntopng on Docker [3/5]
• A ntopng container allows you to run ntopng on
a clean and isolated environment.
• Building a dock

can be done in a

few clicks on

hub.docker.com


71
© 2017 - ntop.org
 ntopng on Docker [4/5]
• Install docker (http://docs.docker.com/installation/ubuntulinux/)
$ sudo apt-get update
$ sudo apt-get install docker.io
$ sudo ln -sf /usr/bin/docker.io /usr/local/bin/docker
$ sudo sed -i '$acomplete -F _docker docker' /etc/bash_completion.d/docker.io
$ source /etc/bash_completion.d/docker.io
$ sudo sh -c "echo deb https://get.docker.com/ubuntu docker main > /etc/apt/sources.list.d/docker.list"
$ sudo apt-get update
$ sudo apt-get install lxc-docker

• Go do docker.com and search for ntopng

72
© 2017 - ntop.org
 ntopng on Docker [5/5]
• Pull the ntopng container
root@ubuntu:/home/deri# docker pull lucaderi/ntopng-docker
Pulling repository lucaderi/ntopng-docker
8077c18a90a8: Download complete
511136ea3c5a: Download complete
d497ad3926c8: Download complete
ccb62158e970: Download complete
e791be0477f2: Download complete
…
e072f31bb2a5: Download complete
9e52f4c92f80: Download complete
ecc46895937f: Download complete
3a3f2545e225: Download complete
4f1229fadea7: Download complete
5b5364929cbf: Download complete
Status: Downloaded newer image for lucaderi/ntopng-docker:latest

• Run ntopng on a container

root@ubuntu:/home/deri# docker run --net=host --name ntopng -t -i lucaderi/ntopng-docker ntopng -v
….
02/Nov/2014 12:55:20 [main.cpp:183] PID stored in file /var/tmp/ntopng.pid
02/Nov/2014 12:55:20 [HTTPserver.cpp:374] HTTPS Disabled: missing SSL certificate /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
02/Nov/2014 12:55:20 [HTTPserver.cpp:376] Please read https://svn.ntop.org/svn/ntop/trunk/ntopng/README.SSL if you want to enable SSL.
02/Nov/2014 12:55:20 [HTTPserver.cpp:420] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
02/Nov/2014 12:55:20 [HTTPserver.cpp:423] HTTP server listening on port 3000
02/Nov/2014 12:55:20 [main.cpp:231] Working directory: /var/tmp/ntopng
02/Nov/2014 12:55:20 [main.cpp:233] Scripts/HTML pages directory: /usr/share/ntopng
02/Nov/2014 12:55:20 [Ntop.cpp:218] Welcome to ntopng x86_64 v.1.2.2 (r8539) - (C) 1998-14 ntop.org

73
© 2017 - ntop.org
 ntopng on OpenStack [1/8]
• OpenStack is a technology that allows to

deploy and control resources on a data

center (VMs, storage, networking).
• Our interest in OpenStack is manyfold:
◦ Create an OpenStack VM image for enabling people to
easily deploy ntop monitoring apps on datacenter.
◦ Exploit ntop’s PF_RING open-source packet processing
technology for bringing packets in 0-copy at 10 Gbit on
a VM managed by OpenStack. This is to enable efficient
traffic monitoring on a data center.

74
© 2017 - ntop.org
 ntopng on OpenStack [2/8]
• In OpenStack,VMs are KVM-based and are
managed though the OpenStack controller.

75
© 2017 - ntop.org
 ntopng on OpenStack [3/8]
• Through OpenStack we want to be able to deploy
VMs with ntopng and attach them to virtual
controllers (Open vSwitch) or 0-copy PF_RING
ZC-based packet sources.
• With ZC, packets are captured in 0-copy from
network adapters and deployed in 0-copy to VMs.
• ZC packets are deployed on the VM using virtual
adapters attached dynamically to the VM though a
ntop-developed kernel module based on PCI
hotplug.
76
© 2017 - ntop.org
 ntopng on OpenStack [4/8]
Host
qemu qemu

VM 1 VM 2

User Space

User Space
ntopng zcount_ipc
Kernel

Kernel
uio_ivshmem uio_ivshmem

/tmp/qmq1 /tmp/qmq0

zsend zbalance_ipc

zc:eth1

(Host) $ ./zbalance_ipc -i zc:eth1 -c 99 -n 2 -m 0 -Q /tmp/qmp0,/tmp/qmp1

(Host) $ ./zsend -c 99 -Q /tmp/qmp0

(VM 1) $ ./ntopng -i zc:99@0 …

(VM 2) $ ./zcount_ipc -i 1 -c 99 -u

77
© 2017 - ntop.org
ntopng on OpenStack [5/8]
Optional Packet
Transmission
in 0-copy

App A App B

(e.g. IPS) (e.g. n2disk)
Packet

App C
Dispatcher PF_RING PF_RING
ZC ZC
PF_RING PF_RING
ZC KVM KVM ZC

Core 0 Core 1 Core 2 Core 3

1/10G 1/10G
78
© 2017 - ntop.org
ntopng on OpenStack [6/8]

NOTE: OpenStack image available from the ntop web site

79
© 2017 - ntop.org
ntopng on OpenStack [7/8]

80
© 2017 - ntop.org
ntopng on OpenStack [8/8]

81
© 2017 - ntop.org
Network Security Using ntopng

82
© 2017 - ntop.org
 Understanding Host Behaviour [1/2]
• Security attacks can originate from both local and
remote hosts.
• It is important to characterise host behaviour in
order to detect invalid traffic patterns and thus react.
• Typical misbehaved hosts include:
◦ Multiple (low bandwidth) egress connections.
◦ Connections with hosts on countries unlikely to be
contacted.
◦ Use of unfriendly protocols such as SSL connections with
self-signed certificates.

83
© 2017 - ntop.org
 Understanding Host Behaviour [2/2]
• Host behaviour is the result of the combination
of flow traffic analysis.

84
© 2017 - ntop.org
 IPv6 Address Assignment
• IPv6 hosts can configure themselves automatically
using the Neighbour Discovery Protocol in
ICMPv6 discovery messages.
• To find out unwanted advertisers do:
ICMPV6

85
© 2017 - ntop.org
Detecting Command & Control [1/2]
• In case an internal (external accesses are mediated by
firewall devices and thus are more difficult) host is
infected, such host can run an Internet robot (a.k.a.
bot) for running automatic tasks over the Internet.
• Malicious use of bots is the coordination and
operation of an automated attack on networked
computers.
• A typical bot behaviour consists of opening (a)
several (b) low-bandwidth (c) client connection over
unknown layer-7 protocols to instruct remote bots.

86
© 2017 - ntop.org
 Detecting Command & Control [2/2]

Unknown Same Port Little Traffic

Different Targets
Protocol

Low
Bandwidth

87
© 2017 - ntop.org
 DNS and Infections [1/5]
• The analysis of DNS traffic can be used as a
looking glass for spotting infections.
• DGAs (Domain Generation Algorithm) are used i
various families of malware to generate rendezvous
points for command & control (see previous slide).
• In literature, the first malware using DGAs was
Kraken (2008).
• Crypto-locker apps often use DGAs for this
purpose.

88
© 2017 - ntop.org
 DNS and Infections [2/5]
• Usually DGAs take as input a seed that is used to
generate many pseudo-random domain names.
• The malware keep generating domain names up
until there is one registered that is used to
connect to the “malware network”.
• ntopng can analyse DNS traffic and spot these
problems. Note that when we see DNS traffic for
DGAs we might have been victim of an attack.

89
© 2017 - ntop.org
 DNS and Infections [3/5]
Examples of DGAs def generate_domain(year, month, day):
"""Generates a domain name for the given date."""
domain = ""

<IP resolver> <GEO Resolver> <DNS Request> for i in range(16):

year = ((year ^ 8 * year) >> 11) ^ ((year & 0xFFFFFFF0) << 17)
a.b.c.d IT Turin afupelalikovacah.com.mydomain.it month = ((month ^ 4 * month) >> 25) ^ 16 * (month & 0xFFFFFFF8)
a.b.c.d IT Turin epolowypuvugijys.com.mydomain.it day = ((day ^ (day << 13)) >> 19) ^ ((day & 0xFFFFFFFE) << 12)
a.b.c.d IT Turin uzowawibehezojil.com.mydomain.it domain += chr(((year ^ month ^ day) % 25) + 97)

a.b.c.d IT Turin yfohizihifozoral.com.mydomain.it return domain

a.b.c.d IT Turin epolowypuvugijys.com.mydomain.it
a.b.c.d IT Turin uzowawibehezojil.com.mydomain.it
a.b.c.d IT Turin yfohizihifozoral.com.mydomain.it
a.b.c.d IT Turin ibpirauljhskybqlfdqnvtpz.ru.mydomain.it
a.b.c.d IT Turin krmfbypgavgoxklrscbmvolq.ru.mydomain.it
a.b.c.d IT Turin tkvnjzxlrjnwgeavcnflfsohgkb.ru.mydomain.it
a.b.c.d IT Turin qusspxmese.mydomain.it
a.b.c.d IT Turin sxievblqv.mydomain.it
a.b.c.d IT Turin amsssmy.mydomain.it
a.b.c.d IT Turin qkbmzxwcshedyprksckrukbnfz.ru.mydomain.it
a.b.c.d IT Turin riolnodfogydy.mydomain.it
a.b.c.d IT Turin ufqqzkphnpx.mydomain.it
a.b.c.d IT Turin oxctpbjzfvf.mydomain.it

90
© 2017 - ntop.org
 DNS and Infections [4/5]
• The best approach is start analysing DNS traffic
Select DNS Queries

91
© 2017 - ntop.org
 DNS and Infections [5/5]
Select DNS

Drill-down on
a specific host

Analyse Replies

92
© 2017 - ntop.org
MAC/ARP Monitoring and Scanning [1/2]
• ARP (Address Resolution Protocol) is not used
just to bind MAC addresses to IPs, but also for
monitoring device presence (e.g. in DHCP
networks).
• However it can also be used for scanning
networks (e.g. with nmap, fing and other tools).

93
© 2017 - ntop.org
MAC/ARP Monitoring and Scanning [1/2]
ARP Stats

Hosts Monitoring

94
© 2017 - ntop.org
Detecting TCP Flags-based Attacks [1/2]
• TCP flags distribution can indicate source of
problems as in theory you should have a 1:1 ratio
for:
◦ SYN vs SYN|ACK
◦ ICMP ECHO Request vs ECHO Reply
◦ ARP Request vs ARP Reply
• TCP FIN vs RST distribution analysis is an
interesting parameter for detecting scans.
• ntopng keeps these statistics and it allows alerts to
be generated based on these values.
95
© 2017 - ntop.org
Detecting TCP Flags-based Attacks [2/2]

96
© 2017 - ntop.org
 Detecting Scans
• ntopng has native detection of scans that can be
used to detect them regardless of their nature
such as SYN scan and Slowloris (low goodput).

97
© 2017 - ntop.org
 ICMP Traffic Monitoring [1/2]
• ICMP messages are useful for detecting traffic
anomalies:
◦ ICMP Redirect: MITM, asymmetric path
◦ Destination unreachable: network scan?
◦ Port unreachable: service scan or a service previously
up is now down?
• ntopng is able to monitor ICMP messages and to
report issues via alarms it generates on hosts and
interfaces.

98
© 2017 - ntop.org
ICMP Traffic Monitoring [2/2]

99
© 2017 - ntop.org
 Traffic Geolocation [1/2]
• Traffic geolocation is useful for enforcing security
rules. Examples:
◦ A child iPad is not supposed to access remote countries
outside its domain of knowledge
◦ A video-surveillance camera can be accessed only by
specific ASs/Countries

• ntopng has the ability to geolocate traffic and

emit alerts based on continents (i.e. alert if my
PC is accessed from Asia or Oceania)
100
© 2017 - ntop.org
Traffic Geolocation [2/2]

101
© 2017 - ntop.org
Monitoring Copyrighted Content [1/4]

102

© 2017 - ntop.org
Monitoring Copyrighted Content [2/4]
• ntopng has the ability to detect L7 protocols by
means of nDPI and thus to detect for instance
BitTorrent traffic

103
© 2017 - ntop.org
Monitoring Copyrighted Content [3/4]

104
© 2017 - ntop.org
Monitoring Copyrighted Content [4/4]

NOTE: This information can be logged onto the database for historical activity tracking.

105
© 2017 - ntop.org
 Unknown vs Unknown
• Unknown traffic does not always mean nDPI
needs to be extended to detect a new protocol.
• It can also indicate that there are activities that
are worth to be analysed more in detail.

106
© 2017 - ntop.org
 One-way Traffic
• One way traffic can be a good source of
information for understanding suspicious
activities based on destination and protocol:
◦ Multicast traffic can be exploited for disclosing sensitive
information (e.g. SSDP, MDNS)
◦ TCP traffic is by nature bi-directional, so one-way TCP
flow might indicate activities such as probing or service
unavailability.
• The flows menu can display one-way flows and
spot these situations.
107
© 2017 - ntop.org
 Suspicious Activities Detection
• nDPI can detect over 200 protocols including
those that are considered potentially malicious.
• The list includes protocols such as Tor or even
long-term acceptable protocols such as SSH or
SSL that in certain scenarios can hide something
more dangerous such as a VPN.
• Selecting specific protocols (e.g. TOR) in the flow
list and sorting them for duration, can enable this
analysis.

108
© 2017 - ntop.org
Characterising Host Risk Factor [1/2]
• Every host can have a security risk associated,
depending on the type and nature of traffic it
performs.
• nDPI has the ability to cluster layer-7 protocols in
families and thus characterise them up.

109
© 2017 - ntop.org
Characterising Host Risk Factor [2/2]
• However risks are coming not just from traffic
that a host makes, but also from ingress traffic.
• As previously said with one-way traffic, this is a
good source of understanding the security risk
factor a host has associated.

What do we need

Ingress but no egress traffic: service scan?
to hide here? 110
© 2017 - ntop.org
 Malware Detection [1/3]
• IDSs have been traditionally used to detect security
threats but as traffic is becoming more and more
encrypted they are falling short.
• A simple way to effectively monitor malware, is by
means of IP blacklists.
• You can configure ntopng to do nightly download of
malware hosts and enforce them in ntopng.
• If you use ntopng in monitor mode an alert is
reported, in inline-mode instead the communication
against such hosts are disabled.
111
© 2017 - ntop.org
 Malware Detection [2/3]
• Step 1: Enable Malware hosts detection in
preferences.

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

• Step 2: See the generated alerts for an overview

of malware activities.
112
© 2017 - ntop.org
Malware Detection [3/3]

113
© 2017 - ntop.org
 Characterising User Traffic [1/5]
• Network administrators should not look at user
traffic content as this falls outside of their tasks.
• However detecting (and blocking/shaping/setting a
quota) specific protocols not suitable for business
usage (e.g. Netflix) can be acceptable.
• Cloud-based services such as Google Drive or
DropBox can be prohibited in certain environments
so network administrators need a way to know
what users are doing (not the data content they are
exchanging).
114
© 2017 - ntop.org
 Characterising User Traffic [2/5]
• While nDPI is enough for known what hosts are
using what protocols…

• …inappropriate content (e.g. in schools or public

places) cannot be enforced this way as the protocol
is generic (e.g. HTTP) but the content is not.

115
© 2017 - ntop.org
 Characterising User Traffic [3/5]

• ntopng has been integrated with a content analysis company

to complement layer-7 traffic analysis with content enforcement.
• Go to http://flashstart.ntop.org to get your categorisation key.

116
© 2017 - ntop.org
Characterising User Traffic [4/5]

117
© 2017 - ntop.org
Characterising User Traffic [5/5]

118
© 2017 - ntop.org
Alarms On The Go

119
© 2017 - ntop.org
Staying in Touch

120
© 2017 - ntop.org
 Conclusions
• Traffic flow analysis and extraction of metadata
information are the cornerstones of network
security analysis.
• ntopng is able to provide insights not just for traffic
monitoring but also from the security viewpoint.
• The nDPI engine allows traffic to be properly
classified and bound to applications.
• Traffic categorization allows traffic patterns to be
built not just for tagging traffic but also for malware
analysis.
121
© 2017 - ntop.org
 Final Remarks
• Over the past 16 years ntop created a software
framework for efficiently monitoring traffic.
• “We have a story to tell you, not just hacks”.
• Commodity hardware, with adequate software,
can now match the performance and flexibility
that markets require. With the freedom of open
source.
• ntopng is available under GNU GPLv3 from

http://www.ntop.org/.

122
© 2017 - ntop.org