Re: Welcome to the Internet Trace User Community


From: Hank Nussbacher (hank@att.net.il)
Date: Tue Jan 09 2001 - 00:09:18 PST


At 18:55 09/01/01 +1300, Joerg Micheel wrote:

Of interest:

1. ASN to ASN matrix of data flows
2. Heuristic analysis to spot DoS or dDoS attacks based on the flow data

Regards,
Hank

>The Passive Measurement and Analysis (PMA) team of NLANR MOAT at SDSC/UCSD
>invites Internet researchers to discuss the next generation of passive
>network measurements to be carried out in the High Performance (HPC)
>backbone networks.
>
>Since 1995 the National Laboratory for Applied Network Research (NLANR)
>has been collecting IP packet header traces to support research in
>understanding the systemic nature of the Internet. The 12 sites chosen
>for capturing traffic traces are located at high-bandwidth interconnection
>points, typically access links from GigaPops to the vBNS core. The
>measurement strategy was defined as samples captured eight times a day
>for a defined length of time. Initially, this sampling interval was
>set to 2 minutes, today it is 90 seconds. The reason for the change was
>to limit the amount of data being captured per day. Today, the system
>collects between 1.5 and 3.2 Gigabytes of compressed data per day. The
>Network Analysis Infrastructure maintained by the MOAT team is designed
>as a service to the research public and allows for WWW access to all of
>the data being collected. The Datacube is an interface to search and
>browse trace data for specific metrics without having to download the
>large trace data files for detailed analysis.
>
>Initially, the data collect systems (OC3MON) were based on inexpensive
>commodity hardware (PC's with FORE ATM NICs). Experience with those
>systems has highlighted some of the shortcomings in deploying standard
>network interface cards. NLANR has been vital in supporting the development
>of dedicated passive network measurement gear. As a result, the recent
>monitors in the PMA infrastructure support high-precision timestamping,
>synchronization of both cards for bidirectional capturing, OC3c and OC12c
>links with ATM and PoS encapsulation and the capability to synchronize
>to an external clock source, such as a GPS or CDMA time receiver.
>
>At the moment, the PMA team is busy placing the remaining dozen of new
>monitors at important points of the Internet2/Abilene network. From our
>point of view, it has become crucial to understand the kinds of analysis
>that is being done with the data captured in order to develop better
>monitor placement strategies and trace schedules. With the previous set
>of monitors the placement strategy was determined to provide a good
>coverage of the overall network, so each monitor captures a unique
>portion of the overall network data. With the new set of 25 monitors
>available a more dense instrumentation of the network has become feasible.
>This means that the same traffic flow can be observed at multiple
>measurement points and the distortion of the traffic pattern can be
>studied. A correlation between the data captured at one point in the
>network with data captured at a different point should become possible.
>We are looking into providing different kinds of studies, such as long
>traces (hours, even days or weeks). We are planning to provide more
>detailed postprocessing (different sets of graphs) along with the traces
>published. At the same time, the group is seeking to reduce the amount
>of management overhead for maintaining the monitors and the data collection
>postprocessing. This implies changes to the trace schedules to somehow
>balance the amount of data collected.
>
>We are seeking your constructive discussion on the following topics:
>
> o focus of your research in the area of passive measurement analysis
>
>and consequently:
>
> o monitor placement strategies
> o trace durations and trace schedules
> o trace postprocessing and WWW publishing
> o trace scenarios (router instrumentation, cross-US,
> transatlantic, ...)
> o trace variety (LAN views, WAN access view, backbone view)
> o any other passive measurement topics that you find appropriate
>
>Your contributions should be sent to the Internet Trace User Community
>mailing list at <traces@nlanr.net>. We are looking forward to your mail.
>
>For the NLANR PMA team
>
> Hans-Werner Braun, Principal Investigator, NLANR MOAT
> Joerg Micheel, PMA team leader
>
>---------------------------------------------------------------------------
>
>References
>
>NLANR MOAT: http://moat.nlanr.net/
>WWW access to traces: http://moat.nlanr.net/Traces/Traces/
>Datacube: http://moat.nlanr.net/PMA/Datacube.html
>
>Subscription
>
>As you receive this mail, you are subscribed to the list. Please
>send additional subscription requests for this mailing list to
>Hans-Werner Braun <hwb@nlanr.net>.
>
>This article is also going to appear in the Network Analysis Times,
>Volume 2, Issue 1 (scheduled for publication by the end of January):
>
> http://moat.nlanr.net/NATimes/NAT.2.1/index.html



This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 16:24:40 PDT