Computer Network Management, Chapter 4: Network Measurement and Monitoring (.ppt)

Uploaded by: 小飞机 | Document ID: 6342956 | Uploaded: 2023-10-18 | Format: PPT | Pages: 103 | Size: 1.10 MB

Slide 1: Computer Network Management
Lecturer: 王继龙 (Wang Jilong), Information Network Engineering Research Center, Tsinghua University

Slide 2: Chapter 4: Network Measurement and Monitoring
- Section 1: Overview of network measurement technology
- Section 2: Network measurement topics
- Section 3: Examples of network measurement systems

Slide 3: Section 2: Network measurement topics
- Topology and route measurement
- Fault measurement
- Performance measurement
- Security measurement

Slide 4: ISN'T THIS GREAT?
- Property owners watching the state of their network
- Students watching the teacher's whereabouts
- "I can see what you are doing"

Slide 5: Topic 1: Topology and route measurement

Slide 6: Topology measurement
- Search for the interconnection devices in the network and determine how they are connected.

Slide 7: Basic principle of active measurement
(figure: a Permanent Set and a Temporary Set of discovered nodes, driven by a Heuristic)

Slide 8: Obtaining clues
- Permanent Set
- Tools: DNS ls, netstat, tracert

Slide 9: Measure
- Permanent Set
- Tools: Ping, B_Ping, snmp, tracert, telnet
- Temporary Set

Slide 10: Generating new clues
- Permanent Set
- Tools: Random Probe, TraceRT, B_ping, routeTable, ARP_Table

Slide 11: Some notes
- Many networks do not support broadcast ping.
- Many networks restrict access to SNMP.
- Physical topology versus logical topology.

Slide 12: Passive measurement
- Listening to routing protocols: OSPF, BGP

Slide 13: Route measurement
- UC Berkeley uses traceroute to collect and analyse routing-behaviour information on the links between 37 measurement points distributed around the world.
- The University of Oregon collects routing-behaviour information between certain autonomous systems through the BGP protocol running on specific routers.
- At present, research is limited to the collection, aggregation and simplification of routing-behaviour data; the collected data is analysed only qualitatively.

Slide 14: Network distance
- Problem: I want to reach the server closest to me.
- Applications: choosing among Web server mirror sites; choosing end nodes in peer-to-peer systems.

Slide 15: Topic 2: Fault measurement and monitoring

Slide 16: Fault distribution
(figure; source: Chris Morino, Resonate)

Slide 17: Basic steps of fault diagnosis
- Collect the available information.
- Analyse the fault symptoms.
- Isolate the problem to a single network segment, a single independent function or module, or a single user.
- Within that unit, isolate the problem to specific hardware or software, or to a user-account problem.
- Locate and repair.
- Verify that the problem has really been resolved.
- Never simply take users' word for it: they may be misled by appearances. Verify everything yourself.

Slide 18: Problem 1: a service cannot be accessed
- Emergency handling: cold-boot the PC; check the PC for hardware faults; check the network cable connections; check that all network drivers are loaded correctly; check that no recent change to the PC or server could have caused the problem.
- Professional handling: check whether any network can be reached successfully from the point of failure; check LAN performance; hub status; cable connections; network statistics; track collisions; check bridges or routers.

Slide 19: Problem 2: connections drop
- Emergency handling: cold-boot the PC; check the PC for hardware faults and check its network connection; check that the network drivers are loaded correctly; check for changes to the PC that could have caused the problem; rule out other programs resident in the PC's memory.
- Professional handling: check the network statistics for high utilisation and high collision rates; test the hub port; test the NIC driver; test cascaded hubs; test routing; test packet loss with small and large packets.

Slide 20: Problem 3: slow speed
- Determine the nature of the problem: a network-media problem, or a problem with a specific station or server.
- Media problems: utilisation and collision rate; check for FCS error frames; collision bursts; incorrect termination; impedance discontinuities; a damaged NIC.
- Software problems: identify the stations generating heavy traffic; the applications and services used at the point of failure; mixed protocols; test for unrelated protocols consuming bandwidth; test broadcast traffic; test the isolation provided by VLANs and routing devices.
- Hardware problems: find the MAC address of the device in trouble; test packet loss with ping; interconnection devices running at full load; cable cross-wiring.

Slide 21: Network noise
- External interference: fans, air conditioners, heaters, photocopiers, fluorescent lights, lift motors.
- Power problems; damaged cables or connectors; cables that are too long; grounding problems.

Slide 22: Preventing TCP/IP network problems
- IP address management: never allow duplicate addresses; set up sound allocation and reclamation procedures; stop unauthorised use; DHCP, MAC authentication and VLANs are recommended.
- Host configuration: documentation, backups, and a controlled change process.

Slide 23: TCP/IP connection failures
- Emergency handling: cold boot; confirm there is no hardware fault; confirm the cable connections; confirm the NIC driver is installed correctly; confirm any recent changes to the host; confirm the MAC address is correct.
- Professional tests: IP settings; protocol encapsulation; is the problem widespread?; is it a physical problem?; ARP responses; the router's connection to the next hop; DNS; routing; server settings.

Slide 24: Intermittent TCP/IP disconnection
- Emergency handling: as above.
- Professional handling: packet loss; ping tests of hosts on the same segment; scanning; route flapping.

Slide 25: Slow speed or poor performance
- Performance indicators: traffic, delay.
- Choice of routing protocol: RIP, IGRP, OSPF; route tracing.
- Network bottlenecks: network topology; congested links, low-speed routers, hosts doubling as routers, overload, congested routes.
- Low-speed hosts: host processing capacity, interface-card and driver performance, server overload, the way network applications are used.

Slide 26: Indicators of a healthy Ethernet
- Average network utilisation no more than 40%.
- Average collision rate no more than 5%.
- Errors (overlong frames, runt frames, frame-check errors, late collisions) should not occur at all.
- Broadcast traffic under 5%.

Slide 27: ping
    ping IP/name [-t] [-a] [-n count] [-l size] [-f] [-i ttl] [-v TOS] [-r count] [-s count] [-j host-list] [-k host-list] [-w timeout]
- -t: keep sending to the target host until stopped
- -a: display the target host's domain name
- -n count: how many echo requests to send
- -l size: size of the packet sent to the target host
- -f: set the DF flag in the IP packet (forbid fragmentation)
- -i ttl: set the TTL
- -v TOS: set the Type of Service
- -r count: record route
- -s count: record timestamps
- -j host-list: loose source route
- -k host-list: strict source route
- -w timeout: maximum time to wait for each reply

Slide 28: TraceRT
    tracert IP/domain [-d] [-h maximum_hops] [-j host_list] [-w timeout]
- -d: do not resolve the target host's name
- -h maximum_hops: maximum number of hops to search for the target
- -j host_list: source route

Slide 29: netstat
    netstat [-r] [-s] [-n] [-a]
- -r: display the contents of the local routing table
- -s: display per-protocol statistics (TCP, UDP, IP)
- -n: display addresses and ports in numeric form
- -a: display all ports on the host

Slide 30: Winipcfg/ipconfig
    ipconfig /all | /release adaptor | /renew adaptor | /flushdns | /registerdns | /displaydns | /showclassid | /setclassid

Slide 31: Structure of the IP packet
(figure: IP header layout with bit positions 0, 4, 8, 16, 19, 24, 31)

Slide 32: IP packet header
(figure: the Type of Service (TOS) field)

Slide 33: IP options
- The IP options field in the packet header is optional.
- IP options are mainly used for network control and testing: the source route option, the record route option and the timestamp option.
- IP options must be processed by every router along the path.
- In practice, IP options are rarely used.

Slide 34: Topic 3: Performance measurement and monitoring

Slide 35: Overview
- Determine the measurement items and metrics.
- Determine the measurement points and reference points.
- Choose tools / collect data.
- Analyse.

Slide 36: Performance measurement?
- Traffic for destinations: inside & outside
- Top talkers: inside & outside
- Application-oriented workload
- SLAs
- Responsiveness, availability, reliability, throughput
- CPU and memory utilisation
- End-to-end response time for frequently used transactions
- Number of concurrent users
- Network collisions, error rates
- Queue depths

Slide 37: Choosing reference points
- Reference point: performance measurement cannot cover every network entity, only a "representative" subset; we call that subset the reference points. Measurement usually "manufactures" a communication process between the monitoring point and a reference point and records it to obtain the data needed to compute the behaviour metrics.
- Reliability: if a reference point fails, is switched off or otherwise stops working, there is no data for some period (other than "service unavailable"), which badly distorts the overall measurement result.
- Validity: the validity of a reference point is the authenticity of the data obtained from it.
- Representativeness: the data obtained through a reference point should reflect not only the reference point's own performance changes but also the common characteristics of a related set of entities.

Slide 38: Influence of the measurement tool
- In the same network environment and with the same measurement method, different measurement tools give different behaviour metrics.
- Comparison of the response delay of 1760 web servers measured with two tools (ping and xchkaccess).
- Analysis of the result: xchkaccess has to establish a TCP connection, so its communication overhead is larger than that of ICMP.

Slide 39: Tools
- Clients: Application Response Monitor (ARM); workstation performance monitors
- Networks: sniffers; network monitoring software (OpenView, Tivoli, CiscoWorks); active measurement tools
- Servers, proxies: OS monitoring tools

Slide 40: End-to-end available bandwidth measurement
- Capacity: maximum throughput without cross-traffic
- Available bandwidth: maximum throughput given cross-traffic
(figure: Source to Destination over links A1, A2, A3, A4)

Slide 41: Applications
- Efficiency of applications; choosing the "best" server; congestion control; multicast routing; etc.

Slide 42: Pathchar
- Lots of UDP probes with different sizes and TTLs
- Estimates latency and bandwidth: rtt from the (n-1)th to the n-th hop = 2*lat + ip_size/bw
- Dynamic behaviour is hard to capture, as queues are neglected and various other assumptions are made
- Link-by-link measurement

Slide 43: (figure)

Slide 44: Packet-pair (Nettimer)
- Send packets back-to-back and estimate the narrow-link capacity from the packet dispersion
- Only measures end-to-end capacity, neglecting cross-traffic
- Dispersion after a link: Tn+1 - Tn = max(S/BW, T1 - T0), where S/BW is the serialisation time of a packet of size S on the link and T1 - T0 is the spacing with which the pair arrived

Slide 45: MRTG
- Highly portable SNMP-based tool
- Provides only 5-minute averages of link utilisation
- Used by network operators only, as the routers' SNMP community strings are required
- Link-by-link measurement
- http://people.ee.ethz.ch/oetiker/webtools/mrtg/

Slide 46: Inferring end-to-end traffic from per-port traffic, to discover the traffic distribution.

Slide 47: Pathload
- Sends self-loading periodic streams at increasing rates until the rate exceeds the tight link's available bandwidth and the relative one-way delays of the packets show an increasing trend.
- The scheme is highly intrusive, even though it measures the available bandwidth of the tight link.
- End-to-end available bandwidth measurement.

Slide 48: Measurement tool: PingER
- PingER (Ping End-to-end Reporting) monitors the end-to-end performance of Internet links.

Slide 49: Router traffic monitoring
- Rationale: line rates grow far faster than memory access speed; recording every packet is impossible; traffic must be sampled.
- The key questions: how to sample? how to separate the few large flows from the many small ones? This matters greatly for network management and accounting.

Slide 50: Router-based passive measurement (figure)

Slide 51: NeTraMet
(figure: METER-MIB, NeTraMet meter, rulesets, meter reader(s), manager, analysis application, flow data, PME, packets (pcap, NetFlow, LFAP))

Slide 52: Example of a ruleset
    if SourcePeerType = IPv4
        if DestPeerAddress = (130.89/16)
            count;

Slide 53: Measuring limits
- What are the limits of these measurement tools? Can, for example, sniffers handle megabits of traffic?
- Tsinghua campus net: 20000 users, 500 Mbps peak

Slide 54: Measuring limits: conclusions
- Current PCs can easily handle 0.5 gigabits
- With sophisticated network cards, speeds of several gigabits seem possible

Slide 55: UNIX commands
- SAR (System Activity Report), a sampling tool
- ps, vmstat, iostat, netstat, log files

Slide 56: Commercial tools
- NetFlow (Cisco), Enterasys (Cabletron), NetMetrics (HP OpenView), Performance Monitor (Windows NT)

Slide 57: Measuring tools: conclusions
- Many tools exist; some are commercial; many are open source

Slide 58: Measurement results
- Bandwidth consumption for top users
- Bandwidth consumption for average users
- Popular protocols/applications (campus)
- Popular protocols/applications (backbone)

Slides 59-62: Top users; Average users; What students do; Popular applications (backbone), data collected 04-03-2002 / 10-03-2002 (figures)

Slide 63: Topic 4: Network security measurement

Slide 64: How much security? (figure)

Slide 65: Common methods of attack
- Password guessing/cracking
- Denial of service
- Spoofing/masquerading
- Buffer overruns
- Eavesdropping (sniffing)
- Viruses, worms, trojan horses

Slide 66: Common scenario of an attack
- Find a scanner for the latest OS/server vulnerabilities and scan a wide range of address space
- Use available exploits to gain mailing list
- Hide yourself on the attacked host
- Prepare the system for future use: install sniffers to collect passwords; install DDoS tools

Slide 67: Password attacks
- Dictionary attacks (UNIX Crack, L0pht Crack for Windows NT)
(figure: recovering the original password)

Slide 68: Distributed DoS
- Trin00, Tribal Flood Network, Stacheldraht, ...
(figure: handlers and agents)

Slide 69: Buffer overrun
    void function(char *str)
    {
        char buffer[16];
        ...code...
        strcpy(buffer, str);   /* copies str without checking its length */
        ...code...
    }

    void main()
    {
        ...code...
        function(1, 2, 3);
        ...code...
    }

Slide 70: (figure: stack layout showing the function arguments, the return address, the instructions and the overrun buffer)

Slide 71: Buffer overrun
- The input string isn't checked for length
- The most popular break-in technique
- UNIX shell code takes only 45 bytes of instructions
- Code Red exploit code: /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Slide 72: Some tools
- SATAN, port scanners: vulnerability checking
- SNORT: intrusion detection
- COPS: backdoor checking
- John, password+, Crack, Npasswd: password analysis
- Keymon: guarding against password cracking
- Winnuke.exe: tests an NT bug
- Protocol analysers, sniffers
- Tripwire: monitoring critical files and directories
- TCP Wrapper: monitoring inetd services
- Sudo: restricting superuser access
- Usable for defence or for attack, depending on who uses them

Slide 74: To repel the enemy outside, first secure the inside!

Slide 78: Proactive measures
- Install the latest versions of software and apply the recommended patches
- Strip down default services
- Restrict access to hosts
- Stay current with new security issues
- Apply OS and server patches immediately
- Do regular backups
- Monitor system activity and integrity
- Implement a firewall
- Only then connect the system to your network

Slide 79: Strip down default services
    port   type      name
    7      TCP/UDP   echo
    9      TCP/UDP   discard
    13     TCP/UDP   daytime
    19     TCP/UDP   chargen
    21     TCP       ftp
    23     TCP       telnet
    37     TCP/UDP   time
    53     TCP/UDP   domain
    69     UDP       tftp
    110    TCP       pop3
    113    TCP/UDP   auth
    161    UDP       snmp
    514    UDP       syslog
    517    UDP       talk
    2049   TCP/UDP   NFS
    513    UDP       who
    512    TCP       exec
    513    TCP       login
    514    TCP       shell
- Check /etc/inetd.conf and comment out unwanted services!

Slide 80: Disabling unwanted services
- Find all services on your system: use scanners (nmap) and system tools (ps, netstat, lsof)
- Find out whether you need a service: is it a public or an internal service?
- Disable unwanted services and test
- Scan your system from an external network

Slide 81: Restrict access to hosts
- Restrict physical access to servers
- Restrict network access with filtering software: IP chains, IP tables or IP filter
- Restrict access to services: TCP Wrapper (/etc/hosts.allow, /etc/hosts.deny; works only for services started by inetd)
- Apply filters on routers (ACLs)
- Combine host-based protection with strong authentication (e.g. S/Key one-time passwords)

Slide 82: ACL syntax (simplified)
    access-list number action protocol source destination flags
- number: 100-199 (extended ACLs)
- action: permit or deny
- protocol: ip, icmp, udp, tcp, ospf, etc.
- source: host and port specification
- destination: host and port specification
- flags: established, log, etc.
- Example:
    access-list 101 deny tcp host 192.168.200.13 192.168.100.64 0.0.0.31 eq www
    access-list 101 deny udp any 192.168.100.64 0.0.0.31 eq snmp
    access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq telnet
    access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq smtp
    access-list 101 deny tcp host 192.168.0.1 gt 1024 192.168.100.64 0.0.0.31 log
    access-list 101 permit ospf any any
    access-list 101 deny any any        (this rule is implicit and is not shown!)

Slide 83: Basic router filtering: prevent spoofing
- Drop packets whose source address is outside the assigned range (figure: filter on the interface facing the Internet)
    access-list 150 permit 192.168.2.0 0.0.0.255 any

Slide 84: Basic router filtering: guard against IP address trust exploits
- Drop packets carrying your own network's source address that arrive from the Internet (figure)
    access-list 160 deny 192.168.2.0 0.0.0.255 any

Slide 85: Basic router filtering: don't help flooders
- Prevent your network being used as a DoS amplifier (figure)
    no ip directed-broadcast

Slides 86-90: Filtering traffic (1)-(5)
(figure series: a public zone with a web server, an email server and a DNS server, and a private zone with an internal web server, an email server, and NetBIOS shared disks and printers)
- (2) permit tcp/80, permit tcp/25, permit udp/53
- (3) permit tcp established
- (4) permit any
- (5) permit tcp/25, permit udp/53, permit tcp established

Slide 91: Implement a firewall
(figure: Internet | firewall | your network, split into public and private areas)
- A firewall still allows information to flow from the private area out to the Internet!

Slide 92: Stay informed
- Subscribe to mailing lists (CERT/CC advisories, BugTraq, NTBugTraq, Microsoft security advisories, ...)
- Check for new exploits

Slide 93: Apply patches
- Advisories often offer links to vendor patches; if those are absent, consider a temporary service restriction
- Sites still report various well-known attacks, although patches have been available for several years

Slide 94: Monitor system activity and integrity
- Store logs in a safe place
- Check logs for suspicious entries
- Compare checksums on essential binaries and configuration files (Tripwire)
- Monitor incoming connections (Argus, ip filters)
- Test systems with scanners (nmap, nessus)

Slide 96: Use encryption
- Encrypt your remote sessions (SSH, Secure Shell)
- Encourage the use of email encryption (PGP, Pretty Good Privacy)
- Encrypt sensitive data on servers

Slide 97: Prevention traps
- There is no perfect protection, not even with firewalls
- Out-of-the-box solutions and "zero administration" don't exist

Slide 98: Reactive measures
- Collect the evidence; if necessary, do a full backup of the compromised hosts
- Decide on follow-up actions
- Block further attempts from the intruders and sanitise the compromised hosts
- Monitor the intruders' activities, preferably in a restricted fake environment set up for that purpose
- Report the incident

Slide 103: Final exam
- Network topology design; transmission scheme design; IP network design; equipment selection; routing design; IP allocation and network partitioning; configuration management plan; fault monitoring plan; performance monitoring plan; security monitoring plan; accounting plan; design of organisation and management processes
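The two per-hop bandwidth estimation models on the pathchar and packet-pair (Nettimer) slides (42 and 44), carried through in an added example that is not part of the lecture slides: the three-hop path, the probe sizes and the RTT values are constructed, and the cross-traffic packet is added to show the error the packet-pair slide warns about.

```python
# Added example, not from the slides: simulating the two link-capacity
# estimation models on the pathchar and packet-pair (Nettimer) slides.
# Capacities are in bit/s, sizes in bytes, times in seconds.

def pathchar_fit(size1, rtt1, size2, rtt2):
    """pathchar's per-hop model: rtt(S) = 2*lat + S/bw.
    Only the serialisation term depends on the probe size, so two probe
    sizes and their (minimum) RTTs fix bw and the one-way latency lat."""
    bw = (size2 - size1) * 8 / (rtt2 - rtt1)
    lat = (rtt1 - size1 * 8 / bw) / 2
    return bw, lat

def packet_pair_gap(size, link_bps, cross_bytes=None):
    """Gap between two back-to-back packets after each store-and-forward hop:
    T(n+1) - T(n) = max(S/BW_n, gap so far), as on the Nettimer slide.
    cross_bytes[n] is a constructed cross-traffic packet that slips between
    the pair on hop n; its serialisation time widens the gap, which the
    basic model ignores."""
    cross_bytes = cross_bytes or [0] * len(link_bps)
    gap = 0.0  # T1 - T0 at the sender: the pair leaves back-to-back
    for bw, cross in zip(link_bps, cross_bytes):
        gap = max(size * 8 / bw, gap) + cross * 8 / bw
    return gap

def packet_pair_capacity(size, link_bps, cross_bytes=None):
    """Narrow-link capacity estimate C = S / dispersion seen at the receiver."""
    return size * 8 / packet_pair_gap(size, link_bps, cross_bytes)

if __name__ == "__main__":
    path = [100e6, 10e6, 100e6]  # constructed 3-hop path; hop 2 is the narrow link
    print("no cross-traffic:", packet_pair_capacity(1500, path))  # 10 Mbit/s
    print("1500 B cross-traffic packet between the pair on hop 2:",
          packet_pair_capacity(1500, path, [0, 1500, 0]))  # 5 Mbit/s: underestimate
    print("pathchar fit (bw, lat):", pathchar_fit(64, 0.0020512, 1500, 0.0032))
```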

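An added example, not from the slides, for the simplified extended-ACL syntax of slide 82 and the anti-spoofing list of slide 83: a small evaluator that parses the slide's own access-list lines and reports which rule a packet hits, including the implicit deny at the end of every list, so a rule set can be checked offline before it is applied to a router. The port-name table and the first-match evaluation are this toy model's assumptions about router behaviour; the addresses and ports are the slide's.

```python
import ipaddress

PORTS = {"www": 80, "snmp": 161, "telnet": 23, "smtp": 25}  # names used on the slide
PROTOCOLS = {"ip", "icmp", "udp", "tcp", "ospf"}

def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq|gt PORT'."""
    if tokens[0] == "any":
        net, wild, tokens = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        net, wild, tokens = int(ipaddress.ip_address(tokens[1])), 0, tokens[2:]
    else:
        net = int(ipaddress.ip_address(tokens[0]))
        wild, tokens = int(ipaddress.ip_address(tokens[1])), tokens[2:]
    port = None
    if tokens and tokens[0] in ("eq", "gt"):
        port, tokens = (tokens[0], PORTS.get(tokens[1]) or int(tokens[1])), tokens[2:]
    return (net, wild, port), tokens

def parse_acl(lines):
    """Parse 'access-list N action [protocol] source destination [flags]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        proto, rest = (t[3], t[4:]) if t[3] in PROTOCOLS else ("ip", t[3:])
        src, rest = _addr_spec(rest)
        dst, flags = _addr_spec(rest)
        rules.append((int(t[1]), t[2], proto, src, dst, set(flags)))
    return rules

def _match(spec, ip, port):
    net, wild, pspec = spec
    if (int(ipaddress.ip_address(ip)) | wild) != (net | wild):  # wildcard bits ignored
        return False
    return pspec is None or (port == pspec[1] if pspec[0] == "eq" else port > pspec[1])

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins: returns (action, rule index). No match = implicit deny."""
    for i, (_num, action, rproto, s, d, _flags) in enumerate(rules):
        if rproto in ("ip", proto) and _match(s, src, sport) and _match(d, dst, dport):
            return action, i
    return "deny", None  # the 'deny any any' that closes every list

ACL_101 = parse_acl("""\
access-list 101 deny tcp host 192.168.200.13 192.168.100.64 0.0.0.31 eq www
access-list 101 deny udp any 192.168.100.64 0.0.0.31 eq snmp
access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq telnet
access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq smtp
access-list 101 deny tcp host 192.168.0.1 gt 1024 192.168.100.64 0.0.0.31 log
access-list 101 permit ospf any any""".splitlines())
ANTI_SPOOF_150 = parse_acl(["access-list 150 permit 192.168.2.0 0.0.0.255 any"])

if __name__ == "__main__":  # www to the /27 from an unlisted host: nothing permits it
    print(evaluate(ACL_101, "tcp", "10.0.0.5", 4000, "192.168.100.65", 80))  # ('deny', None)
```

Note that a telnet packet from 192.168.0.1 with a high source port hits the permit on the third line before the logging deny on the fifth, which is exactly the ordering question such a check is meant to surface.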