3. Choosing a Method of Traffic Monitoring and DDoS Detection

This chapter describes the traffic monitoring technologies supported by Wanguard Sensor. There are four Wanguard Sensor “flavors”, each having a different way of obtaining traffic information:

Packet Sensor analyzes packets. It can be used on appliances that are either deployed in-line (servers, firewalls, routers, bridges, IDSes, load-balancers) or connected to a mirrored port or TAP.

In switched networks, only the packets for a specific device reach the device’s network card. If the server running a Packet Sensor is not deployed in-line, in the main data path, then a network TAP or a switch or router that offers a “monitoring port” or “mirroring port” must be used. In this case, the network device sends copies of data packets traveling through selected ports or VLANs to the monitoring port. Packet Sensor inspects every packet it receives and conducts packet-based traffic analysis.

Flow Sensor analyzes flows. It is used for monitoring NetFlow® (jFlow, NetStream, cflowd), sFlow® and IPFIX flow packets.

Many routers and switches can collect IP traffic statistics and periodically send them as flow records to a Flow Sensor. Because the flow protocol already pre-aggregates traffic data, the flow data sent to Flow Sensor is much smaller than the monitored traffic, which makes Flow Sensor a good option for monitoring remote or high-traffic networks. The main downside of flow-based traffic analysis is that pre-aggregating traffic data delays real-time traffic statistics by at least 30 seconds.

SNMP Sensor monitors the bandwidth usage of routers and switches on a port-by-port basis.

When this technology is used, SNMP Sensor queries the device (e.g. router, switch, server) for the traffic counters of each port using small request packets, which trigger equally small reply packets from the device. Compared to other bandwidth monitoring technologies, the SNMP option is very basic and offers no IP-specific information. SNMP creates the least CPU and network load.

Sensor Cluster aggregates pre-existing Sensor traffic data into a single, unified, anomaly detection and/or IP graphing domain.

Sensor Cluster sums up the traffic data collected by Packet Sensor, Flow Sensor and SNMP Sensor interfaces and performs the same tasks as the other Sensors (IP graphing, IP accounting, anomaly detection, etc.).

For redundancy, high availability and to be able to view packet dumps and flow data, you can deploy Flow Sensor(s) and Packet Sensor(s) simultaneously.

3.1. Comparison between Packet Sniffing, Flow Monitoring, and SNMP Polling

Packet Sensor is recommended when the speed of detecting attacks is critical, or when there is a need for capturing raw packets for forensics and troubleshooting. Because every packet entering the network is inspected, Packet Sensor needs to run on servers with powerful CPUs.

Flow Sensor analyzes pre-aggregated traffic information sent by routers and switches, so it can monitor traffic passing through multiple 10/40/100 GbE interfaces even when it runs on a low-end server. On the other hand, Flow Sensor has some disadvantages:

✘ It exhibits reduced speed in processing real-time traffic information. Flow exporters aggregate traffic data over time, making the traffic visible only after a delay (flow aging) that usually exceeds 30 seconds
✘ It provides slightly less accurate traffic readings because in most cases the packets or flows are sampled
✘ Enabling the flow exporter functionality may result in an increased CPU load on the network device when the flow collection is not performed in hardware
✘ Flows can be dropped if a powerful spoofed DDoS attack fills the TCAM of the network device

SNMP Sensor is useful to monitor devices that cannot export flows or mirror packets, or to compare flow and SNMP-derived statistics in order to ensure the flow data’s accuracy.

|                                        | Packet Sensor                                                                                    | Flow Sensor                                                                       | SNMP Sensor                            |
|----------------------------------------|--------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|----------------------------------------|
| Traffic Monitoring Technology          | Sniffing packets passing an in-line appliance; port mirroring (SPAN, Roving Analysis Port); network TAP | NetFlow version 5, 7 and 9 (jFlow, NetStream, cflowd); sFlow version 4 and 5; IPFIX | SNMP version 1, 2c and 3               |
| Maximum Traffic Capacity per Sensor *  | 100 GigE                                                                                         | multiples of 100 Gbps                                                             | multiples of 100 Gbps                  |
| DDoS Detection Time **                 | ≤ 1 second                                                                                       | ≥ flow aging time (usually ≥ 30 seconds) + 5 seconds                              | ≥ 5 seconds                            |
| IP Graph Granularity                   | ≥ 5 seconds                                                                                      | ≥ 20 seconds                                                                      | N/A (SNMP offers no details about IPs) |
| Traffic Validation Options             | IP classes, MAC addresses, VLANs, BPF                                                            | IP classes, Interfaces, AS Numbers, Ingress/Egress                                | Interfaces                             |
| Packet Dumps                           | Yes                                                                                              | No                                                                                | No                                     |
| Flow Collector                         | No                                                                                               | Yes                                                                               | No                                     |

* The number of connections between IPs is not a limiting factor.
** Wanguard Sensor detects the IPs under attack. Wanguard Filter detects the sources of each attack.