Kentik Data Engine
Dan Ellis
CTO
KDE Quick Stats (kentik detect engine)
NetFlow in the Cloud
• 125+ Billion Flows/Day stored
• 1,000,000+ FPS
• 50 “Large” Queries/s, thousands of sub-qps
• 75+ TB flow data stored/day (25+ TB compressed)
SNMP, BGP, network performance too!
KDE High-Level
• KDE is a hybrid system:
○ Fusing / Ingest Layer
○ Distributed column store db / query engine
○ Realtime stream processing for anomaly detection
• We evaluated various existing engines: ES, Hadoop, Cassandra, Storm, Spark, SILK, Druid, Kafka....
• Couldn’t find performance, multi-tenancy, and network savvy, so we wrote our own...
KDE architecture (diagram): three layers, the Ingest & Fusion layer, the Storage layer (flow specific) and the Query layer; each layer has separate and different scaling characteristics. Data sources feed the ingest layer; clients reach the query engine and UI through the query interfaces: SQL (SELECT flow FROM router WHERE …), WWW and REST.
Ingest architecture
KDE Architecture (diagram): NetFlow (UDP) and kFlow (HTTPS) arrive at a BGP VIP in front of the KDE ingest layer; relays hand each flow to a proxy, and the proxies to per-device client processes (C); the clients emit kFlow (HTTP) to the Storage layer and the Streaming layer. An enKryptor component is also labelled.
VIP + Relay (same diagram, relay highlighted)
• One IP bound to multiple servers
• Sharded by Source-IP
• Validate Sender as Kentik Customer
• Pass flow on (raw UDP socket) to correct proxy
• Relay handles load balancing (Kentik specific, UDP+TCP)
Proxy (same diagram, proxy highlighted)
• Inspect flow & determine type: V5, V9, IPFIX, SFlow, KFlow
• Need to resample?
• Configured Sample Rate
• Launch Client Process for each device
• Poll for device changes
• Monitor health
• Relaunch client on crash
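As an added example (not Kentik's code), the relay and proxy steps from the two slides above in Go: sender validation and source-IP sharding at the VIP, then header inspection at the proxy to pick a decoder and read the NetFlow v5 sampling interval that drives the resampling decision. The customer registry, proxy names and datagrams are constructed stand-ins.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/fnv"
	"net/netip"
)

// Relay side; the exporter registry and proxy list are hypothetical stand-ins.
type Relay struct {
	Customers map[netip.Addr]string // exporter source IP -> customer id
	Proxies   []string              // proxy addresses in a fixed order
}

// Route validates the sender, then shards by source IP. NetFlow is plain UDP, so the
// source address is the only identity the relay has; unregistered senders stop here.
func (r *Relay) Route(src netip.Addr) (customer, proxy string, err error) {
	customer, ok := r.Customers[src]
	if !ok {
		return "", "", fmt.Errorf("drop: %s is not a registered exporter", src)
	}
	h := fnv.New32a()
	b := src.As16() // 16-byte form so v4 and v6 senders hash the same way
	h.Write(b[:])
	return customer, r.Proxies[int(h.Sum32()%uint32(len(r.Proxies)))], nil
}

// Proxy side: inspect the datagram header and pick the decoder.
type FlowType int

const (
	Unknown FlowType = iota
	NetFlowV5
	NetFlowV9
	IPFIX
	SFlowV5
)

// Classify identifies the export format from the header. For NetFlow v5 it also
// returns the sampling interval stated in the header (0 if none), the "need to resample?" input.
func Classify(pkt []byte) (FlowType, uint32, error) {
	if len(pkt) < 16 {
		return Unknown, 0, errors.New("datagram shorter than any flow header")
	}
	switch binary.BigEndian.Uint16(pkt[0:2]) {
	case 5: // v5: 24-byte header + 48-byte records, record count in bytes 2..3
		count := int(binary.BigEndian.Uint16(pkt[2:4]))
		if count < 1 || count > 30 || len(pkt) != 24+48*count {
			return Unknown, 0, fmt.Errorf("v5 count %d inconsistent with %d bytes", count, len(pkt))
		}
		// bytes 22..23: 2-bit sampling mode followed by a 14-bit interval
		return NetFlowV5, uint32(binary.BigEndian.Uint16(pkt[22:24]) & 0x3fff), nil
	case 9: // v9: 20-byte header; templates describe the records that follow
		if len(pkt) < 20 {
			return Unknown, 0, errors.New("truncated NetFlow v9 header")
		}
		return NetFlowV9, 0, nil
	case 10: // IPFIX: bytes 2..3 hold the total message length
		if l := int(binary.BigEndian.Uint16(pkt[2:4])); l != len(pkt) {
			return Unknown, 0, fmt.Errorf("IPFIX length %d != %d bytes received", l, len(pkt))
		}
		return IPFIX, 0, nil
	case 0: // sFlow v5: 32-bit version, so the first u16 is 0; u32 at 4 is the agent address type
		if t := binary.BigEndian.Uint32(pkt[4:8]); binary.BigEndian.Uint32(pkt[0:4]) == 5 && (t == 1 || t == 2) {
			return SFlowV5, 0, nil
		}
	}
	return Unknown, 0, errors.New("unrecognised flow header")
}

// hdr builds a zeroed n-byte datagram with big-endian 16-bit fields at the
// given offsets: constructed test input, not captured exporter output.
func hdr(n int, fields map[int]uint16) []byte {
	b := make([]byte, n)
	for off, v := range fields {
		binary.BigEndian.PutUint16(b[off:], v)
	}
	return b
}

var (
	SampleV5    = hdr(72, map[int]uint16{0: 5, 2: 1, 22: 1<<14 | 1000}) // 1 record, sampling mode 1, interval 1000
	SampleIPFIX = hdr(16, map[int]uint16{0: 10, 2: 16})                 // bare message header, length 16
	SampleSFlow = hdr(28, map[int]uint16{2: 5, 6: 1})                   // u32 version 5, u32 IPv4 agent type
)

func main() {
	relay := &Relay{Customers: map[netip.Addr]string{netip.MustParseAddr("192.0.2.10"): "cust-a"},
		Proxies: []string{"proxy-1", "proxy-2", "proxy-3"}}
	fmt.Println(relay.Route(netip.MustParseAddr("192.0.2.10")))
	fmt.Println(relay.Route(netip.MustParseAddr("198.51.100.7")))
	for _, pkt := range [][]byte{SampleV5, SampleIPFIX, SampleSFlow, make([]byte, 8)} {
		fmt.Println(Classify(pkt))
	}
}
```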
Client (where the magic happens; same diagram, client highlighted)
• One per device configured to send flow
• * goes in, KFlow comes out
(diagram: NetFlow, SFlow and IPFix enter the client process C, kFlow leaves it)
Client Processing is a key enabler to useful data
Step 1: Normalization
• Separate code paths for each type expected
• CGO callouts
Step 2: Enrichment
• BGP - Route data for xxx
• GeoIP - Where does my traffic start and end
• SNMP - Interface names and descriptions
• Tagging - business classification: cost-centers, user-info, peering info
• App Specific Data - URL/DNS requests, MySQL query
• Performance data (NPM) - Retransmits, network latency, application latency
• coming soon:
○ Timestamped event data (syslog)
○ Threat feeds
DATA FUSION in CLIENT (diagram): decoder modules for NetFlow v5, NetFlow v9, IPFIX, SFlow and PCAP (from a PCAP agent) feed a DATA FUSION stage; in-memory tables hold the BGP RIB, custom tags, Geo ←→ IP and ASN ←→ IP, populated by the SNMP poller, BGP daemon and enrichment DB; each ROUTER flow leaves as a single fused row sent to storage (the FLOW FRIENDLY DATASTORE).
Step 3: Resampling & Unification
• Long term (>1 Month)
• What a process (device) said over an hour
• Two tricks:
○ Flow Unification
○ Resampling
Query+Storage layers: achieving ‘à la carte’ data consumption
Storage Layer
• Fused KFlow as input...Cap'n Proto (like Protocol Buffers)
• Shard data into small chunks
• HTTP to N distributed storage nodes
• Metadata supervisor DB handles shard locations
• Row Oriented to Column Oriented
• Compressed using ZFS
Multi-Tenancy DB
Needed multitenancy for a large-scale SaaS product
Could not find other DBs at scale with it
We succeeded by building in:
● Fairness: queries are chopped into small chunks, users are rate limited and prioritized
● Security: data is isolated between “users” down to the thread level
● Multiuser caching with fairness: built a cache that cannot be monopolized by any 1 user
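An added example, not Kentik's implementation, of the fairness and isolation rules in the slide above: a query-chunk cache in Go with a hard per-tenant share and per-tenant key namespaces, so one user's query volume cannot push other users' results out and a key name reused across tenants never returns another tenant's data. Capacity, share and tenant ids are hypothetical.

```go
package main

import (
	"container/list"
	"fmt"
)

type entry struct{ key string; value []byte }

// tenantCache is one tenant's private LRU; lookups never cross tenants.
type tenantCache struct {
	items map[string]*list.Element
	lru   *list.List // front = most recently used
}

// FairCache caps the cache as a whole and, separately, any single tenant's
// share of it. Capacity, share and tenant ids below are hypothetical.
type FairCache struct {
	capacity int // total entries
	maxShare int // entries any one tenant may hold
	size     int
	tenants  map[string]*tenantCache
}

func NewFairCache(capacity, maxShare int) *FairCache {
	return &FairCache{capacity: capacity, maxShare: maxShare, tenants: map[string]*tenantCache{}}
}

// evictOldest drops one tenant's least recently used entry.
func (c *FairCache) evictOldest(tc *tenantCache) {
	if el := tc.lru.Back(); el != nil {
		tc.lru.Remove(el)
		delete(tc.items, el.Value.(*entry).key)
		c.size--
	}
}

// largestTenant decides who pays when the shared capacity is exhausted: the
// tenant holding the most entries (ties broken by id, so it is deterministic).
func (c *FairCache) largestTenant() *tenantCache {
	var best *tenantCache
	bestID := ""
	for id, tc := range c.tenants {
		n := tc.lru.Len()
		if best == nil || n > best.lru.Len() || (n == best.lru.Len() && id < bestID) {
			best, bestID = tc, id
		}
	}
	return best
}

// Put stores a query chunk for one tenant. A tenant over its own share evicts
// only its own oldest entry; a full cache evicts from whoever holds the most.
func (c *FairCache) Put(tenant, key string, value []byte) {
	tc, ok := c.tenants[tenant]
	if !ok {
		tc = &tenantCache{items: map[string]*list.Element{}, lru: list.New()}
		c.tenants[tenant] = tc
	}
	if el, ok := tc.items[key]; ok {
		el.Value.(*entry).value = value
		tc.lru.MoveToFront(el)
		return
	}
	if tc.lru.Len() >= c.maxShare {
		c.evictOldest(tc)
	} else if c.size >= c.capacity {
		c.evictOldest(c.largestTenant())
	}
	tc.items[key] = tc.lru.PushFront(&entry{key: key, value: value})
	c.size++
}

// Get consults only the calling tenant's own map, so a key name reused across
// tenants never returns another tenant's data.
func (c *FairCache) Get(tenant, key string) ([]byte, bool) {
	if tc, ok := c.tenants[tenant]; ok {
		if el, ok := tc.items[key]; ok {
			tc.lru.MoveToFront(el)
			return el.Value.(*entry).value, true
		}
	}
	return nil, false
}

func main() {
	c := NewFairCache(6, 3)
	for i := 1; i <= 5; i++ { // tenant-a alone would fill the whole cache
		c.Put("tenant-a", fmt.Sprintf("chunk-%d", i), []byte("a"))
	}
	for i := 1; i <= 3; i++ {
		c.Put("tenant-b", fmt.Sprintf("chunk-%d", i), []byte("b"))
	}
	c.Put("tenant-c", "chunk-1", []byte("c")) // cache full: tenant-a, the largest, pays
	fmt.Println(c.Get("tenant-a", "chunk-3")) // evicted
	fmt.Println(c.Get("tenant-b", "chunk-5")) // not visible: it is tenant-a's key
}
```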
Query layer (diagram: the same three layers, with the query engine and UI, data sources and clients; the query interfaces are SQL, WWW and REST)
● SQL interface: PSQL FDW (PostgreSQL foreign data wrapper)
● UI/UX feat. advanced data-viz
● REST API based interface: build your own
Anomaly Detection and Streaming Databases
Anomaly Detection
● Network + NPM specific
● Policy based, customizable
● Granular itemization and metrics
○ look at top-100 Country, IP, Port, ASN, site, path,...
○ Unique senders, bps, pps, rxmits, latency
● Over/under static thresholds
● Over/under what’s “normal” (baselining)
● Perform actions
○ E-mail, Slack, JSON, Pagerduty
○ Mitigation (A10, Radware, BGP)
• DDoS is a simple use case of anomaly detection
• V1 anomaly detection relied on KDE queries. Abusive
• V2 needed stream processing and in-RAM baseline storage
• Typically avoided streaming DBs due to aggregation
• Streaming DBs for anomaly detection + our long term flow storage is a powerful combination
• Evaluated Spark, Storm, Samza, PipelineDB. Fail
Detecting Anomalies (diagram): the ingest pipeline (BGP VIP, relays, proxies, per-device clients) delivers kFlow at multiple kFPS into the Streaming layer. POLICIES (Policy #1, Policy #2) select flows through a policy aggregation filter; Aggregation Layer #1 sums (Σ) them into 1s buckets, Aggregation Layer #2 rolls those up into 1min sums, and Aggregation Layer #3 into 1hour sums. Per policy, thresholds & actions are applied by a threshold comparator that feeds the action triggers.
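An added example (not Kentik's streaming layer) of the aggregation and comparator pipeline in the diagram above, in Go: 1s sums rolled into 1min sums, a per-key history standing in for the hourly layer as the baseline, and static and baseline thresholds producing action triggers; a minute that fires is kept out of the baseline so attack traffic cannot become the new normal. Policy values, addresses and the flow stream are constructed, and flows are assumed to arrive in time order.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is the part of a fused kFlow row the policy looks at: unix second,
// destination IP, packet count (constructed input, assumed to arrive in time order).
type Flow struct{ TS int64; DstIP string; Packets uint64 }

// Policy mirrors the slide's "policy thresholds & actions" box: a static ceiling
// (0 disables it) and a multiple of the mean of the previous BaselineMins clean minutes.
type Policy struct{ StaticPPS, BaselineMult float64; BaselineMins int }

// Detector holds the three aggregation layers: 1 s sums (layer #1), 1 min
// sums (layer #2) and per-key history (the hourly layer #3) as the baseline.
type Detector struct {
	p              Policy
	curSec, curMin int64
	secSum, minSum map[string]uint64
	history        map[string][]float64 // completed clean minutes, in pps
}

func NewDetector(p Policy) *Detector {
	return &Detector{p: p, secSum: map[string]uint64{}, minSum: map[string]uint64{}, history: map[string][]float64{}}
}

// rollSecond folds the closed 1 s bucket into the minute bucket (layer #1 -> #2).
func (d *Detector) rollSecond() {
	for k, v := range d.secSum {
		d.minSum[k] += v
	}
	d.secSum = map[string]uint64{}
}

func mean(xs []float64) (s float64) { for _, x := range xs { s += x }; return s / float64(len(xs)) }

// flushMinute is the threshold comparator: static ceiling first, then the baseline
// multiple. A minute that fired is not learned into the history. The strings are the action triggers.
func (d *Detector) flushMinute() []string {
	var alerts []string
	for k, sum := range d.minSum {
		pps, hist, reason := float64(sum)/60, d.history[k], ""
		if d.p.StaticPPS > 0 && pps > d.p.StaticPPS {
			reason = "static threshold"
		} else if n := d.p.BaselineMins; n > 0 && len(hist) >= n {
			if base := mean(hist[len(hist)-n:]); base > 0 && pps > d.p.BaselineMult*base {
				reason = fmt.Sprintf("%.1fx baseline", pps/base)
			}
		}
		if reason != "" {
			alerts = append(alerts, fmt.Sprintf("%d %s %.0f pps (%s)", d.curMin*60, k, pps, reason))
		} else {
			d.history[k] = append(hist, pps)
		}
	}
	d.minSum = map[string]uint64{}
	sort.Strings(alerts)
	return alerts
}

// Ingest feeds one flow and returns the alerts of any minute it closes (the first flow closes empty buckets).
func (d *Detector) Ingest(f Flow) (alerts []string) {
	if f.TS != d.curSec {
		d.rollSecond()
		d.curSec = f.TS
	}
	if f.TS/60 != d.curMin {
		alerts = d.flushMinute()
		d.curMin = f.TS / 60
	}
	d.secSum[f.DstIP] += f.Packets
	return alerts
}

// Finish closes the open second and minute at end of stream.
func (d *Detector) Finish() []string { d.rollSecond(); return d.flushMinute() }

// SampleFlows is a constructed stream starting on a minute boundary: one flow per
// second to each of two servers; in the fourth minute the first server's rate jumps 20x.
var SampleFlows = func() (flows []Flow) {
	for i := int64(0); i < 240; i++ {
		web := uint64(100 + 1900*(i/180)) // 100 packets per second, then 2000
		flows = append(flows, Flow{1700000040 + i, "203.0.113.5", web}, Flow{1700000040 + i, "203.0.113.9", 10})
	}
	return flows
}()

func main() {
	d := NewDetector(Policy{BaselineMult: 5, BaselineMins: 3})
	var alerts []string
	for _, f := range SampleFlows {
		alerts = append(alerts, d.Ingest(f)...)
	}
	fmt.Println(append(alerts, d.Finish()...))
}
```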
kentik.com/nfd14

Kentik Detect Engine - Network Field Day 2017

  • 2. KDE Quick Stats (kentik detect engine) NetFlow in the Cloud • 125+ Billion Flows/Day stored • 1,000,000+ FPS • 50 “Large” Queries/s, thousands of sub-qps • 75+ TB flow data stored/day (25+ compressed) SNMP, BGP, network performance too!
  • 3. KDE High-Level • KDE is a hybrid system: ○ Fusing / Ingest Layer ○ Distributed column store db / query engine ○ Realtime stream processing for anomaly detection • We evaluated various existing engines: ES, Hadoop, Cassandra, Storm, Spark, SILK, Druid, Kafka.... • Couldn’t find performance, multi-tenancy, and network savvy so we wrote our own...
  • 4. Ingest & Fusion layer Storage layer (flow specific) Query layer Each layer has separate and different scaling characteristics Query engine and UI Query interfaces SQL WWW REST Data sources Clients SELECT flow FROM router WHERE … >_ KDE architecture
  • 6. KDE Architecture (diagram)
    Diagram labels: BGP VIP; KDE ingest layer (relay, proxy, client C); inputs NetFlow (UDP) and kFlow (HTTPS); outputs kFlow (HTTP); enKryptor; Storage layer; Streaming layer.
  • 7. VIP + Relay (ingest diagram, relay highlighted)
    • One IP bound to multiple servers
    • Sharded by Source-IP
    • Validate Sender as Kentik Customer
    • Pass flow on (raw UDP socket) to correct proxy
    • Relay handles load balancing (Kentik specific, UDP+TCP)
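The two relay duties on this slide, validating the sender and sharding by source IP, can be shown together in a few lines. The following is an added example written for this page, not Kentik's relay code; the `Relay` and `Proxy` types, the in-memory exporter registry and the SHA-256-based shard choice are all assumptions made here. Hashing the source address rather than round-robining keeps every datagram from one exporter on the same proxy, which matters for NetFlow v9/IPFIX, whose template records are only useful to the proxy that received them.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net/netip"
)

// Proxy is one ingest proxy behind the shared VIP (hypothetical type).
type Proxy struct {
	Name string
	Addr string // where the relay forwards the raw UDP datagram
}

// Relay models one server bound to the VIP: it knows which source IPs
// belong to registered customers and which proxy owns each source IP.
type Relay struct {
	exporters map[netip.Addr]string // source IP -> customer (constructed registry)
	proxies   []Proxy
}

func NewRelay(proxies []Proxy) *Relay {
	return &Relay{exporters: make(map[netip.Addr]string), proxies: proxies}
}

// Register records that a customer's device exports flow from src.
func (r *Relay) Register(customer string, src netip.Addr) {
	r.exporters[src] = customer
}

// Shard maps a source IP to a proxy deterministically: same exporter,
// same proxy, for as long as the proxy list is unchanged.
func (r *Relay) Shard(src netip.Addr) Proxy {
	sum := sha256.Sum256(src.AsSlice())
	idx := binary.BigEndian.Uint64(sum[:8]) % uint64(len(r.proxies))
	return r.proxies[idx]
}

// Route validates the sender first and only then picks a proxy: a datagram
// from an unknown source IP is dropped at the relay and never reaches a proxy.
func (r *Relay) Route(src netip.Addr) (Proxy, string, error) {
	customer, ok := r.exporters[src]
	if !ok {
		return Proxy{}, "", fmt.Errorf("drop: %s is not a registered exporter", src)
	}
	return r.Shard(src), customer, nil
}

func main() {
	r := NewRelay([]Proxy{
		{"proxy-1", "10.0.1.1:2055"}, {"proxy-2", "10.0.1.2:2055"}, {"proxy-3", "10.0.1.3:2055"},
	})
	// constructed sample exporters (documentation address ranges)
	r.Register("customer-a", netip.MustParseAddr("192.0.2.10"))
	r.Register("customer-b", netip.MustParseAddr("198.51.100.7"))
	for _, src := range []string{"192.0.2.10", "198.51.100.7", "203.0.113.99"} {
		p, c, err := r.Route(netip.MustParseAddr(src))
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s (%s) -> %s\n", src, c, p.Name)
	}
}
```

Source-IP validation on plain UDP NetFlow is a coarse admission filter, since a UDP source address can be forged; it bounds who can fill the ingest pipeline, it does not authenticate the exporter. A modulo hash also reshuffles most exporters when a proxy is added or removed; a consistent-hashing ring would limit that churn if the proxy set changes often.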
  • 8. Proxy (ingest diagram, proxy highlighted)
    • Inspect flow & determine type: V5, V9, IPFIX, SFlow, KFlow
    • Need to resample?
    • Configured Sample Rate
    • Launch Client Process for each device
    • Poll for device changes
    • Monitor health
    • Relaunch on client crash
  • 9. Client (where the magic happens) (ingest diagram, client highlighted)
    • One per device configured to send flow
    • * goes in, KFlow comes out (NetFlow, SFlow, IPFix → kFlow)
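The proxy's first two jobs, detecting the flow type from the datagram and applying a sample rate, are the point at which untrusted UDP bytes are first interpreted, so the parser must validate lengths before it indexes anything. The following is an added example for this page, not Kentik's proxy or client code; the type names, the `ConstructedV5Packet` helper and the constructed sample datagram are assumptions. The type check relies on real wire facts: NetFlow v5/v9 and IPFIX begin with a 16-bit version field (5, 9, 10), while an sFlow v5 datagram begins with a 32-bit version of 5. kFlow, Kentik's own format, is not on the wire in the open, so it is not detected here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// FlowType is the exporter format detected from the datagram header.
type FlowType int

const (
	Unknown FlowType = iota
	NetFlowV5
	NetFlowV9
	IPFIX
	SFlowV5
)

// DetectType classifies a raw UDP payload by its leading version field.
func DetectType(p []byte) FlowType {
	if len(p) < 4 {
		return Unknown
	}
	switch binary.BigEndian.Uint16(p[0:2]) {
	case 5:
		return NetFlowV5
	case 9:
		return NetFlowV9
	case 10:
		return IPFIX
	case 0: // sFlow v5 has a 32-bit version, so the first two bytes are zero
		if binary.BigEndian.Uint32(p[0:4]) == 5 {
			return SFlowV5
		}
	}
	return Unknown
}

// NetFlow v5 wire layout: 24-byte header, then up to 30 records of 48 bytes.
const (
	v5HeaderLen = 24
	v5RecordLen = 48
	v5MaxCount  = 30
)

// V5Record is the subset of a v5 record kept here, counters already scaled
// back up by the sample rate.
type V5Record struct {
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
	Proto            uint8
	Packets, Bytes   uint64
}

func addr4(b []byte) netip.Addr {
	var a [4]byte
	copy(a[:], b)
	return netip.AddrFrom4(a)
}

// ParseV5 checks version, record count and total length before reading any
// record, so a truncated or padded datagram is rejected rather than read past
// its end. configuredRate, when non-zero, overrides the rate the exporter
// advertises (low 14 bits of the header's sampling_interval field).
func ParseV5(p []byte, configuredRate uint32) ([]V5Record, error) {
	if len(p) < v5HeaderLen {
		return nil, errors.New("netflow v5: datagram shorter than header")
	}
	if binary.BigEndian.Uint16(p[0:2]) != 5 {
		return nil, errors.New("netflow v5: wrong version")
	}
	count := int(binary.BigEndian.Uint16(p[2:4]))
	if count == 0 || count > v5MaxCount {
		return nil, fmt.Errorf("netflow v5: invalid record count %d", count)
	}
	if len(p) != v5HeaderLen+count*v5RecordLen {
		return nil, fmt.Errorf("netflow v5: length %d does not match %d records", len(p), count)
	}
	rate := uint64(configuredRate)
	if rate == 0 {
		rate = uint64(binary.BigEndian.Uint16(p[22:24]) & 0x3FFF)
		if rate == 0 {
			rate = 1 // exporter reports no sampling
		}
	}
	recs := make([]V5Record, 0, count)
	for i := 0; i < count; i++ {
		r := p[v5HeaderLen+i*v5RecordLen : v5HeaderLen+(i+1)*v5RecordLen]
		recs = append(recs, V5Record{
			Src:     addr4(r[0:4]),
			Dst:     addr4(r[4:8]),
			Packets: uint64(binary.BigEndian.Uint32(r[16:20])) * rate,
			Bytes:   uint64(binary.BigEndian.Uint32(r[20:24])) * rate,
			SrcPort: binary.BigEndian.Uint16(r[32:34]),
			DstPort: binary.BigEndian.Uint16(r[34:36]),
			Proto:   r[38],
		})
	}
	return recs, nil
}

// ConstructedV5Packet builds a one-record v5 datagram for offline testing
// (a constructed sample, not captured traffic).
func ConstructedV5Packet(sampleInterval uint16) []byte {
	p := make([]byte, v5HeaderLen+v5RecordLen)
	binary.BigEndian.PutUint16(p[0:2], 5)                // version
	binary.BigEndian.PutUint16(p[2:4], 1)                // count
	binary.BigEndian.PutUint16(p[22:24], sampleInterval) // sampling_interval
	r := p[v5HeaderLen:]
	copy(r[0:4], []byte{10, 0, 0, 1})           // srcaddr
	copy(r[4:8], []byte{10, 0, 0, 2})           // dstaddr
	binary.BigEndian.PutUint32(r[16:20], 10)    // dPkts
	binary.BigEndian.PutUint32(r[20:24], 1500)  // dOctets
	binary.BigEndian.PutUint16(r[32:34], 443)   // srcport
	binary.BigEndian.PutUint16(r[34:36], 51000) // dstport
	r[38] = 6                                   // prot = TCP
	return p
}

func main() {
	p := ConstructedV5Packet(100)
	recs, err := ParseV5(p, 0)
	fmt.Println("type:", DetectType(p), "records:", recs, "err:", err)
	_, err = ParseV5(p[:40], 0)
	fmt.Println("truncated datagram:", err)
}
```

The length check is exact rather than `>=` on purpose: trailing bytes that no record accounts for are a sign of a malformed or hand-crafted datagram, and dropping the whole thing is cheaper than guessing. The 14-bit mask on `sampling_interval` matters because the top two bits carry the sampling mode, not the interval.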
  • 10. Client Processing is a key enabler to useful data
  • 11. Step 1: Normalization
    • Separate code paths for each type expected
    • CGO callouts
  • 12. Step 2: Enrichment
    • BGP - Route data for xxx
    • GeoIP - Where does my traffic start and end
    • SNMP - Interface names and descriptions
    • Tagging - business classification: cost-centers, user-info, peering info
    • App Specific Data - URL/DNS requests, MYSQL query
    • Performance data (NPM) - Retransmits, network latency, appl latency
    • coming soon:
      • Timestamped event Data (syslog)
      • Threat feeds
  • 13. DATA FUSION in CLIENT (diagram)
    Diagram labels: Decoder Modules (NetFlow v5, NetFlow v9, IPFIX, SFlow, PCAP via PCAP agent); Mem Tables / Enrichment DB (BGP RIB from BGP Daemon, Custom Tags, SNMP Poller, Geo ←→ IP, ASN ←→ IP); DATA FUSION; ROUTER, FLOW, FRIENDLY DATASTORE; proxy. Single flow fused row sent to storage.
  • 14. Step 3: Resampling & Unification
    • Long term (>1 Month)
    • What a process (device) said over an hour
    • Two tricks:
      • Flow Unification
      • Resampling
  • 15. Query+Storage layers achieving ‘à la carte’ data consumption
  • 16. Storage Layer
    • Fused KFlow as input... Cap'n Proto (like protobuffers)
    • Shard data into small chunks
    • HTTP to N distributed storage nodes
    • Metadata supervisor DB handles shard locations
    • Row Oriented to Column Oriented
    • Compressed using ZFS (diagram label: DISK)
  • 17. Multi-Tenancy DB
    Needed Multitenancy for a large-scale SaaS product
    Could not find other DB’s @scale with it
    We succeeded by building in:
    ● Fairness: queries are chopped into small chunks, users are rate limited and prioritized
    ● Security: data is isolated between “users” down to the thread level
    ● Multiuser caching with fairness: built a cache that cannot be monopolized by any 1 user
  • 18. KDE architecture (diagram, query layer highlighted)
    Diagram labels: Data sources; Ingest & Fusion layer; Storage layer (flow specific); Query layer; Query engine and UI; Query interfaces (SQL, WWW, REST, SELECT flow FROM router WHERE …, >_); Clients.
    ● SQL interface: PSQL FDW
    ● UI/UX feat. advanced data-viz
    ● REST API based interface: build your own
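Slide 17's "cache that cannot be monopolized by any 1 user" combined with "data is isolated between users" is a small, concrete design problem, so here is one way to build it. This is an added example written for this page, not Kentik's cache; `FairCache`, the per-tenant share parameter and the tenant-prefixed key scheme are assumptions. The two properties come from two rules: entries are keyed by (tenant, key) so a lookup can only ever return the caller's own rows, and a tenant that reaches its share evicts its own oldest entry, never another tenant's.

```go
package main

import (
	"container/list"
	"fmt"
)

// entry is one cached query result tagged with the tenant that owns it.
type entry struct {
	tenant, key string
	val         []byte
}

// FairCache is an LRU cache with a hard per-tenant share: no tenant may hold
// more than perTenantMax entries, so one heavy user cannot evict everyone else.
type FairCache struct {
	capacity, perTenantMax int
	ll                     *list.List               // most recently used at front
	items                  map[string]*list.Element // keyed by tenant + "\x00" + key
	perTenant              map[string]int
}

// NewFairCache creates a cache of capacity entries where a single tenant may
// occupy at most maxShare (0 < maxShare <= 1) of it.
func NewFairCache(capacity int, maxShare float64) *FairCache {
	per := int(float64(capacity) * maxShare)
	if per < 1 {
		per = 1 // a tenant must be able to hold at least one entry
	}
	return &FairCache{capacity: capacity, perTenantMax: per, ll: list.New(),
		items: make(map[string]*list.Element), perTenant: make(map[string]int)}
}

// ckey namespaces every key by tenant; a tenant cannot name another's entry.
func ckey(tenant, key string) string { return tenant + "\x00" + key }

// Get returns the entry only if it belongs to the requesting tenant.
func (c *FairCache) Get(tenant, key string) ([]byte, bool) {
	el, ok := c.items[ckey(tenant, key)]
	if !ok {
		return nil, false
	}
	c.ll.MoveToFront(el)
	return el.Value.(*entry).val, true
}

// Put inserts or refreshes an entry. A tenant at its share evicts its own
// oldest entry first; only when the whole cache is full is the global LRU
// entry evicted.
func (c *FairCache) Put(tenant, key string, val []byte) {
	if el, ok := c.items[ckey(tenant, key)]; ok {
		el.Value.(*entry).val = val
		c.ll.MoveToFront(el)
		return
	}
	for c.perTenant[tenant] >= c.perTenantMax {
		c.evictOldestOf(tenant)
	}
	for c.ll.Len() >= c.capacity {
		c.evict(c.ll.Back())
	}
	c.items[ckey(tenant, key)] = c.ll.PushFront(&entry{tenant: tenant, key: key, val: val})
	c.perTenant[tenant]++
}

func (c *FairCache) evictOldestOf(tenant string) {
	for el := c.ll.Back(); el != nil; el = el.Prev() {
		if el.Value.(*entry).tenant == tenant {
			c.evict(el)
			return
		}
	}
}

func (c *FairCache) evict(el *list.Element) {
	e := c.ll.Remove(el).(*entry)
	delete(c.items, ckey(e.tenant, e.key))
	c.perTenant[e.tenant]--
}

// Len and TenantCount expose occupancy for monitoring.
func (c *FairCache) Len() int                      { return c.ll.Len() }
func (c *FairCache) TenantCount(tenant string) int { return c.perTenant[tenant] }

func main() {
	c := NewFairCache(10, 0.5) // 10 entries, any one tenant capped at 5
	for i := 0; i < 8; i++ { // constructed keys: tenant-a tries to fill the cache
		c.Put("tenant-a", fmt.Sprintf("q%d", i), []byte("result"))
	}
	for i := 0; i < 3; i++ {
		c.Put("tenant-b", fmt.Sprintf("q%d", i), []byte("result"))
	}
	fmt.Println("total", c.Len(), "a", c.TenantCount("tenant-a"), "b", c.TenantCount("tenant-b"))
	_, ok := c.Get("tenant-b", "q7") // tenant-a's entry is invisible to tenant-b
	fmt.Println("cross-tenant read succeeded:", ok)
}
```

The share is a ceiling, not a reservation: a tenant below its cap can still lose entries to global LRU pressure, which is usually acceptable because the cap already bounds how much pressure any one tenant can generate. The scan in `evictOldestOf` is linear in cache size; a per-tenant list would make it constant if the cache is large.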
  • 21. API
  • 23. Anomaly Detection
    ● Network + NPM specific
    ● Policy based, customizable
    ● Granular itemization and metrics
      ○ look at top-100 Country, IP, Port, ASN, site, path,...
      ○ Unique senders, bps, pps, rxmits, latency
    ● Over/under static thresholds
    ● Over/under what’s “normal” (baselining)
    ● Perform actions
      ○ E-mail, Slack, JSON, Pagerduty
      ○ Mitigation (A10, Radware, BGP)
  • 24. Detecting Anomalies
    • DDoS is a simple use case of anomaly detection
    • V1 anomaly detection relied on KDE queries. Abusive
    • V2 needed stream processing and in-ram baseline storage
    • Typically avoided streaming db’s due to aggregation
    • Streaming db’s for anomaly detection + our long term flow storage is a powerful combination
    • Evaluated Spark, Storm, Samza, PipelineDB. Fail
  • 25. KDE Architecture (diagram, Streaming layer highlighted)
    Diagram labels: BGP VIP; KDE ingest layer (relay, proxy, client C); inputs NetFlow (UDP) and kFlow (HTTPS); outputs kFlow (HTTP); enKryptor; Storage layer; Streaming layer.
  • 26. Streaming anomaly detection pipeline (diagram)
    Diagram labels: kFlow (Multiple kFPS); POLICIES (Policy #1, Policy #2); Policy Aggregation Filter; Aggregation Layer #1 (1s buckets); Aggregation Layer #2 (1min Σ); Aggregation Layer #3 (1hour Σ); Policy Thresholds & Actions; Threshold Comparator; Action Triggers.
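Slides 23, 24 and 26 together describe the V2 design: a policy filter, time-bucketed Σ aggregation, an in-RAM baseline, a comparator for static and "what's normal" thresholds, and action triggers. The following is an added example written for this page, not Kentik's streaming code; `Sample`, `Policy`, `Detector`, the one-tier window (the slide shows 1s, 1min and 1hour tiers; the same structure nests), the mean plus k·σ baseline rule and the constructed traffic are all assumptions. Windows an alert fired on are deliberately kept out of the baseline so that a sustained flood does not become the new normal.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// Sample is one enriched flow row reduced to what a policy needs: a time,
// the key the policy itemizes on (here a destination IP) and a byte count.
type Sample struct {
	TS    int64 // unix seconds
	Key   string
	Bytes uint64
}

// Policy mirrors the slide's policy aggregation filter plus thresholds.
type Policy struct {
	Name       string
	Filter     func(Sample) bool // nil means match everything
	StaticBps  float64           // 0 disables the static ceiling
	Sigma      float64           // standard deviations above the baseline mean
	MinHistory int               // closed windows needed before baselining is trusted
}

// Alert is what the threshold comparator hands to the action triggers.
type Alert struct {
	Policy, Key, Reason string // Reason is "static" or "baseline"
	Observed, Baseline  float64
}

// Detector sums samples into fixed windows (the slide's Σ layer), compares
// each closed window against both thresholds, and keeps a bounded in-RAM
// history per key as the baseline.
type Detector struct {
	p        Policy
	window   int64 // seconds per window, e.g. 60
	curStart int64 // start of the open window, -1 if none
	cur      map[string]uint64
	hist     map[string][]float64 // per-key bps of recent normal windows
	histLen  int
	OnAlert  func(Alert) // action trigger, optional
}

func NewDetector(p Policy, windowSec int64, histLen int) *Detector {
	return &Detector{p: p, window: windowSec, curStart: -1, histLen: histLen,
		cur: make(map[string]uint64), hist: make(map[string][]float64)}
}

// Observe feeds one sample. When it falls in a later window than the open
// one, the open window is closed and any alerts it produced are returned.
func (d *Detector) Observe(s Sample) []Alert {
	if d.p.Filter != nil && !d.p.Filter(s) {
		return nil
	}
	w := s.TS - s.TS%d.window
	if w < d.curStart {
		return nil // late sample for a window already closed: dropped
	}
	var alerts []Alert
	if d.curStart >= 0 && w != d.curStart {
		alerts = d.closeWindow()
	}
	d.curStart = w
	d.cur[s.Key] += s.Bytes
	return alerts
}

// Flush closes the open window without waiting for a newer sample.
func (d *Detector) Flush() []Alert {
	if d.curStart < 0 {
		return nil
	}
	d.curStart = -1
	return d.closeWindow()
}

func (d *Detector) closeWindow() []Alert {
	var out []Alert
	for key, nbytes := range d.cur {
		bps := float64(nbytes) * 8 / float64(d.window)
		h := d.hist[key]
		mean, sd := stats(h)
		reason := ""
		switch {
		case d.p.StaticBps > 0 && bps > d.p.StaticBps:
			reason = "static"
		case len(h) >= d.p.MinHistory && bps > mean+d.p.Sigma*sd:
			reason = "baseline"
		}
		if reason != "" {
			a := Alert{Policy: d.p.Name, Key: key, Reason: reason, Observed: bps, Baseline: mean}
			out = append(out, a)
			if d.OnAlert != nil {
				d.OnAlert(a)
			}
			continue // anomalous windows never enter the baseline
		}
		if h = append(h, bps); len(h) > d.histLen {
			h = h[1:]
		}
		d.hist[key] = h
	}
	d.cur = make(map[string]uint64)
	return out
}

// stats returns the mean and population standard deviation of xs.
func stats(xs []float64) (mean, sd float64) {
	if len(xs) == 0 {
		return 0, 0
	}
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		sd += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sd / float64(len(xs)))
}

func main() {
	d := NewDetector(Policy{Name: "dst-bps", StaticBps: 1e9, Sigma: 3, MinHistory: 3}, 60, 60)
	d.OnAlert = func(a Alert) { // stand-in for the E-mail/Slack/JSON/PagerDuty actions
		b, _ := json.Marshal(a)
		fmt.Println(string(b))
	}
	// constructed input: five quiet minutes toward 10.0.0.1, then a burst
	for m := int64(0); m < 5; m++ {
		d.Observe(Sample{TS: m * 60, Key: "10.0.0.1", Bytes: 7500})
	}
	d.Observe(Sample{TS: 300, Key: "10.0.0.1", Bytes: 7_500_000})
	d.Flush()
}
```

A flat baseline has zero deviation, so with this rule alone any increase would alert once `MinHistory` is met; a production comparator adds a minimum absolute delta or a percentage floor. Windows only close when a newer sample arrives, which is why `Flush` exists; a real pipeline would close them on a timer so a key that goes silent still gets evaluated.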