
In this chapter we presented a simple but very effective tool for the interactive analysis of flow records. Its main purpose is to »dig« into the components of special traffic events such as peaks and to surface as much as possible about what the flows responsible for the bulk of the traffic during that event look like.

To this end, the user repeatedly chooses a flow key and the most interesting values from its top-N ranking, so that with each iteration more properties of the flows causing the event are pinned down.

We demonstrated with an example how a traffic peak could be traced back, in only three iterations, to the FTP transfer of four large files between two specific hosts.
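As an added illustration of the iterative top-N drill-down (this is example code written for this edit, not the tool or the data presented in the thesis), the following Python sketch runs the dig over a handful of constructed flow records. The hosts, ports and byte counts are invented; the tool described above lets the user pick the value at each step, whereas `trace` here simply takes the top-ranked value so the three iterations can run unattended.

```python
from collections import Counter

# Constructed sample flow records (invented for this example, not data from the thesis).
# Each record is one flow with its 5-tuple and the bytes it carried during the peak interval.
FLOWS = [
    # four large FTP data transfers (active-mode FTP: server source port 20) to one client
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "sport": 20, "dport": 51001, "bytes": 4_000_000},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "sport": 20, "dport": 51002, "bytes": 3_500_000},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "sport": 20, "dport": 51003, "bytes": 2_800_000},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "sport": 20, "dport": 51004, "bytes": 2_200_000},
    # background traffic that is not part of the peak
    {"src": "192.0.2.10", "dst": "198.51.100.9", "proto": "tcp", "sport": 20, "dport": 51010, "bytes": 600_000},
    {"src": "198.51.100.7", "dst": "203.0.113.80", "proto": "tcp", "sport": 44000, "dport": 80, "bytes": 300_000},
    {"src": "198.51.100.9", "dst": "203.0.113.80", "proto": "tcp", "sport": 44001, "dport": 80, "bytes": 250_000},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "sport": 45000, "dport": 22, "bytes": 90_000},
    {"src": "198.51.100.7", "dst": "198.51.100.53", "proto": "udp", "sport": 53001, "dport": 53, "bytes": 400},
]


def top_n(flows, key, n=3):
    """Rank the distinct values of one flow key by total bytes, descending."""
    totals = Counter()
    for flow in flows:
        totals[flow[key]] += flow["bytes"]
    return totals.most_common(n)


def drill_down(flows, key, value):
    """One iteration of the dig: keep only the flows whose key has the chosen value."""
    return [flow for flow in flows if flow[key] == value]


def trace(flows, keys):
    """Iterative analysis: for each key in turn, take the top-ranked value and narrow
    the flow set to it. Returns the chosen (key, value) pairs and the flows that remain."""
    chosen, current = [], list(flows)
    for key in keys:
        value, _ = top_n(current, key, 1)[0]
        chosen.append((key, value))
        current = drill_down(current, key, value)
    return chosen, current


def explained_share(all_flows, remaining):
    """Fraction of the interval's bytes accounted for by the flows that remain."""
    total = sum(f["bytes"] for f in all_flows)
    return sum(f["bytes"] for f in remaining) / total


if __name__ == "__main__":
    # three iterations: transport protocol, then source port, then destination host
    chosen, remaining = trace(FLOWS, ["proto", "sport", "dst"])
    for key, value in chosen:
        print(f"{key} = {value!r}")
    print(f"{len(remaining)} flows remain, {explained_share(FLOWS, remaining):.1%} of all bytes")
    for flow in remaining:
        print(f"  {flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']} {flow['bytes']} bytes")
```

On the constructed data the three steps settle on `tcp`, source port 20 and the client `198.51.100.7`, leaving exactly the four FTP data flows from one server, which together account for about 91% of the interval's bytes. In practice the ranking printed at each step is what the analyst reads before choosing the next key and value.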

Chapter 5

Distributed Monitoring of VoIP Traffic: SIPFIX

5.1 Motivation

The deployment of Voice-over-IP (VoIP) telephony is increasing fast. Not only are there more and more telephony service providers operating over the Internet and offering free VoIP-to-VoIP calls and cheap rates to PSTN telephones; the future telephony core networks, also known as Next-Generation Networks, will be IP based as well, for example the mobile phone network defined by the 3rd Generation Partnership Project (3GPP), including the IP Multimedia Subsystem (IMS). Access providers have also started to replace their classic analog and ISDN telephone lines with VoIP-based products operating over broadband network technologies such as DSL or cable Internet.

So obviously the need for monitoring solutions for VoIP technologies is increasing as well. Seen from the perspective of a classical circuit-switched telephone network, VoIP brings many new possibilities and improvements, but also a multitude of new risks and challenges. While VoIP itself is part of the application layer, it inherits all the properties of the packet-switched IP network it is based on, such as uncertain bandwidth, variable latency, changing routes and so on. The user also has direct access to the transport layer, which enlarges the attack surface of the system. So, in addition to the classical telephony monitoring needs for billing and for observing system load, performance and operational faults, there is the need to monitor many other features that are necessary to measure the Quality of Service, verify call integrity or detect harmful events like billing fraud, Spam over IP Telephony (SPIT), malicious rerouting, interception, manipulation and media injection, to name a few.

The borders between VoIP and similar applications like video telephony, media distribution and even instant messaging and email are also becoming more and more blurred, since the underlying technologies are constantly being extended to support further application types. For example SIP, mainly used for media stream sessions, is being extended to support instant messaging with an extension called SIMPLE, while XMPP, mainly used for instant messaging, is currently being extended with Jingle, which manages multimedia sessions in order to support voice and video chat. Obviously the trend goes towards rich signaling protocols that manage contact relations between users and support real-time and off-line communication in different ways: store and forward (like email), publish-subscribe (presence lists), hop-to-hop (like instant messaging) and the setup of direct end-to-end media stream sessions (audio and video telephony, media streaming, whiteboard). Which paths the different kinds of communication take, whether signaling or content, is difficult to predict and may vary significantly.

This means that monitoring demands grow broader and more complex over time, and so do the demands on a versatile and distributed solution that supports all these applications and is open to growing with them. Current monitoring schemes, however, are either flexible and distributed but designed to monitor only the transport layer, independently of the application layer, or they are application-layer specific but static and monolithic, mainly based on the APIs or log-file analysis of a specific server software. The latter cannot master the complexity of the aforementioned patterns of modern communication systems.

Therefore, a promising approach is to take an existing distributed monitoring scheme for the transport layer and extend it with components that perform application-layer analysis for specific application protocols, together with data structures able to keep and transport the extracted information. This results in a cross-protocol monitoring system that is flexible, distributed and scalable in order to cope with the increasing complexity of the communication protocols.

In this chapter, based on the work in [Anderson et al. 2009], we will follow this approach for the widely used Session Initiation Protocol (SIP). Because of its broad deployment, and since it is part of other standards like the aforementioned IMS of the 3GPP mobile phone network, it can be regarded as the most important among similar protocols. Of course, the principles of this concept can easily be adapted to similar protocols like H.323, IAX or XMPP/Jingle.

First we will describe the specific problems of SIP monitoring and the resulting requirements for the monitoring scheme. Then we will briefly introduce IPFIX and the Mediator concept the scheme is based on. We will define new IPFIX Information Elements and Flow Types, which form the core of SIPFIX, describe the necessary and optional device extensions, and recommend the use of certain IPFIX optimizations. Finally we will present a series of use case examples and address some implementation issues.