Enhancing Global Network Monitoring with Magnifier

Authors: Tobias Bühler, Romain Jacob, Ingmar Poese, and Laurent Vanbever
Proceedings of the 20th USENIX Symposium on Networked Systems Design and Implementation

Abstract

Monitoring where traffic enters and leaves a network is a routine task for network operators. In order to scale with Tbps of traffic, large Internet Service Providers (ISPs) mainly use traffic sampling for such global monitoring. Sampling either provides a sparse view or generates unreasonable overhead. While sampling can be tailored and optimized to specific contexts, this coverage–overhead trade-off is unavoidable.

Rather than optimizing sampling, we propose to “magnify” the sampling coverage by complementing it with mirroring. Magnifier enhances the global network view using a two-step approach: based on sampling data, it first infers traffic ingress and egress points using a heuristic, then it uses mirroring to validate these inferences efficiently. The key idea behind Magnifier is to use negative mirroring rules; i.e., monitor where traffic should not go. We implement Magnifier on commercial routers and demonstrate that it indeed enhances the global network view with negligible traffic overhead. Finally, we observe that monitoring based on our heuristics also allows to detect other events, such as certain failures and DDoS attacks.

Research Area: Network Analysis and Reasoning

People

Dr. Tobias Bühler
PhD student
2016—2023

BibTex

@INPROCEEDINGS{bühler2023enhancing,
	isbn = {978-1-939133-33-5},
	year = {2023},
	booktitle = {Proceedings of the 20th USENIX Symposium on Networked Systems Design and Implementation},
	type = {Conference Paper},
	author = {Bühler, Tobias and Jacob, Romain and Poese, Ingmar and Vanbever, Laurent},
	abstract = {Monitoring where traffic enters and leaves a network is a routine task for network operators. In order to scale with Tbps of traffic, large Internet Service Providers (ISPs) mainly use traffic sampling for such global monitoring. Sampling either provides a sparse view or generates unreasonable overhead. While sampling can be tailored and optimized to specific contexts, this coverage–overhead trade-off is unavoidable. Rather than optimizing sampling, we propose to “magnify” the sampling coverage by complementing it with mirroring. Magnifier enhances the global network view using a two-step approach: based on sampling data, it first infers traffic ingress and egress points using a heuristic, then it uses mirroring to validate these inferences efficiently. The key idea behind Magnifier is to use negative mirroring rules; i.e., monitor where traffic should not go. We implement Magnifier on commercial routers and demonstrate that it indeed enhances the global network view with negligible traffic overhead. Finally, we observe that monitoring based on our heuristics also allows to detect other events, such as certain failures and DDoS attacks.},
	language = {en},
	address = {Berkeley, CA},
	publisher = {USENIX Association},
	title = {Enhancing Global Network Monitoring with Magnifier},
	PAGES = {1521 - 1539},
	Note = {20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2023); Conference Location: Boston, MA, USA; Conference Date: April 17-19, 2023}
}

Research Collection: 20.500.11850/612426

Slide Sources: https://gitlab.ethz.ch/projects/41219