
Page 1

Surachai CHITPINITYON, Kasom KOHT-ARSA, Surasak SANGUANPONG, Anan PHONPHOEM, Pirawat WATANAPONGSE, Chalermpol CHUPAMPUN

Office of Computer Services, Kasetsart University

E-mail: [email protected]

Design and Implementation of Large Scale URL Filtering

APAN, Xi’an, Network Security, 29th August 2007

This work is partially supported by Commission of Higher Education (CHE), UniNET, Thailand

Page 2

Network Operation Center, Kasetsart University, Office of Computer Services

Agenda

Why Need URL Filtering?
Filtering Techniques
TCP Revisited
Proposed Solution
Performance Facts
Current Deployment
Scalability Planning for 10Gbps

Page 3

Agenda: Why Need URL Filtering?

Page 4

Why Need URL Filtering?

Access policy enforcement
  Parental control
  Other websites restricted by policy

Suspected harmful websites (on-demand filtering)
  Spyware, phishing
  Embedded scripting
  Websites that intend to attack OS/software vulnerabilities

Page 5

Agenda: Filtering Techniques

Page 6

Pass-Through Web Filtering

[Figure: Client, Filtering Engine, Gateway, Internet; each request passes through the filtering engine in steps 1 to 4, and the engine decides Allow, Block or Unknown ("??") before the request continues]

Traffic must pass through the filtering engine (firewall, proxy, application gateway)

Requests are queued for processing, which adds delay; the delay depends on traffic volume and machine performance

Page 7

Pass-by Web Filtering

[Figure: Client, Filtering Engine, Gateway, Internet; the request passes the gateway directly (steps 1, 2) while a copy is examined by the filtering engine (step 3, "??")]

Traffic is captured and passed by without queuing: zero added delay, independent of traffic volume

Ease of installation (no traffic interruption)

Non-blocking traffic stream

No single point of failure

Scalable

Because the engine is off the forwarding path, it can only block a request by out-racing the server's reply (see the session hijacking slides); a slow or overloaded engine lets traffic through rather than stalling it.

Page 8

Agenda: TCP Revisited

Page 9

TCP Connection Establishment & Data Transfer

Client -> Server: SYN J              (client enters SYN_SENT)
Server -> Client: SYN K, ACK J+1     (server enters SYN_RCVD)
Client -> Server: ACK K+1            (client enters ESTABLISHED; server enters ESTABLISHED on receipt)
Client -> Server: Data (request)
Server -> Client: Data (reply)

Page 10

TCP Connection Termination

Client -> Server: FIN L              (client enters FIN_WAIT_1)
Server -> Client: ACK L+1            (server enters CLOSE_WAIT; client enters FIN_WAIT_2)
Server -> Client: FIN M              (server enters LAST_ACK)
Client -> Server: ACK M+1            (client enters TIME_WAIT; server enters CLOSED)

Page 11

TCP Session Hijacking

Client -> Server: SYN J
Server -> Client: SYN K, ACK J+1
Client -> Server: ACK K+1
Client -> Server: Data (request)
Filtering -> Client: FIN L           (faked FIN by the filtering engine, spoofed as coming from the server)
Server -> Client: Data (reply)       (packet will be ignored by the client)

The filtering engine only observes the traffic. After seeing the request it injects a FIN towards the client that carries the server's address and the sequence number the client expects next from the server; in the exchange above the server has sent no data yet, so L = K+1. The client's TCP treats the connection as closed by the server, and the real reply that arrives afterwards is ignored.

Page 12

Agenda: Proposed Solution

Page 13

Proposed Solution

Pass-by method incorporated with two techniques
  Session hijacking
    Fast sequence number interception
  Keyword capturing in the application request packet

URL processing designed to
  Handle a list of hundreds of millions of URLs
  Give very fast access to the URL repository

Page 14

Session Hijacking

Successful filtering (the faked FIN arrives before the reply)
Client -> Server: Data (request)
Filtering -> Client: FIN L           (faked FIN)
Client -> Server: ACK L+1
Server -> Client: Data (reply)       (ignored)
Server -> Client: FIN M              (ignored)

Unsuccessful filtering (the reply arrives first)
Client -> Server: Data (request)
Server -> Client: Data (reply)       (delivered to the application)
Server -> Client: FIN M
Client -> Server: ACK M+1
Filtering -> Client: FIN L           (faked FIN; its sequence number L is now behind what the client has already acknowledged, so it is ignored)

The faked FIN has to reach the client before the server's reply. When the engine loses that race the page is delivered and the late FIN is discarded as an old duplicate, so the filter fails open rather than closed; keeping hijack activation fast (under 0.6 msec, page 20) is what makes the race winnable on a busy link.
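The race on this slide, as an added example (editor's illustration, not WebScreen or KSpider code): a small model of the client's TCP receive side that replays both orderings. It assumes the handshake sequence numbers of the slides (client SYN J, server SYN K, so the faked FIN's L is K+1) and a constructed HTTP reply; the receiver rules are the RFC 793 ones the argument depends on (a segment entirely before rcv_nxt is an old duplicate, and segment text arriving after an accepted FIN is never delivered).

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    """A server-to-client TCP segment as the client sees it (constructed)."""
    seq: int
    payload: bytes = b""
    fin: bool = False

    @property
    def length(self) -> int:
        # A FIN occupies one sequence number, like a SYN.
        return len(self.payload) + (1 if self.fin else 0)


@dataclass
class ClientReceiver:
    """Receive side of the client's connection after the three-way handshake."""
    rcv_nxt: int                   # next sequence number expected from the server
    state: str = "ESTABLISHED"
    delivered: bytes = b""         # bytes handed to the application
    log: list = field(default_factory=list)

    def receive(self, seg: Segment) -> str:
        # Everything before rcv_nxt is an old duplicate: dropped (an ACK would be sent).
        if seg.length == 0 or seg.seq + seg.length - 1 < self.rcv_nxt:
            self.log.append(f"seq {seg.seq}: stale, ignored")
            return "ignored"
        if self.state != "ESTABLISHED":
            # A FIN was already accepted; text after it never reaches the application
            # (RFC 793 CLOSE-WAIT processing; a real stack may also reset the connection).
            self.log.append(f"seq {seg.seq}: after FIN, ignored")
            return "ignored"
        if seg.seq != self.rcv_nxt:
            self.log.append(f"seq {seg.seq}: out of order, queued")
            return "queued"
        self.delivered += seg.payload
        self.rcv_nxt += seg.length
        if seg.fin:
            self.state = "CLOSE_WAIT"
        self.log.append(f"seq {seg.seq}: accepted")
        return "accepted"


def run_race(k: int, reply: bytes, fin_first: bool) -> ClientReceiver:
    """Replay the two page-14 scenarios. The engine derives L = K + 1 from the
    SYN/ACK it observed and spoofs a FIN with that sequence number."""
    client = ClientReceiver(rcv_nxt=k + 1)
    faked_fin = Segment(seq=k + 1, fin=True)          # injected by the filtering engine
    real_reply = Segment(seq=k + 1, payload=reply)    # sent by the real server
    order = [faked_fin, real_reply] if fin_first else [real_reply, faked_fin]
    for seg in order:
        client.receive(seg)
    return client


def filtered(client: ClientReceiver) -> bool:
    """True when no reply bytes reached the application."""
    return client.delivered == b""


if __name__ == "__main__":
    # Constructed sample: server ISN K = 1000 and a short HTTP reply.
    reply = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi"
    win = run_race(1000, reply, fin_first=True)
    lose = run_race(1000, reply, fin_first=False)
    print("faked FIN first:", "filtered" if filtered(win) else "delivered", win.log)
    print("reply first    :", "filtered" if filtered(lose) else "delivered", lose.log)
```

The model makes the two outcomes visible in the log: with the FIN first the client moves to CLOSE_WAIT and the reply is thrown away; with the reply first the client's rcv_nxt has already moved past L, so the faked FIN is exactly the "old duplicate" case and the page is delivered.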

Page 15

Keyword Capturing

[Figure: Client, Gateway, Filtering Engine, Internet, Black Lists; steps 1 to 5: the client's GET/PUT/POST request passes the gateway toward the Internet while a copy is captured by the filtering engine; the engine searches the black lists for the requested URL ("Matching ??") and, on a match, sends the faked FIN that hijacks the session]

Page 16

URL Management Technique

Key design
  URL compression techniques
  In-memory balanced tree of URLs
  Utilizes KSpider's core architecture (URL Manager module)

Benefits
  69% averaged compression ratio of URL length (currently supports a list of up to 268 million URLs in under 8 GB RAM)
  Almost linear access speed (10 microseconds on average)

Page 17

KSpider's Architecture

[Figure: block diagram; components as read from the diagram]

URL Manager: URL Buffer Queue, Scheduler, URL Storage Manager (on-disk and in-memory storage), Parallel DNS

URL Processor: URL Filter, Data Streamer, URL Extractor, URL Buffer Queue, Scheduler

Communicator: Cluster Communicator

Data Collector: URL Buffer Queue, Storage Manager, Data Compressor, Data Decompressor, HTTP Data Collector, Stats Collector, Storage; output to the online indexer and other processing, and to the Communicator

Page 18

URL Compression Technique

Prefix Balanced Search Tree

Input URLs
  http://www.lovely.com
  http://www.lion.com
  http://www.lovely12.com
  http://www.lovely11.net
  http://www.lower13.net

Webscreen List (index, shared-prefix length, stored suffix)
  0   -    http://www.lovely.com
  1   12   ion.com
  2   17   12.com
  3   18   1.net
  4   13   wer13.net

Each entry stores only the suffix that follows the prefix it shares with the entry it hangs off in the tree: entry 1 shares the 12 characters "http://www.l" with entry 0, entry 2 shares 17 characters ("http://www.lovely") with entry 0, entry 3 shares 18 characters with entry 2, and entry 4 shares the 13 characters "http://www.lo" with entry 3.
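The keyword-capturing step (page 15) and the compressed black list (pages 16 and 18), as one added example (editor's illustration, not the KSpider URL Manager): it pulls the requested URL out of a captured HTTP request segment, then looks it up in a sorted list that stores each URL as (shared-prefix length, suffix). The list layout is plain blocked front coding against the previous entry, with a restart point every few entries so a lookup is a binary search over the restart keys plus a short decode; that is a standard technique chosen for the illustration, not KSpider's balanced tree. The black list and the captured request are constructed for the example.

```python
import bisect
from typing import List, Optional, Tuple

METHODS = (b"GET", b"POST", b"PUT")


def request_url(packet: bytes) -> Optional[str]:
    """Return http://host/path for a captured request, or None if the payload is
    not the first segment of a GET/PUT/POST request (only these are inspected)."""
    head, _, _ = packet.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        return None
    target = parts[1].decode("latin-1")
    if target.startswith("http://"):          # absolute form, as sent to a proxy
        return target if "/" in target[7:] else target + "/"
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("latin-1").lower()
    if host is None:
        return None
    return f"http://{host}{target}"


class FrontCodedList:
    """Sorted black list stored as (shared_prefix_len, suffix) pairs. Every
    `block` entries the prefix length is forced to 0 (a restart point), so a
    lookup binary-searches the restart keys and decodes at most one block."""

    def __init__(self, urls: List[str], block: int = 4):
        self.block = block
        self.entries: List[Tuple[int, str]] = []
        self.restart_keys: List[str] = []
        prev = ""
        for i, url in enumerate(sorted(set(urls))):
            if i % block == 0:
                self.restart_keys.append(url)
                self.entries.append((0, url))
            else:
                n = 0
                while n < min(len(prev), len(url)) and prev[n] == url[n]:
                    n += 1
                self.entries.append((n, url[n:]))
            prev = url

    def stored_bytes(self) -> int:
        # One byte for the prefix length plus the suffix, per entry.
        return sum(1 + len(suffix) for _, suffix in self.entries)

    def decode_block(self, b: int) -> List[str]:
        out, prev = [], ""
        for n, suffix in self.entries[b * self.block:(b + 1) * self.block]:
            prev = prev[:n] + suffix
            out.append(prev)
        return out

    def contains(self, url: str) -> bool:
        b = bisect.bisect_right(self.restart_keys, url) - 1
        return b >= 0 and url in self.decode_block(b)


def compression_ratio(urls: List[str], fcl: FrontCodedList) -> float:
    """Fraction of the raw list bytes saved (the slides report 69% on 268M URLs)."""
    raw = sum(len(u) for u in set(urls))
    return 1 - fcl.stored_bytes() / raw


# Constructed black list: the page-18 URLs plus a few path variants.
BLACK_LIST = [
    "http://www.lovely.com/", "http://www.lion.com/", "http://www.lovely12.com/",
    "http://www.lovely11.net/", "http://www.lower13.net/",
    "http://www.lovely12.com/download/", "http://www.lovely12.com/download/setup.exe",
    "http://www.lion.com/login.php",
]
BLACK_LIST_INDEX = FrontCodedList(BLACK_LIST)

# Constructed capture of a client's first request segment.
SAMPLE_REQUEST = (b"GET /download/setup.exe HTTP/1.1\r\n"
                  b"Host: www.lovely12.com\r\nUser-Agent: x\r\n\r\n")


def should_hijack(packet: bytes) -> bool:
    """The matching step: is the captured request's URL on the black list?"""
    url = request_url(packet)
    return url is not None and BLACK_LIST_INDEX.contains(url)


if __name__ == "__main__":
    print(request_url(SAMPLE_REQUEST), should_hijack(SAMPLE_REQUEST))
    print(f"{compression_ratio(BLACK_LIST, BLACK_LIST_INDEX):.0%} of list bytes saved")
```

On this eight-entry list the front coding saves about half the bytes; the 69% on the slides comes from a far larger list where neighbouring URLs share much longer prefixes. The block size trades lookup time (one block decoded per lookup) against the bytes spent on uncompressed restart keys.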

Page 19

Agenda: Performance Facts

Page 20

Performance

[Chart: distribution of compressed URL length (bytes, 1 to 77) against percent found]
[Chart: distribution of time used (milliseconds, 1 to 43) against percent found]

Hijack activation: under 0.6 msec
Test record: 268 million URLs with 8 GB
Avg. search time: 10 µsec (350 µsec max with 268 million URLs)
Memory requirement: 34M URLs/GB

Performance collected on a Dell 2900, Intel Xeon 5160 (3 GHz)
69% compression ratio, with an average of 26.5 bytes per URL

Page 21

Agenda: Current Deployment

Page 22

Reference Site

[Figure: WebScreen agents attached to the international gateway links (Inter. GW, CAT Telecom): 3 Gbps, 2 Gbps, EtherChannel 2 Gbps, Ethernet 1 Gbps]

WebScreen Agent
  CPU: 2x dual-core Opteron 2.4 GHz; RAM: 8 GB; HD: SAS 146 GB
  Multiple links/interfaces: 8 gigabit links spanned to 8 gigabit interfaces in 4 machines
  In operation since December 2005

Page 23

Collected Statistics

Dropping rate: avg. 110 requests/s (9.5 M per day), peak 250 requests/s
4.6 Gbps aggregated traffic
1.6 M packets/s incoming packets
64 K packets/s HTTP request packets

Page 24

Agenda: Scalability Planning for 10Gbps

Page 25

Scalability Planning for 10Gbps

Solutions for a 10 Gbps link
  Deploy a traffic distribution device (1x10 Gbps to 10x1 Gbps)
  Currently under test with GigaVUE

[Figure: THAISARN / UNINET 10G links fed from switch mirror ports into GigaVUE1 and GigaVUE2, which fan each 10G feed out to 1G interfaces on the filtering servers; LAN side shown]

Typical servers can handle up to 800 Mbps bit rate per 1 Gbps interface, so a 1-to-10 split covers 8 Gbps of mirrored traffic; a fully loaded 10 Gbps link needs more server interfaces than that.

Page 26

Q&A

Page 27

Thank You