DOCSLIB.ORG

Flow-Based Compromise Detection Rick Hofstede Graduation Committee

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Flow-Based Compromise Detection Rick Hofstede Graduation Committee Flow-based Compromise Detection Rick Hofstede Graduation Committee Chairman: Prof. dr. P.M.G. Apers Promotor: Prof. dr. ir. A. Pras Co-promotor: Prof. Dr. rer. nat. G. Dreo Rodosek Members: dr. A. Sperotto University of Twente, The Netherlands Prof. dr. P.H. Hartel University of Twente, The Netherlands Delft University of Technology, The Netherlands TNO Cyber Security Lab, The Netherlands Prof. dr. ir. L.J.M. Nieuwenhuis University of Twente, The Netherlands Prof. dr. ir. C.T.A.M. de Laat University of Amsterdam, The Netherlands Prof. dr. ir. H.J. Bos VU University, The Netherlands Prof. Dr. rer. nat. U. Lechner Universit¨atder Bundeswehr M¨unchen, Germany Prof. Dr. rer. nat. W. Hommel Universit¨atder Bundeswehr M¨unchen, Germany Funding sources EU FP7 UniverSelf { #257513 EU FP7 FLAMINGO Network of Excellence { #318488 EU FP7 SALUS { #313296 EIT ICT Labs { #13132 (Smart Networks at the Edge) SURFnet GigaPort3 project for Next-Generation Networks CTIT Ph.D. thesis series no. 16-384 Centre for Telematics and Information Technology CTIT P.O. Box 217 7500 AE Enschede, The Netherlands ISBN: 978-90-365-4066-7 ISSN: 1381-3617 DOI: 10.3990/1.9789036540667 http://dx.doi.org/10.3990/1.9789036540667 Typeset with LATEX. Printed by Gildeprint, The Netherlands. Cover design by David Young. This thesis is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 3.0 Unported License. http://creativecommons.org/licenses/by-nc-sa/3.0/ This thesis has been printed on paper certified by FSC (Forest Stewarding Council). FLOW-BASED COMPROMISE DETECTION THESIS to obtain the degree of doctor at the University of Twente, on the authority of the Rector Magnificus, prof. dr. H. Brinksma, on account of the decision of the graduation committee, to be publicly defended on Wednesday, June 29, 2016 at 16:45 by Richard Johannes Hofstede born on May 28, 1988 in Ulm, Germany. This thesis has been approved by: Prof. dr. ir. A. Pras (promotor) Prof. Dr. rer. nat. G. Dreo Rodosek (co-promotor) Acknowledgements The list of people that contributed in one way or another to this thesis is almost endless. To avoid that I forget to include anyone here in this acknowledgement, I simply want to thank anyone who worked with me during my career as a Ph.D. student. You have helped shaping this thesis to what it has become. Thank you! Rick Hofstede Diepenveen, May 29, 2016 vi Abstract Brute-force attacks are omnipresent and manyfold on the Internet, and aim at compromising user accounts by issuing large numbers of authentication attempts on applications and daemons. Widespread targets of such attacks are Secure SHell (SSH) and Web applications, for example. The impact of brute-force at- tacks and compromises resulting thereof is often severe: Once compromised, at- tackers gain access to remote machines, allowing those machines to be misused for all sorts of criminal activities, such as sharing illegal content and participating in Distributed Denial of Service (DDoS) attacks. While the number of brute-force attacks is ever-increasing, we have seen that only few brute-force attacks actually result in a compromise. Those compromised devices are however those that require attention by security teams, as they may be misused for all sorts of malicious activities. We therefore propose a new paradigm in this thesis for monitoring network security incidents: compromise detection. Compromise detection allows security teams to focus on what is really important, namely detecting those hosts that have been compromised instead of all hosts that have been attacked. Speaking metaphorically, one could say that we target scored goals, instead of just shots on goals. A straightforward approach for compromise detection would be host-based, by analyzing network traffic and log files on individual hosts. Although this typically yields high detection accuracies, it is infeasible in large networks; These networks may comprise thousands of hosts, controlled by many persons, on which agents need to be installed. In addition, host-based approaches lack a global attack view, i.e., which hosts in the same network have been contacted by the same attacker. We therefore take a network-based approach, where sensors are deployed at strategic observation points in the network. The traditional approach would be packet-based, but both high link speeds and high data rates make the deployment of packet-based approaches rather expensive. In addition, the fact that more and more traffic is encrypted renders the analysis of full packets useless. Flow-based approaches, however, aggregate individual packets into flows, providing major advantages in terms of scalability and deployment. The main contribution of this thesis is to prove that flow-based compromise detection is viable. Our approach consists of several steps. First, we select two target applications, Web applications and SSH, which we found to be important targets of attacks on the Internet because of the high impact of a compromise and their wide deployment. Second, we analyze protocol behavior, attack tools and attack traffic to better understand the nature of these attacks. Third, we viii develop software for validating our algorithms and approach. Besides using this software for our own validations (i.e., in which we use log files as ground-truth), our open-source Intrusion Detection System (IDS) SSHCure is extensively used by other parties, allowing us to validate our approach on a much broader basis. Our evaluations, performed on Internet traffic, have shown that we can achieve detection accuracies between 84% and 100%, depending on the protocol used by the target application, quality of the dataset, and the type of the monitored network. Also, the wide deployment of SSHCure, as well as other prototype de- ployments in real networks, have shown that our algorithms can actually be used in production deployments. As such, we conclude that flow-based compromise detection is viable on the Internet. Contents 1 Introduction1 1.1 Compromise Detection.........................4 1.2 Network Monitoring..........................6 1.3 Objective, Research Questions & Approach.............9 1.4 Contributions.............................. 12 1.5 Thesis Organization.......................... 13 I Generic Flow Monitoring 19 2 Flow Measurements 21 2.1 History & Context........................... 22 2.2 Flow Monitoring Architecture..................... 25 2.3 Packet Observation........................... 28 2.4 Flow Metering & Export........................ 34 2.5 Data Collection............................. 47 2.6 Lessons Learned............................ 50 2.7 Conclusions............................... 55 3 Flow Measurement Artifacts 57 3.1 Related Work.............................. 58 3.2 Case Study: Cisco Catalyst 6500................... 59 3.3 Experiment Setup........................... 60 3.4 Artifact Analysis............................ 61 3.5 Conclusions............................... 66 II Compromise Detection 69 4 Compromise Detection for SSH 71 4.1 Background............................... 73 4.2 SSH Attack Analysis.......................... 76 4.3 Detecting SSH Brute-force Attacks.................. 79 4.4 Analysis of Network Traffic Flatness................. 83 4.5 Including SSH-specific Knowledge................... 96 4.6 Conclusions............................... 104 x CONTENTS 5 Compromise Detection for Web Applications 107 5.1 Background............................... 109 5.2 Histograms for Intrusion Detection.................. 112 5.3 Detection Approach.......................... 117 5.4 Validation................................ 122 5.5 Conclusions............................... 127 III Resilient Detection 129 6 Resilient Detection 131 6.1 Background & Contribution...................... 132 6.2 DDoS Attack Metrics......................... 133 6.3 Detection Algorithms.......................... 135 6.4 Validation................................ 138 6.5 Feasibility................................ 144 6.6 Conclusions............................... 151 7 Conclusions 153 7.1 Research Questions........................... 153 7.2 Discussion................................ 157 Appendix: A Minimum Difference of Pair Assignment (MDPA) 161 A.1 Calculation............................... 161 A.2 Normalization.............................. 162 Appendix: B CMS Backend URLs 163 Bibliography 165 Acronyms 181 About the Author 185 CHAPTER 1 Introduction The Internet has become a critical infrastructure that facilitates most digital communications in our daily lives, such as banking traffic, secure communications and video calls. This makes the Internet a prime attack target for criminals, nation-states and terrorists, for example [61]. When it comes to attacks, we there are two different classes that regularly make it to the news, namely those that are volumetric and aim at overloading networks and systems, such as Distributed Denial of Service (DDoS) attacks, and those that are particularly sophisticated, such as Advanced Persistent Threats (APTs). This is also confirmed by [158], but interestingly enough, it also reports brute-force attacks to be among the Top-3 of network attacks on the Internet [158], as shown in Figure 1.1. Although these attacks exist already for years, their popularity is increasing evermore [145], [147]. One of the main targeted services of these attacks is Secure SHell (SSH), a powerful protocol that allows for controlling systems remotely. The compromise of a target immediately results in adversaries gaining unprivileged control and the impact
Load more

Recommended publications
  • Copyright Hbbtv 2017 All Rights Reserved Test Suite V9.2.0 Test Id
    Copyright HbbTV 2017 All Rights Reserved Test Suite v9.2.0 Test Id Vers Title Approved Assertion If subtitles are enabled and a broadband delivered FALSE es.tdthibrida_7D7C0040 1 Broadband DVB subtitles in a TS are displayed TS_AVC_SD_25_HEAAC stream containing DVB subtitles (Nordig) is being presented, those subtitles shall be displayed. If subtitles are enabled and a broadband delivered Broadband Teletext subtitles in a TS are FALSE TS_AVC_SD_25_HEAAC stream containing EBU Teletext es.tdthibrida_7D7C0050 1 displayed (Nordig) subtitles is being presented, those subtitles shall be displayed. When broadband delivered subtitles are being displayed FALSE es.tdthibrida_7D7C0060 1 Broadband Subtitles Below Application Graphics in an A/V control object, the subtitles shall be displayed (Nordig) behind the application graphics plane The terminal's user interface shall have a user option FALSE that controls whether auto-start applications are es.tdthibrida_7D7C0070 1 Auto-start applications enabled by default (Nordig) launched automatically, and when in its default manufacturer state this option shall be enabled When the receiver has its default manufacturer-set Application launching with network connection FALSE configuration and the terminal is tuned to a service fr.hdforum_00151000 2 available (Nordig) carrying an AIT signalling one AUTOSTART broadband application, the terminal shall start that application Terminal shall provide an EXIT or TV or comparable FALSE fr.hdforum_00151240 1 EXIT function is provided by receiver button either on a remote control or another control (Nordig) interface. Termination of autostart application using EXIT FALSE Terminal shall terminate a running autostart application fr.hdforum_00151250 1 function (Nordig) when the EXIT function (or equivalent) is used.
    [Show full text]
  • Elastic Load Balancing Application Load Balancers Elastic Load Balancing Application Load Balancers
    Elastic Load Balancing Application Load Balancers Elastic Load Balancing Application Load Balancers Elastic Load Balancing: Application Load Balancers Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. Elastic Load Balancing Application Load Balancers Table of Contents What is an Application Load Balancer? .................................................................................................. 1 Application Load Balancer components ......................................................................................... 1 Application Load Balancer overview ............................................................................................. 2 Benefits of migrating from a Classic Load Balancer ........................................................................ 2 Related services ......................................................................................................................... 3 Pricing ...................................................................................................................................... 3 Getting started .................................................................................................................................
    [Show full text]
  • PID Service – an Advanced Persistent Identifier Management Service for the Semantic Web
    21st International Congress on Modelling and Simulation, Gold Coast, Australia, 29 Nov to 4 Dec 2015 www.mssanz.org.au/modsim2015 PID Service – an advanced persistent identifier management service for the Semantic Web P. Golodoniuc a, N. J. Car b, S. J. D. Cox c, and R. A. Atkinson d a CSIRO Mineral Resources Flagship, Kensington, WA, Australia b CSIRO Land & Water Flagship, Dutton Park, QLD, Australia c CSIRO Land & Waters Flagship, Highett, VIC, Australia d Metalinkage, Wollongong, NSW, Australia Email: [email protected] Abstract: Persistent identifiers are an integral part of the Semantic Web and Linked Data applications: they enable the stable identification of digital objects and may be used as a top-level application programming interface (API) to bind multiple representations of digital objects into a single, coherent, data model. In addition to these technical tasks, persistent identifiers and their management are of prime concern for the governance of Domain Name System (DNS)-based domains containing output from multiple parties that need to ensure identifier uniqueness as their first order of operation. Our contribution to solutions for the technical and governance challenges posed by identity management is the PID Service – a persistent identity service – which is a web service offering advanced persistent identifier management with features not found in proxy servers and other web redirection products. The PID Service is able to store and implement large numbers of complex Uniform Resource Indicator (URI) redirection rules and handle related sets of rules according to rule hierarchies. This, combined with a web-based graphical user interface and database rule storage, allows users of the PID Service to far more easily manage large numbers of complex rules within a domain avoiding rule collision and specialised partial URI delegation.
    [Show full text]
  • TR-069 CPE WAN Management Protocol V1.1
    TECHNICAL REPORT TR-069 CPE WAN Management Protocol v1.1 Version: Issue 1 Amendment 2 Version Date: December 2007 © 2007 The Broadband Forum. All rights reserved. CPE WAN Management Protocol v1.1 TR-069 Issue 1 Amendment 2 Notice The Broadband Forum is a non-profit corporation organized to create guidelines for broadband network system development and deployment. This Technical Report has been approved by members of the Forum. This document is not binding on the Broadband Forum, any of its members, or any developer or service provider. This document is subject to change, but only with approval of members of the Forum. This document is provided "as is," with all faults. Any person holding a copyright in this document, or any portion thereof, disclaims to the fullest extent permitted by law any representation or warranty, express or implied, including, but not limited to, (a) any warranty of merchantability, fitness for a particular purpose, non-infringement, or title; (b) any warranty that the contents of the document are suitable for any purpose, even if that purpose is known to the copyright holder; (c) any warranty that the implementation of the contents of the documentation will not infringe any third party patents, copyrights, trademarks or other rights. This publication may incorporate intellectual property. The Broadband Forum encourages but does not require declaration of such intellectual property. For a list of declarations made by Broadband Forum member companies, please see www.broadband-forum.org. December 2007 © The Broadband
    [Show full text]
  • Universal Worker Service Pattern Version 1.0
    Universal Worker Service Specification I nternational V irtual O bservatory A lliance Universal Worker Service Pattern Version 1.0 IVOA Proposed Recommendation 2010-09-08 Working Group: http://www.ivoa.net/twiki/bin/view/IVOA/IvoaGridAndWebServices This version: http://www.ivoa.net/Documents/PR/GWS/PR-UWS-1.0-20100210.html Latest version: http://www.ivoa.net/Documents/UWS/ Previous version(s): Internal Working Draft v0.1, 2005-01-24 Internal Working Draft v0.2, 2006-05-11 Internal Working Draft v0.3, 2007-04-26 Internal Working Draft v0.4, 2008-05-10 Internal Working Draft v0.5, 2008-10-08 Internal Working Draft v0.9, 2009-10-08 Public Working Draft v1.0, 2009-08-27 Proposed Recommendation v1.0, 2009-09-09 Proposed Recommendation v1.0, 2010-02-10 Author(s): P. Harrison, G. Rixon Abstract The Universal Worker Service (UWS) pattern defines how to manage asynchronous execution of jobs on a service. Any application of the pattern defines a family of related services with a common service contract. Possible uses of the pattern are also described. - 1 - Universal Worker Service Specification Status of This Document This document is produced by the GWS-WG. The first release of this document was on 2005-01-24 within the working group. This is an IVOA Proposed Recommendation made available for public review. Comments on this document should be posted at the RFC page http://www.ivoa.net/cgi-bin/twiki/bin/view/IVOA/ UWSV1RFC or can be sent to the Grid and Web Services Working Group via [email protected].
    [Show full text]
  • Alibaba Cloud
    AAlliibbaabbaa CClloouudd Alibaba Cloud SSerrvveer rL oLaoda Bda laBnaclearncer ListLeinsetresners Document Version: 20210922 Document Version: 20210922 Server Load Balancer List eners·Legal disclaimer Legal disclaimer Alibaba Cloud reminds you t o carefully read and fully underst and t he t erms and condit ions of t his legal disclaimer before you read or use t his document . If you have read or used t his document , it shall be deemed as your t ot al accept ance of t his legal disclaimer. 1. You shall download and obt ain t his document from t he Alibaba Cloud websit e or ot her Alibaba Cloud- aut horized channels, and use t his document for your own legal business act ivit ies only. The cont ent of t his document is considered confident ial informat ion of Alibaba Cloud. You shall st rict ly abide by t he confident ialit y obligat ions. No part of t his document shall be disclosed or provided t o any t hird part y for use wit hout t he prior writ t en consent of Alibaba Cloud. 2. No part of t his document shall be excerpt ed, t ranslat ed, reproduced, t ransmit t ed, or disseminat ed by any organizat ion, company or individual in any form or by any means wit hout t he prior writ t en consent of Alibaba Cloud. 3. The cont ent of t his document may be changed because of product version upgrade, adjust ment , or ot her reasons. Alibaba Cloud reserves t he right t o modify t he cont ent of t his document wit hout not ice and an updat ed version of t his document will be released t hrough Alibaba Cloud-aut horized channels from t ime t o t ime.
    [Show full text]
  • Browser Interoperability Requirements Approved Version 1.0 – 31 Mar 2008
    Browser Interoperability Requirements Approved Version 1.0 – 31 Mar 2008 Open Mobile Alliance OMA-RD-BrowserInteroperability-V1_0-20080331-A 2008 Open Mobile Alliance Ltd. All Rights Reserved. Used with the permission of the Open Mobile Alliance Ltd. under the terms as stated in this document. [OMA-Template-Spec-20080101-I] OMA-RD-BrowserInteroperability-V1_0-20080331-A Page 2 (49) Use of this document is subject to all of the terms and conditions of the Use Agreement located at http://www.openmobilealliance.org/UseAgreement.html. Unless this document is clearly designated as an approved specification, this document is a work in process, is not an approved Open Mobile Alliance™ specification, and is subject to revision or removal without notice. You may use this document or any part of the document for internal or educational purposes only, provided you do not modify, edit or take out of context the information in this document in any manner. Information contained in this document may be used, at your sole risk, for any purposes. You may not use this document in any other manner without the prior written permission of the Open Mobile Alliance. The Open Mobile Alliance authorizes you to copy this document, provided that you retain all copyright and other proprietary notices contained in the original materials on any copies of the materials and that you comply strictly with these terms. This copyright permission does not constitute an endorsement of the products or services. The Open Mobile Alliance assumes no responsibility for errors or omissions in this document. Each Open Mobile Alliance member has agreed to use reasonable endeavours to inform the Open Mobile Alliance in a timely manner of Essential IPR as it becomes aware that the Essential IPR is related to the prepared or published specification.
    [Show full text]
  • Memento: Time Travel for the Web
    Memento: Time Travel for the Web Herbert Van de Sompel Michael L. Nelson Robert Sanderson Los Alamos National Old Dominion University, Los Alamos National Laboratory, NM, USA Norfolk, VA, USA Laboratory, NM, USA [email protected] [email protected] [email protected] Lyudmila L. Balakireva Scott Ainsworth Harihar Shankar Los Alamos National Old Dominion University, Los Alamos National Laboratory, NM, USA Norfolk, VA, USA Laboratory, NM, USA [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION The Web is ephemeral. Many resources have representa- \The web does not work," my eleven year old son com- tions that change over time, and many of those represen- plained. After checking power and network connection, I tations are lost forever. A lucky few manage to reappear realized he meant something rather more subtle. The URI as archived resources that carry their own URIs. For ex- (http://stupidfunhouse.com) he had bookmarked the year ample, some content management systems maintain version before returned a page that didn't look like the original at pages that reflect a frozen prior state of their changing re- all, and definitely was not fun. He had just discovered that sources. Archives recurrently crawl the web to obtain the the web has a terrible memory. actual representation of resources, and subsequently make Let us restate the obvious: the Web is the most pervasive those available via special-purpose archived resources. In information environment in the history of humanity; hun- both cases, the archival copies have URIs that are protocol- dreds of millions of people1 access billions of resources2 using wise disconnected from the URI of the resource of which a variety of wired or wireless devices.
    [Show full text]
  • TR-069: CPE WAN Management Protocol
    TECHNICAL REPORT TR-069 CPE WAN Management Protocol Issue: Amendment 6 Corrigendum 1 Issue Date: June 2020 CWMP Version: 1.4 © Broadband Forum. All rights reserved. CPE WAN Management Protocol TR-069 Issue Amendment 6 Corrigendum 1 Notice The Broadband Forum is a non-profit corporation organized to create guidelines for broadband network system development and deployment. This Technical Report has been approved by members of the Forum. This Technical Report is subject to change. This Technical Report is owned and copyrighted by the Broadband Forum, and all rights are reserved. Portions of this Technical Report may be owned and/or copyrighted by Broadband Forum members. Intellectual Property Recipients of this Technical Report are requested to submit, with their comments, notification of any relevant patent claims or other intellectual property rights of which they may be aware that might be infringed by any implementation of this Technical Report, or use of any software code normatively referenced in this Technical Report, and to provide supporting documentation. Terms of Use 1. License Broadband Forum hereby grants you the right, without charge, on a perpetual, non- exclusive and worldwide basis, to utilize the Technical Report for the purpose of developing, making, having made, using, marketing, importing, offering to sell or license, and selling or licensing, and to otherwise distribute, products complying with the Technical Report, in all cases subject to the conditions set forth in this notice and any relevant patent and other intellectual property rights of third parties (which may include members of Broadband Forum). This license grant does not include the right to sublicense, modify or create derivative works based upon the Technical Report except to the extent this Technical Report includes text implementable in computer code, in which case your right under this License to create and modify derivative works is limited to modifying and creating derivative works of such code.
    [Show full text]
  • Payment by Token - Recurring Payment
    COLLECTING SOLUTION Payment by token - Recurring payment Implementation Guide Document version 3.11 Contents 1. HISTORY OF THE DOCUMENT.......................................................................................................4 2. OBTAINING HELP...............................................................................................................................6 3. PRESENTATION OF THE SERVICE.................................................................................................7 3.1. Uniqueness of registered payment methods............................................................................................... 8 4. COMPATIBLE PAYMENT METHODS...........................................................................................10 5. TOKEN SHARING.............................................................................................................................13 6. MANAGING TOKENS VIA THE PAYMENT FORM.................................................................... 14 6.1. Creating a token without payment............................................................................................................15 6.2. Updating token details...............................................................................................................................16 6.3. Creating a token during a payment...........................................................................................................17 6.4. Creating a token during a recurring payment...........................................................................................18
    [Show full text]
  • Kernel HTTPS/TCP/IP Stack for HTTP Ddos Mitigation
    Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies, Inc. [email protected] Who am I? CEO & CTO at Tempesta Technologies (Seattle, WA) Developing Tempesta FW – open source Linux Application Delivery Controller (ADC) Custom software development in: ● high performance network traffic processing e.g. WAF mentioned in Gartner magic quadrant ● Databases e.g. MariaDB SQL System Versioning https://github.com/tempesta-tech/mariadb https://m17.mariadb.com/session/technical-preview-temporal- querying-asof HTTPS challenges HTTP(S) is a core protocol for the Internet (IoT, SaaS, Social networks etc.) HTTP(S) DDoS is tricky ● Asymmetric DDoS (compression, TLS handshake etc.) ● A lot of IP addresses with low traffic ● Machine learning is used for clustering ● How to filter out all HTTP requests with “Host: www.example.com:80”? ● "Lessons From Defending The Indefensible": https://www.youtube.com/watch?v=pCVTEx1ouyk TCP stream filter IPtables strings, BPF, XDP, NIC filters ● HTTP headers can cross packet bounds ● Scan large URI or Cookie for Host value? Web accelerator ● aren’t designed (suitable) for HTTP filtering IPS vs HTTP DDoS e.g. Suricata, has powerful rules syntax at L3-L7 Not a TCP end point => evasions are possible SSL/TLS SSL terminator is required => many data copies & context switches or double SSL processing (at IDS & at Web server) Double HTTP parsing Doesn’t improve Web server peroformance (mitigation != prevention) Interbreed an HTTP accelerator and a firewall TCP & TLS end point Very fast
    [Show full text]
  • Troubleshoot Catalyst 9800 Wireless Controllers Serviceability Enhancements of the New Platform
    BRKEWN-3013 Troubleshoot Catalyst 9800 Wireless Controllers Serviceability enhancements of the new platform Nicolas Darchis, CX Technical Leader Session objectives • Understand the Catalyst 9800 WLC architecture in order to be able to know when to use which troubleshooting tool • software • hardware • relationship between these two • Understand how features process packets through IOS-XE • Understand how to easily debug the platform • presentation of recent serviceability enhancements • spare memorizing – focus on understanding • not “tips & tricks” but debugging strategy and tools BRKEWN-3013 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Introduction • C9800 general architecture • Hardware • Software • Life of a packet • IOS-XE logging architecture • General concepts • Logging features and techniques (multiple parts) • Packet captures and tracing • Useful commands and tools • Conclusion BRKEWN-3013 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Introduction • 1-2 years serviceability effort (and • Sudha Katgeri, US TAC TL more to come) • Nicolas Darchis, EMEA TAC TL • Testing and feedback since 16.7 code • Patnership with BU escalation (internal only) and engineering Tech Leads • TAC involved in serviceability requests 2 releases in advance • Cross-technology partnership within TAC and between BUs BRKEWN-3013 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Introduction Instructions unclear, got stuck in washing machine Debugging process is extremely different… …for the better ! … …once you understand why ! BRKEWN-3013 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Introduction • Serviceability is a journey with a clear destination … that is not yet in sight • Cisco AND customers want less TAC cases and faster/easier TAC cases BRKEWN-3013 © 2019 Cisco and/or its affiliates.
    [Show full text]