6th March, 2020
Telecommunications providers are migrating data backbones to 100GbE to carry increasing traffic volumes shared between multiple services and technologies such as mobile VoLTE, Virtual Network Functions (VNFs) and Software Defined Networking (SDN) infrastructure. Data is often exchanged through virtual tunnels, where threats can hide, which complicates detection and reduces network visibility and security.
Multiple tunnelling protocols, including IPinIP, MPLS, GRE and GTP, can be used. For example, the GPRS Tunnelling Protocol (GTP) is widely used in 3G, 4G and 5G Packet Core and Radio Access Networks, enabling roaming subscribers to maintain bi-directional data connections with the public internet.
Monitoring tunnels using Telesoft’s 200Gbps FlowProbe
Telesoft have added decode for IPinIP, MPLS, GRE and GTP to their 200Gbps FlowProbe, which now automatically detects and decodes data tunnels, generating un-sampled flow records for any tunnelled data it detects. This adds visibility of massive amounts of previously hidden network traffic in carrier-grade networks, helping with protection against attacks such as SMS fraud, malware, malformed GTP packets, DDoS, spoofing and overbilling. One of our engineers explains how the FlowProbe does this:
- “Packets arrive at the FlowProbe and are passed to an FPGA packet identifier that inspects the packet up to the transport layer (i.e. UDP, TCP, SCTP etc.). From this we determine the offset that points to the end of the transport layer, allowing extraction of the IP tunnel parameters.”
- “Using the identified offset, we then perform checks for a match with criteria for any of the supported tunnelling protocols”.
- “If a match is found, the packet is tagged with the protocol detected (this value populates the TunnelDetails IANA field).”
- “The packet is then passed through a byte stripper to remove the tunnel headers”.
- “The remaining bytes of the packet are parsed through a second packet identifier module to identify the tunnelled data”.
- “FPGA-formatted metadata packets are then passed to an IPFIX stack to create the output IPFIX records, which are now based on the flows within the tunnels.”
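The six steps above can be followed in software. The Python below is an added example, not Telesoft code or a description of the FlowProbe's FPGA logic: it walks an Ethernet frame to the end of the transport layer, matches that offset against IPinIP, GRE, GTP-U (UDP port 2152, a standard assignment) and an MPLS label stack, strips the tunnel header and re-identifies the inner packet as a 5-tuple, which is what a flow record keyed on the tunnelled traffic would carry. The `FlowRecord` type, the helper names and the sample frames are constructed for the example; the sample IP addresses and TEID/key values are arbitrary.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example: a software model of the tunnel-detection steps (not the FlowProbe's own logic).
GTP_U_PORT = 2152                         # GTP-U user-plane UDP port (standard assignment)
ETH_IPV4, ETH_MPLS = 0x0800, 0x8847
IP_IPIP, IP_TCP, IP_UDP, IP_GRE, IP_SCTP = 4, 6, 17, 47, 132

@dataclass
class FlowRecord:
    tunnel: Optional[str]                               # what a TunnelDetails-style field would hold
    outer: Optional[Tuple[str, str, int]]               # outer (src, dst, proto); None for MPLS
    inner: Optional[Tuple[str, str, int, int, int]]     # decapsulated 5-tuple, or None if not tunnelled

def _ip4(buf, off):
    """Parse the IPv4 header at off -> (src, dst, proto, header_len)."""
    ihl = (buf[off] & 0x0F) * 4
    if buf[off] >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    src = ".".join(map(str, buf[off + 12:off + 16]))
    dst = ".".join(map(str, buf[off + 16:off + 20]))
    return src, dst, buf[off + 9], ihl

def _ports(buf, l4):
    return struct.unpack_from("!HH", buf, l4)             # TCP/UDP/SCTP all start with src, dst port

def _transport_end(buf, ip_off):
    """Step 1: inspect up to the transport layer; return (proto, end-of-transport offset, dst port)."""
    _, _, proto, ihl = _ip4(buf, ip_off)
    l4 = ip_off + ihl
    if proto == IP_TCP:
        return proto, l4 + (buf[l4 + 12] >> 4) * 4, _ports(buf, l4)[1]
    if proto == IP_UDP:
        return proto, l4 + 8, _ports(buf, l4)[1]
    if proto == IP_SCTP:
        return proto, l4 + 12, _ports(buf, l4)[1]       # SCTP common header
    return proto, l4, None                               # IPinIP / GRE carry no transport header

def _match_tunnel(buf, proto, off, dport):
    """Steps 2-3: match the offset against the supported tunnels -> (name, inner IP offset)."""
    if proto == IP_IPIP:
        return "IPinIP", off                             # inner IP header starts immediately
    if proto == IP_GRE:
        flags, ptype = struct.unpack_from("!HH", buf, off)
        if ptype != ETH_IPV4:
            return None, None                            # only IPv4 payloads handled here
        # C (0x8000), K (0x2000) and S (0x1000) flags each add a 4-byte optional field
        hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        return "GRE", off + hlen
    if proto == IP_UDP and dport == GTP_U_PORT:
        flags, msg_type = buf[off], buf[off + 1]
        if flags >> 5 != 1 or msg_type != 0xFF:           # GTPv1 G-PDU is the only message carrying user data
            return None, None
        hlen = 8 + (4 if flags & 0x07 else 0)            # E/S/PN bits add the 4-byte optional field
        if flags & 0x04:                                 # E bit: walk the extension-header chain
            next_type = buf[off + hlen - 1]
            while next_type != 0:
                ext_len = buf[off + hlen] * 4            # length is in 4-octet units, incl. itself
                next_type = buf[off + hlen + ext_len - 1]
                hlen += ext_len
        return "GTP", off + hlen
    return None, None

def _inner_tuple(pkt):
    """Step 5: second packet identifier run over the stripped (decapsulated) bytes."""
    src, dst, proto, ihl = _ip4(pkt, 0)
    sport = dport = 0
    if proto in (IP_TCP, IP_UDP, IP_SCTP):
        sport, dport = _ports(pkt, ihl)
    return src, dst, proto, sport, dport

def decode(frame: bytes) -> FlowRecord:
    """Run the pipeline over one Ethernet frame and return the metadata a flow record would carry."""
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_MPLS:                            # the label stack itself is the tunnel
        while not (struct.unpack_from("!I", frame, off)[0] & 0x100):   # pop until bottom-of-stack bit
            off += 4
        off += 4
        return FlowRecord("MPLS", None, _inner_tuple(frame[off:]))
    if ethertype != ETH_IPV4:
        return FlowRecord(None, None, None)
    src, dst, proto, _ = _ip4(frame, off)
    proto, end, dport = _transport_end(frame, off)
    name, inner_off = _match_tunnel(frame, proto, end, dport)
    if name is None:
        return FlowRecord(None, (src, dst, proto), None)  # ordinary flow, no tunnel
    return FlowRecord(name, (src, dst, proto), _inner_tuple(frame[inner_off:]))  # step 4 strips, step 5 re-identifies

# --- constructed sample frames (checksums left as zero; nothing here validates them) ---
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _eth(ethertype, payload):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

INNER_UDP = _ipv4("10.0.0.1", "8.8.8.8", IP_UDP, _udp(40000, 53, b"query"))
INNER_TCP = _ipv4("192.168.1.5", "192.168.2.9", IP_TCP,
                  struct.pack("!HHIIBBHHH", 1234, 443, 0, 0, 0x50, 0x02, 0, 0, 0))
GTP_HDR = bytes([0x32, 0xFF]) + struct.pack("!HI", 4 + len(INNER_UDP), 0x12345678) + struct.pack("!HBB", 1, 0, 0)
SAMPLE_GTP = _eth(ETH_IPV4, _ipv4("172.16.0.2", "172.16.0.3", IP_UDP, _udp(GTP_U_PORT, GTP_U_PORT, GTP_HDR + INNER_UDP)))
SAMPLE_GRE = _eth(ETH_IPV4, _ipv4("1.1.1.1", "2.2.2.2", IP_GRE, struct.pack("!HHI", 0x2000, ETH_IPV4, 0xABCD) + INNER_TCP))
SAMPLE_IPIP = _eth(ETH_IPV4, _ipv4("1.1.1.1", "2.2.2.2", IP_IPIP, INNER_UDP))
SAMPLE_MPLS = _eth(ETH_MPLS, struct.pack("!II", (100 << 12) | 64, (200 << 12) | 0x100 | 64) + INNER_UDP)
SAMPLE_PLAIN = _eth(ETH_IPV4, INNER_UDP)

if __name__ == "__main__":
    for name, frame in [("gtp", SAMPLE_GTP), ("gre", SAMPLE_GRE), ("ipip", SAMPLE_IPIP),
                        ("mpls", SAMPLE_MPLS), ("plain", SAMPLE_PLAIN)]:
        print(name, decode(frame))
```

The GTP branch deliberately accepts only G-PDU (message type 0xFF) packets: control messages on the same port carry no user IP packet, and treating them as tunnels would produce bogus inner flows. Nested encapsulation (for example GRE inside an MPLS LSP) is not handled; a production decoder would loop the match/strip stage until no further tunnel header is found.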