BotProbe - Botnet Traffic Capture Using IPFIX

Offered By: Security BSides London via YouTube

Course Description

Overview

Explore IPFIX and its application in botnet traffic capture through the BotProbe project in this 42-minute Security BSides London conference talk. Delve into the advantages of IPFIX over traditional packet capture methods, including its ability to capture traffic across layers 3-7 of the OSI model and achieve a 97% reduction in traffic volumes. Learn about the history of NetFlow, the development of IPFIX, and how its template extensibility enhances threat detection capabilities. Discover the potential applications of IPFIX in pre-event forensics, legal traffic interception, and improved traffic analysis times. Gain insights into botnet detection algorithms, the comparison between pcap and IPFIX, and the process of adapting capture methods for network big data scenarios.

Syllabus

Introduction
Outline
Background
Packet capture
Mirroring
Three drawbacks
What are the alternatives
NetFlow
How does it work
History lesson
IPFIX
IPFIX template
IPFIX is structured
Botnet detection algorithms
pcap vs IPFIX
Applications of IPFIX
IPFIX exporter
Adapt capture
Network big data
Template extensibility
Collaboration
Taught by

Security BSides London
