VELOCITY : A NetFlow Based Optimized Geo-IP Lookup Tool

Abstract

It is a challenging task for network administrators to monitor their institution's network against undesirable behavior. While NetFlow is useful to gather flow-level data for any Internet connection, its feature is limited to traditional flow-level information such as source IP address, destination IP address, source port number, destination port number, and the protocol type. Thus, if we are to understand geographic dynamics of any flow connected to hosts at an institution from the outside world, it is not currently possible with NetFlow. To address for geo-location information of such flows, we developed the tool, VELOCITY. This tool allows to correlate IP addresses with geo-location information to visualize geo-location of incoming and outgoing flows. The VELOCITY tool consists of four different methods, with increasing order of efficiency of the methods. We found that Method 3 outperforms Methods 1 and 2 in case of filling database with geographical data for the first time. Method 4, which is an extension of Method 3, finds geographical information for IP addresses that are not present in the currently populated database, thereby providing a more optimized approach than Method 3 for incremental flow data. Furthermore, for visualization and near real time experience, we also developed a web application that displays geographical information of IP address of flows on Google maps.