How to lower the price of data retention for an ISP

Title

What helped an ISP comply with the national data retention policy at low cost across a complex network of 130+ sites with NAT translation

Situation

Most countries oblige their internet service providers to collect forensic data on who is communicating with whom. In practice this usually means netflow data. The mandatory data retention period for operators ranges from 6 months to 5 years, depending on the country.

What is the challenge for an operator in complying with the national policy?

Challenge

There are several challenges, and all of them applied to this operator:

  • In order to identify the customer responsible for a communication, an operator has to consider NAT translation – there can be many private IP addresses behind one public IP address.
  • Architectures differ a lot among operators – some operate quite diverse networks with many PoPs in many regions. In this case, there were 130+ individual, isolated sites, each with its own NAT router.
  • Routers can be from various vendors and run various firmware versions.
  • The traffic of a small ISP amounts to about 10K flows per second; large operators reach up to 1M flows/s.
  • Storing the netflow data for this much traffic is demanding.

Solution

The ISP implemented the following solution to comply with the data retention policy:

  • The operator set up export of netflow (private traffic) from the 130+ routers.
  • In addition, FLOWCUTTER probes were installed at the perimeter to monitor public traffic.
  • Netflow data streams were continually sent to the central collector running FLOWCUTTER software.
  • FLOWCUTTER supports all the incoming flow formats: NF5/8/IPFIX.
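
A sketch of the NAT-aware lookup such a retention store has to answer, as an added example (not FLOWCUTTER code and not part of the original case study): given a public IP, port and time, find the private address behind the NAT. The record layout, site name and addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class NatFlow:
    site: str          # which of the isolated sites exported the record
    start: datetime
    end: datetime
    private_ip: str    # pre-NAT source (the customer)
    public_ip: str     # post-NAT source as seen on the internet
    public_port: int   # post-NAT source port
    proto: int         # 6 = TCP, 17 = UDP

def t(hms: str) -> datetime:
    """Timestamp on a constructed sample day; everything is UTC."""
    return datetime.fromisoformat(f"2024-03-01T{hms}+00:00")

# Constructed records: two customers share one public IP, and public port
# 40001 is reused by a different customer later the same morning.
FLOWS = [
    NatFlow("site-017", t("10:00:00"), t("10:05:00"), "10.17.0.21", "203.0.113.10", 40001, 6),
    NatFlow("site-017", t("10:02:00"), t("10:03:00"), "10.17.0.45", "203.0.113.10", 40002, 6),
    NatFlow("site-017", t("10:20:00"), t("10:21:00"), "10.17.0.45", "203.0.113.10", 40001, 6),
]

def candidates(flows, public_ip, when, proto, public_port=None, skew_s=2):
    """Records whose post-NAT tuple matches and whose lifetime covers `when`.
    `skew_s` tolerates small clock differences between exporters."""
    slack = timedelta(seconds=skew_s)
    return [f for f in flows
            if f.public_ip == public_ip and f.proto == proto
            and (public_port is None or f.public_port == public_port)
            and f.start - slack <= when <= f.end + slack]

def attribute(flows, public_ip, when, proto, public_port=None) -> Optional[NatFlow]:
    """Return a matching record only if exactly one customer fits, else None."""
    hits = candidates(flows, public_ip, when, proto, public_port)
    customers = {(f.site, f.private_ip) for f in hits}
    return hits[0] if len(customers) == 1 else None

if __name__ == "__main__":
    print(attribute(FLOWS, "203.0.113.10", t("10:02:30"), 6, 40001))
    print(attribute(FLOWS, "203.0.113.10", t("10:02:30"), 6))  # ambiguous without port
```

Without the public port, or with timestamps coarser than the NAT session lifetime, the same query matches several customers, which is why the retained records need the translated port and accurate exporter clocks.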

Results

The project was successfully delivered and all the expectations were met. Correct sizing of the project ensured the ISP would be able to store the data for the necessary period for another 3 to 5 years.

Compared to competing projects, the solution including FLOWCUTTER cut the price tag by 75%. Thanks to its versatility and broad compatibility, the operator was able to leverage its own resources instead of buying a complete solution from scratch.



Resources

  • Network probes
  • Flow formats & compatibility
  • Hardware appliance
  • Flows compression ratio

Takeaway

The project was successfully delivered and expectations were met.

In addition, the total price tag was lowered by 75%.

How a call center can deal faster with difficult customers

Title

A complaining customer handled with ease, with context from traffic telemetry at the ISP’s fingertips

Situation

Most calls to an operator's support line are easy to deal with (missed payment, etc.). However, a few calls generate the majority of the support team's effort and time, especially technical support calls.

One of those recurrently complaining customers called his ISP's support line. John, as always, complained that the internet didn’t work and that he needed it for work, e.g. online meetings (via Teams/Meet/Zoom).

Challenge

A technical support person is not always an over-paid network admin. Ruling out operator faults when the “internet’s not working” is not trivial and consumes time.

How to speed up dealing with such calls?

Solution

The goal is to help technical support personnel get the customer’s traffic context easily and fast.

  • The ISP had to collect and store netflow – traffic telemetry including NAT IP address translation – to see individual customers' behavior: a perfect job for the FLOWCUTTER collector.
  • With FLOWCUTTER, an administrator can provide a user-friendly dashboard to the support team.
  • When a customer calls, the support agent enters the customer’s IP into the dashboard box and within a second can see and understand the basic behavior of the calling customer.

Results

From the dashboard, even a less technical guy/gal can determine that an issue is not on the operator’s side but on the customer’s. For example, he/she can give answers such as:

1. Not working? I can see a lot of traffic passing down your line from TikTok (AS13869). Maybe someone at home is secretly watching videos instead of doing their homework.

2. Not working? But I can see a big upload/download with China. Are you sure that the camera system you bought from Aliexpress is secure?

There are more examples of what can be revealed within seconds about the customer:

  • Upload/download
  • Ports and protocols related to specific services: ftp, telnet, ssh
  • IP is blacklisted
  • Communication with a botnet
  • Open ports and vulnerabilities visible from outside
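
The kind of per-customer summary described above, as an added example rather than FLOWCUTTER's dashboard or code. The flow tuples, AS labels and blocklist are constructed, and flows are assumed to be already mapped back to the customer's private IP.

```python
from collections import Counter

SERVICES = {21: "ftp", 22: "ssh", 23: "telnet"}   # services named in the list above

# Constructed reputation list and flow records (documentation IP/AS ranges).
BLOCKLIST = {"192.0.2.66"}
# (src_ip, dst_ip, src_port, dst_port, bytes, peer_as)
FLOWS = [
    ("198.51.100.7", "10.17.0.21", 443, 50111, 900_000_000, "AS64500 example-video"),
    ("10.17.0.21", "198.51.100.7", 50111, 443, 20_000_000, "AS64500 example-video"),
    ("192.0.2.66", "10.17.0.21", 40022, 23, 4_000, "AS64501 example-hosting"),
    ("10.17.0.21", "192.0.2.99", 50200, 443, 300_000_000, "AS64502 example-cloud"),
    ("10.17.0.45", "198.51.100.7", 50300, 443, 1_000, "AS64500 example-video"),
]

def summarise(flows, customer_ip):
    """Build the per-customer view a support agent would read during a call."""
    up = down = 0
    by_as = Counter()
    services, listed = set(), set()
    for src, dst, sport, dport, nbytes, peer_as in flows:
        if src == customer_ip:
            up += nbytes
            peer, direction = dst, "outbound"
        elif dst == customer_ip:
            down += nbytes
            peer, direction = src, "inbound"
        else:
            continue                      # another customer's traffic
        by_as[peer_as] += nbytes
        if dport in SERVICES:             # destination port identifies the service
            services.add(f"{SERVICES[dport]} {direction}")
        if peer in BLOCKLIST:
            listed.add(peer)
    return {
        "upload_bytes": up,
        "download_bytes": down,
        "top_as": by_as.most_common(1)[0][0] if by_as else None,
        "services": sorted(services),     # "inbound" means the customer is the server
        "listed_peers": sorted(listed),
    }

if __name__ == "__main__":
    print(summarise(FLOWS, "10.17.0.21"))
```

An inbound telnet flow from a listed peer, as in the constructed data, points to an exposed device on the customer's side rather than an operator fault.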

Resources

  • Netflow analysis in Grafana – “single host IP” dashboard
  • SNMP vs Flow telemetry
  • IP reputation
  • AS and country of traffic origin
  • Flows with NAT IP address translation to see individual customers' behavior

Takeaway

An ISP support line can be overwhelmed by calls regarding technical issues. The first step is to rule out mistakes on the customer’s side, where the operator cannot influence things.

This is where FLOWCUTTER can help technical support personnel by providing the customer’s traffic context.

  1. Provide a user-friendly dashboard to the support team
  2. Upon a call, the operator can see and understand the basic behavior of the calling customer