Why do you use Netflow

2003-08-19 Thread lance_tatman

Are operators frequently using netflow nowadays?  I assume that if you are, you turn
it on only for some limited duration to collect your data and then go back and do
your analysis.  Is this assumption correct?

What are you looking at when you analyze this data?  I've seen uses such as
top 10 destination AS's for peering evaluations.  What else?  Billing?

-Lance-

RE: Why do you use Netflow

2003-08-19 Thread Mark Borchers

> What are you looking at when you analyze this data?  I've
> seen uses such as top 10 destination AS's for peering
> evaluations.  What else?  Billing?
>
> -Lance-

Also to get some application-specific bandwidth utilization
numbers.

Re: Why do you use Netflow

2003-08-19 Thread Jack Bates
[EMAIL PROTECTED] wrote:

> Are operators frequently using netflow nowadays?  I assume that if you are, you turn
> it on only for some limited duration to collect your data and then go back and do
> your analysis.  Is this assumption correct?

Netflow overhead is relatively low considering what it does. I keep mine
on at peering points.

> What are you looking at when you analyze this data?  I've seen uses such as
> top 10 destination AS's for peering evaluations.  What else?  Billing?

Number one use for netflow, scan detections. I detect most users
infected with a virus before remote networks can auto-gen a report. I
also detect mail being sent from various customer machines. High volume
traffic flags me so I can investigate if it's spam or not.

I can tell you (well, I won't without a court order, but I could) the 
username, or customer name (if static), of every worm infected user on 
my network at any given point in time. 50+ inactive flows for an IP 
address is definite worm sign. If you want to be more specific, do 
sequential scan checks on the flow data. Has been very useful in dealing 
with Blaster.

Netflow is particularly useful when utilizing NAT, as it's much easier
to collect netflow data than translation tables.

On a cold, boring day, you can set up aggregates and generate cute little
statistics for all sorts of things, and I hear it's useful in some
scenarios.

-Jack
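
The two rules of thumb in the post above (50 or more flows from one address, then a sequential-scan check on those flows) can be run over exported flow records directly. The script below is an added example written for this thread, not code from the original post or from any flow collector; the flow records, the 50-flow threshold and the run length of 8 consecutive destination addresses are constructed assumptions.

```python
"""Flag hosts whose flow pattern looks like worm scanning.

Added example (not code from the original thread). It applies the two
rules of thumb from the post above to a constructed batch of
NetFlow-style records:
  1. 50 or more flows from one source address in the batch
  2. among those flows, runs of sequentially increasing destination
     addresses on one port (a "sequential scan check")
The records, the 50-flow threshold and the run length of 8 are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    bytes: int


FLOW_THRESHOLD = 50   # the "50+ inactive flows for an IP address" rule of thumb
SEQ_RUN_LENGTH = 8    # consecutive destinations that count as a sweep (assumption)


def flows_by_source(flows):
    """Group flow records by source address."""
    groups = defaultdict(list)
    for f in flows:
        groups[f.src].append(f)
    return groups


def sequential_runs(flows, run_length=SEQ_RUN_LENGTH):
    """Return (dport, first_dst, run) for every run of >= run_length
    consecutive destination addresses seen on one destination port."""
    by_port = defaultdict(set)
    for f in flows:
        by_port[f.dport].add(int(IPv4Address(f.dst)))
    runs = []
    for dport, addrs in by_port.items():
        ordered = sorted(addrs)
        start = 0
        for i in range(1, len(ordered) + 1):
            # a run ends at the list end or where the next address is not +1
            if i == len(ordered) or ordered[i] != ordered[i - 1] + 1:
                run = i - start
                if run >= run_length:
                    runs.append((dport, str(IPv4Address(ordered[start])), run))
                start = i
    return runs


def suspect_hosts(flows, flow_threshold=FLOW_THRESHOLD):
    """Return {src: {"flows": n, "sequential": [...]}} for sources at or
    above the flow threshold; the sequential check only runs on those."""
    report = {}
    for src, group in flows_by_source(flows).items():
        if len(group) >= flow_threshold:
            report[src] = {"flows": len(group), "sequential": sequential_runs(group)}
    return report


# Constructed sample: one host sweeping 192.0.2.0/24 on tcp/135 (the RPC port
# Blaster used) with one-packet flows, plus a normal host with a few web flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", f"192.0.2.{i}", 6, 135, 1, 48) for i in range(1, 61)
] + [
    Flow("198.51.100.9", "203.0.113.10", 6, 80, 40, 38000),
    Flow("198.51.100.9", "203.0.113.11", 6, 443, 25, 21000),
    Flow("198.51.100.9", "203.0.113.50", 17, 53, 2, 160),
]

if __name__ == "__main__":
    for src, info in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{src}: {info['flows']} flows")
        for dport, first, run in info["sequential"]:
            print(f"  sequential sweep on port {dport} starting at {first}, {run} hosts")
```

On a real export the batch would be one collection interval; the flow count alone catches the noisy infected host, and the sequential check separates a sweep from a busy but legitimate server that simply talks to many peers.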



Re: Why do you use Netflow

2003-08-19 Thread Jared Mauch

On Tue, Aug 19, 2003 at 12:55:33PM -0700, [EMAIL PROTECTED] wrote:
>
> Are operators frequently using netflow nowadays?  I assume that if you are, you turn
> it on only for some limited duration to collect your data and then go back and do
> your analysis.  Is this assumption correct?
>
> What are you looking at when you analyze this data?  I've seen uses such as
> top 10 destination AS's for peering evaluations.  What else?  Billing?

i've seen netflow used in a few situations:

1) it's actually kinda useful for DoS situations, you can easily
look at the data flowing through the router and get some general idea
of what the traffic looks like without a fancy sniffer, etc. You can
also do sh ip ca flow | inc K to see large flows which are useful
in a flooding situation.

2) i personally use netflow on my home network (with the max cache
size) to get an idea of what was going on a few minutes ago.  i have
a low enough set of traffic that this works.

3) i've seen others use netflow for peering analysis in the past
but with transit costs so low, and other things unless you're peering
now it's not really worthwhile to try and get into that marketspace
as there's not a lot of money to be made.

4) i've seen people feed the netflow data into various sql based
systems for analysis.  this allows them to track trends, any large
upticks in traffic (proto0, proto255, icmp, tcp/445 tcp/135) they are
seeing on their network and generate alerts if it exceeds some pre-existing
thresholds.

you can always do more interesting things, the problem comes in
storage of data, ensuring you are doing 1:1 sampling, etc. (hard on
big pipes)

- jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
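
Items 1 and 4 above describe the same two queries from different angles: pull out the flows with packet counts in the thousands (what the inc K grep picks out of show ip cache flow), and total traffic per protocol and port against a threshold. This added example, not code from the post or from any real collector, loads constructed flow records into an in-memory SQLite table and runs both queries; the records, the 1000-packet cutoff and the per-key thresholds are assumptions.

```python
"""Load NetFlow-style records into SQLite and alert on thresholds.

Added example, not code from the thread. It mirrors the "feed netflow
into an sql based system" approach from the post above: records go into
a table, one query pulls the large flows (the thousands-of-packets rows
that the inc K grep finds in show ip cache flow), another totals packets
per protocol/port for the window and compares them against thresholds.
The records, the thresholds and the 1000-packet cutoff are assumptions.
"""
import sqlite3

# Per-(proto, dport) packet thresholds for one collection window (assumed
# baselines). Protocol 0 and 255 are alerted on at any count at all, on the
# assumption that neither should appear on a normal customer edge.
THRESHOLDS = {
    (0, 0): 0,        # proto0
    (255, 0): 0,      # proto255
    (1, 0): 5000,     # icmp
    (6, 135): 500,    # tcp/135
    (6, 445): 500,    # tcp/445
}
LARGE_FLOW_PACKETS = 1000


def load_flows(records):
    """Create an in-memory flow table from (src, dst, proto, dport, packets, bytes) rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE flows (src TEXT, dst TEXT, proto INTEGER, dport INTEGER,"
        " packets INTEGER, bytes INTEGER)"
    )
    db.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?)", records)
    return db


def large_flows(db, min_packets=LARGE_FLOW_PACKETS):
    """Flows at or above the packet cutoff, biggest first."""
    return db.execute(
        "SELECT src, dst, proto, dport, packets FROM flows"
        " WHERE packets >= ? ORDER BY packets DESC",
        (min_packets,),
    ).fetchall()


def threshold_alerts(db, thresholds=THRESHOLDS):
    """Return [(proto, dport, packets, threshold)] for every key whose window
    total exceeds its threshold."""
    alerts = []
    for (proto, dport), limit in thresholds.items():
        # ICMP and proto 0/255 carry no port, so those keys are summed per protocol only
        if proto in (0, 1, 255):
            row = db.execute(
                "SELECT COALESCE(SUM(packets), 0) FROM flows WHERE proto = ?", (proto,)
            ).fetchone()
        else:
            row = db.execute(
                "SELECT COALESCE(SUM(packets), 0) FROM flows WHERE proto = ? AND dport = ?",
                (proto, dport),
            ).fetchone()
        if row[0] > limit:
            alerts.append((proto, dport, row[0], limit))
    return alerts


# Constructed window: an ICMP flood from one source, a burst of small tcp/135
# flows from one customer, and ordinary web traffic including one big download.
SAMPLE_RECORDS = [
    ("203.0.113.77", "198.51.100.20", 1, 0, 12000, 768000),   # ICMP flood, one large flow
    ("198.51.100.20", "203.0.113.77", 1, 0, 30, 1920),
    ("198.51.100.5", "203.0.113.8", 6, 80, 400, 520000),
    ("198.51.100.6", "203.0.113.9", 6, 443, 1500, 1800000),    # big but legitimate
] + [("198.51.100.31", f"192.0.2.{i}", 6, 135, 3, 144) for i in range(1, 201)]

if __name__ == "__main__":
    db = load_flows(SAMPLE_RECORDS)
    for row in large_flows(db):
        print("large flow:", row)
    for proto, dport, packets, limit in threshold_alerts(db):
        print(f"alert: proto {proto} port {dport}: {packets} packets in window, threshold {limit}")
```

The large-flow query finds the flood and the legitimate download alike, which is why the post says "hopefully" about spotting the bad guy that way; the per-port totals are what separate a burst of two-hundred tiny tcp/135 flows from one fat transfer.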


Re: Why do you use Netflow

2003-08-19 Thread Paul A. Bradford

Well,
   On ciscos, we use it to track down DOS attacks in a put it on,
troubleshoot, take it off manner.  Works great on not Catalyst stuff... 
put it on.. wait 30 seconds look for anything with K packets and you've
got your bad guy, hopefully.


Thanks,
Paul


On Tue, 2003-08-19 at 15:55, [EMAIL PROTECTED] wrote:
> Are operators frequently using netflow nowadays?  I assume that if you are, you turn
> it on only for some limited duration to collect your data and then go back and do
> your analysis.  Is this assumption correct?
>
> What are you looking at when you analyze this data?  I've seen uses such as
> top 10 destination AS's for peering evaluations.  What else?  Billing?
>
> -Lance-

-- 
Paul A Bradford
Senior Network Engineer
Adelphia Cable Communications
814-274-6663




Re: Why do you use Netflow

2003-08-19 Thread Petri Helenius


> > What are you looking at when you analyze this data?  I've
> > seen uses such as top 10 destination AS's for peering
> > evaluations.  What else?  Billing?
> >
> > -Lance-
>
> Also to get some application-specific bandwidth utilization
> numbers.

I wonder how you map your netflow data to applications?
(if I understood correctly what you're saying)

Pete



Re: Why do you use Netflow

2003-08-19 Thread Jason Frisvold
On Tue, 2003-08-19 at 16:12, Jack Bates wrote:
> Number one use for netflow, scan detections. I detect most users
> infected with a virus before remote networks can auto-gen a report. I
> also detect mail being sent from various customer machines. High volume
> traffic flags me so I can investigate if it's spam or not.

Cool.. I never thought of using it for this...

> I can tell you (well, I won't without a court order, but I could) the
> username, or customer name (if static), of every worm infected user on
> my network at any given point in time. 50+ inactive flows for an IP
> address is definite worm sign. If you want to be more specific, do
> sequential scan checks on the flow data. Has been very useful in dealing
> with Blaster.

Worm Sign...  Dune...  Cool :)

We used ip accounting the other night to detect and disable a large
number of worm infected users that took out the router completely..  I
think net flow would have been too much overhead at the time...  Once we
were down to a more manageable number of infected users, we used netflow
to pinpoint them immediately...  (Note, we don't leave netflow on all
the time)

> Netflow is particularly useful when utilizing NAT, as it's much easier
> to collect netflow data than translation tables.
>
> On a cold, boring day, you can set up aggregates and generate cute little
> statistics for all sorts of things, and I hear it's useful in some
> scenarios.

Sounds like fun...  I wish I had slow boring days...  *grin*

> -Jack
-- 
---
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
[EMAIL PROTECTED]
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---
Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world.
  -- Albert Einstein [1879-1955]



RE: Why do you use Netflow

2003-08-19 Thread Mark Borchers

> > > What are you looking at when you analyze this data?  I've seen uses
> > > such as top 10 destination AS's for peering evaluations.  What else?
> > > Billing?
> > >
> > > -Lance-
> >
> > Also to get some application-specific bandwidth utilization numbers.
>
> I wonder how do you map your netflow data to applications?
> (if I understood correctly what you're saying)

The caveat is that Netflow is useful for this purpose on a
smallish test/research network, in which port numbers and/or
combinations of port numbers and server addresses correlate to
an application, which is what I happen to be doing.  Naturally
on a public backbone you'd want to substitute port-specific
for application-specific.
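
The caveat above translates into a two-tier classifier: where you control the servers, a (server address, port) pair names the application; anywhere else you can only label by port, and anything off the port list stays "unknown". The following is an added example written for this thread, not code from the post or from any product; the application tables, addresses, flow records and the 300-second window are all constructed.

```python
"""Map flows to applications by (server, port), falling back to port only.

Added example, not code from the thread. On a small network you know the
servers, so a (server address, port) pair identifies an application; on a
backbone only the port is known, so the classifier falls back to a
port-only label, which is the caveat in the post above. The application
tables, addresses and sample flows are constructed.
"""
from collections import defaultdict

# Tier 1: exact (server, port) -> application, only valid where you run the servers.
SERVER_APPS = {
    ("192.0.2.10", 80): "intranet-web",
    ("192.0.2.20", 5432): "postgres-reporting",
    ("192.0.2.30", 80): "package-mirror",
}
# Tier 2: port-only labels, what a public backbone has to settle for.
PORT_APPS = {80: "http", 443: "https", 25: "smtp", 53: "dns", 5432: "postgres"}


def classify(flow, server_apps=SERVER_APPS, port_apps=PORT_APPS):
    """flow = (src, dst, proto, dport, bytes).
    Returns (label, tier) with tier one of 'server', 'port' or 'unknown'."""
    _src, dst, proto, dport, _bytes = flow
    if (dst, dport) in server_apps:
        return server_apps[(dst, dport)], "server"
    if dport in port_apps:
        return port_apps[dport], "port"
    return f"proto{proto}/{dport}", "unknown"


def bytes_per_application(flows, window_seconds):
    """Return {label: (bytes, kbit/s)} aggregated over one collection window."""
    totals = defaultdict(int)
    for f in flows:
        label, _tier = classify(f)
        totals[label] += f[4]
    return {
        label: (b, round(b * 8 / window_seconds / 1000, 1))
        for label, b in totals.items()
    }


# Constructed window of flows: three on-net servers, one off-net HTTPS server,
# and one flow on a port nobody has a label for.
SAMPLE_FLOWS = [
    ("198.51.100.4", "192.0.2.10", 6, 80, 1_200_000),
    ("198.51.100.5", "192.0.2.10", 6, 80, 800_000),
    ("198.51.100.5", "192.0.2.30", 6, 80, 5_000_000),
    ("198.51.100.6", "192.0.2.20", 6, 5432, 300_000),
    ("198.51.100.7", "203.0.113.9", 6, 443, 2_000_000),   # off-net: port-only label
    ("198.51.100.8", "203.0.113.9", 17, 4000, 100_000),   # nothing known about it
]

if __name__ == "__main__":
    report = bytes_per_application(SAMPLE_FLOWS, 300)
    for label, (b, kbps) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{label:20s} {b:>10d} bytes  {kbps:8.1f} kbit/s")
```

Note that the two port-80 servers land in different application buckets only because of tier 1; with the server table removed they would both collapse into "http", which is exactly the loss of precision the post describes for a public backbone.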




Re: Why do you use Netflow

2003-08-19 Thread Jack Bates
Jason Frisvold wrote:

> We used ip accounting the other night to detect and disable a large
> number of worm infected users that took out the router completely..  I
> think net flow would have been too much overhead at the time...  Once we
> were down to a more manageable number of infected users, we used netflow
> to pinpoint them immediately...  (Note, we don't leave netflow on all
> the time)

One method for limiting netflow accounting to manageable amounts is to
access-list the port involved. This is why I did institute 135 blocking.
This flags the flow as inactive which only holds it for like 15 seconds
on default. Of course, this still may not be enough for some routers. I
just happen to have prepared for this actual event due to constant DDOS
attacks about nine months ago (reverse view, change rule matches).

-Jack



Re: Why do you use Netflow

2003-08-19 Thread james

On a day like today, Net Flows was very useful to clue me into
why some dial-up users were dead in the water. 500kbs of incoming ICMP.

James Edwards
Routing and Security
[EMAIL PROTECTED]
At the Santa Fe Office: Internet at Cyber Mesa




Re: Why do you use Netflow

2003-08-19 Thread james


: what sort of tools are you using to interpret netflow, other than cflowd
: (which I've found overly complex and not graphical enough)

CUGrapher.pl