nanog mailing list archives
Re: Why do you use Netflow
From: Jack Bates <jbates () brightok net>
Date: Tue, 19 Aug 2003 16:23:14 -0500
Jason Frisvold wrote:
We used ip accounting the other night to detect and disable a large number of worm infected users that took out the router completely.. I think net flow would have been too much overhead at the time... Once we were down to a more manageable number of infected users, we used netflow to pinpoint them immediately... (Note, we don't leave netflow on all the time)
One method for limiting netflow accounting to manageable amounts is to access-list the port involved. This is why I did institute 135 blocking. This flags the flow as inactive which only holds it for like 15 seconds on default. Of course, this still may not be enough for some routers. I just happen to have prepared for this actual event due to constant DDOS attacks about nine months ago (reverse view, change rule matches).
-Jack
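
The thread describes using flow data to pinpoint worm-infected users on port 135. The sketch below is an added example, not part of either poster's message or any tool they used: it ranks sources by the number of distinct destinations they contacted on TCP/135. The record layout, the `find_scanners` name and the threshold of 20 targets are assumptions, and the flow records are constructed.

```python
from collections import defaultdict

TCP = 6

# Constructed sample flow records (src, dst, protocol, dst_port, packets).
# Addresses are from private/documentation ranges; none of this is real data.
SAMPLE_FLOWS = (
    # One host probing 40 different addresses on TCP/135 with tiny flows.
    [("10.0.0.5", f"192.0.2.{i}", TCP, 135, 1) for i in range(1, 41)]
    # A host talking repeatedly to a single server on TCP/135 (normal RPC use).
    + [("10.0.0.9", "10.0.1.20", TCP, 135, 12)] * 30
    # Ordinary web traffic on a different port.
    + [("10.0.0.7", f"198.51.100.{i}", TCP, 80, 25) for i in range(1, 31)]
)


def find_scanners(flows, port=135, proto=TCP, min_targets=20):
    """Return [(src, distinct_dst_count)] for sources that contacted at least
    min_targets distinct destinations on proto/port, busiest first.

    min_targets is an assumed threshold; tune it to the network's baseline.
    """
    targets = defaultdict(set)
    for src, dst, flow_proto, dst_port, _packets in flows:
        if flow_proto == proto and dst_port == port:
            targets[src].add(dst)
    hits = [(src, len(dsts)) for src, dsts in targets.items()
            if len(dsts) >= min_targets]
    # Sort by fan-out descending, then by address for stable output.
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_FLOWS):
        print(f"{src} contacted {count} distinct hosts on TCP/135")
```

Counting distinct destinations rather than flows keeps a client that talks heavily to one server on port 135 out of the result.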