nanog mailing list archives
Re: Why do you use Netflow
From: Jason Frisvold <friz () corp ptd net>
Date: Tue, 19 Aug 2003 16:32:47 -0400
On Tue, 2003-08-19 at 16:12, Jack Bates wrote:
> Number one use for netflow, scan detections. I detect most users infected with a virus before remote networks can auto-gen a report. I also detect mail being sent from various customer machines. High volume traffic flags me so I can investigate if it's spam or not.
Cool.. I never thought of using it for this...
> I can tell you (well, I won't without a court order, but I could) the username, or customer name (if static), of every worm infected user on my network at any given point in time. 50+ inactive flows for an IP address is definite worm sign. If you want to be more specific, do sequential scan checks on the flow data. Has been very useful in dealing with Blaster.
Worm Sign... Dune... Cool :) We used ip accounting the other night to detect and disable a large number of worm infected users that took out the router completely.. I think net flow would have been too much overhead at the time... Once we were down to a more manageable number of infected users, we used netflow to pinpoint them immediately... (Note, we don't leave netflow on all the time)
> Netflow is particularly useful when utilizing NAT, as it's much easier to collect netflow data than translation tables. On a cold, boring day, you can setup aggregates and generate cute little statistics for all sorts of things, and I hear it's useful in some scenarios.
Sounds like fun... I wish I had slow boring days... *grin*
> -Jack
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz () corp ptd net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." -- Albert Einstein [1879-1955]
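The three flow-based checks Jack describes in the quoted text (50 or more inactive flows from one address as a worm sign, a sequential-scan check on the flow data to tell a linear sweep from random probing, and flagging customer machines that originate a lot of mail) are worked into one small script below. This is an added example, not code from the thread or from either poster. The 50-flow threshold is the one from the post; the other thresholds, the reading of "inactive flow" as a flow of at most two packets (a probe that expired on the inactive timer with no answer), the minimal `Flow` record layout, and all sample addresses are assumptions constructed for the example.

```python
"""Flow-based scan and outbound-SMTP detection over NetFlow-style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record (constructed; real exports carry more fields)."""
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int


SCAN_FLOW_THRESHOLD = 50    # "50+ inactive flows for an IP address" (from the post)
SEQ_RUN_THRESHOLD = 20      # assumed: this many consecutive dst IPs counts as a sequential scan
SMTP_FLOW_THRESHOLD = 30    # assumed: outbound TCP/25 flows that warrant a look
TINY_FLOW_PACKETS = 2       # assumed: <= 2 packets ~ unanswered probe expired by inactive timer


def longest_sequential_run(dsts):
    """Length of the longest run of numerically consecutive destination IPs."""
    ints = sorted({int(ipaddress.ip_address(d)) for d in dsts})
    if not ints:
        return 0
    best = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_scanners(flows):
    """Per source: count tiny flows and flag sources at or above SCAN_FLOW_THRESHOLD.
    The sequential-run length separates a linear sweep from scattered probing."""
    tiny_by_src = defaultdict(list)
    for f in flows:
        if f.packets <= TINY_FLOW_PACKETS:
            tiny_by_src[f.src].append(f)
    findings = {}
    for src, fl in tiny_by_src.items():
        if len(fl) < SCAN_FLOW_THRESHOLD:
            continue
        dsts = [f.dst for f in fl]
        run = longest_sequential_run(dsts)
        findings[src] = {
            "tiny_flows": len(fl),
            "distinct_dsts": len(set(dsts)),
            "sequential_run": run,
            "sequential_scan": run >= SEQ_RUN_THRESHOLD,
        }
    return findings


def detect_mail_senders(flows):
    """Count outbound TCP/25 flows per source; return the high-volume ones for review."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == 6 and f.dport == 25:
            counts[f.src] += 1
    return {src: n for src, n in counts.items() if n >= SMTP_FLOW_THRESHOLD}


def make_sample_flows():
    """Constructed flow set: one linear sweeper, one scattered prober, one mail spewer,
    and two ordinary hosts. Addresses are documentation/RFC 1918 ranges, not real hosts."""
    flows = []
    # 192.0.2.10 sweeps 10.1.0.1..10.1.0.60 on TCP/135, one unanswered packet per target
    for i in range(1, 61):
        flows.append(Flow("192.0.2.10", f"10.1.0.{i}", 6, 135, 1, 48))
    # 192.0.2.11 probes 55 scattered addresses (second octet differs for every target)
    for i in range(55):
        dst = f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 53) % 255 + 1}"
        flows.append(Flow("192.0.2.11", dst, 6, 135, 1, 48))
    # 192.0.2.30 opens 40 full SMTP sessions to 40 different mail servers
    for i in range(40):
        flows.append(Flow("192.0.2.30", f"198.51.100.{i}", 6, 25, 20, 4000))
    # ordinary web browsing and a couple of normal mail submissions
    for i in range(5):
        flows.append(Flow("192.0.2.20", f"203.0.113.{i}", 6, 80, 30, 20000))
    for i in range(3):
        flows.append(Flow("192.0.2.40", f"198.51.100.{i}", 6, 25, 20, 4000))
    return flows


if __name__ == "__main__":
    sample = make_sample_flows()
    for src, info in detect_scanners(sample).items():
        print(f"scan: {src} {info}")
    for src, n in detect_mail_senders(sample).items():
        print(f"mail: {src} {n} outbound SMTP flows")
```

Run against the constructed sample, the sweeper and the scattered prober are both reported (60 and 55 tiny flows), but only the sweeper carries `sequential_scan: True`, and only the 40-session sender shows up in the mail list; the ordinary hosts trigger nothing. On a real collector the same logic would run over one export interval at a time, and the packet and flow thresholds would be tuned to the link, which is also why the post notes that leaving NetFlow on everywhere is not free.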