nanog mailing list archives

Re: Why do you use Netflow

From: Jason Frisvold <friz () corp ptd net>
Date: Tue, 19 Aug 2003 16:32:47 -0400

On Tue, 2003-08-19 at 16:12, Jack Bates wrote:

Number one use for netflow, scan detections. I detect most users 
infected with a virus before remote networks can auto-gen a report. I 
also detect mail being sent from various customer machines. High volume 
traffic flags me so I can investigate if it's spam or not.


Cool.. I never thought of using it for this...

I can tell you (well, I won't without a court order, but I could) the 
username, or customer name (if static), of every worm infected user on 
my network at any given point in time. 50+ inactive flows for an IP 
address is definite worm sign. If you want to be more specific, do 
sequential scan checks on the flow data. Has been very useful in dealing 
with Blaster.


Worm Sign...  Dune...  Cool :)

We used ip accounting the other night to detect and disable a large
number of worm infected users that took out the router completely..  I
think net flow would have been too much overhead at the time...  Once we
were down to a more manageable number of infected users, we used netflow
to pinpoint them immediately...  (Note, we don't leave netflow on all
the time)

Netflow is particularly useful when utilizing NAT, as it's much easier 
to collected netflow data than translation tables.

On a cold, boring day, you can setup aggregates and generate cute little 
statistics for all sorts of things, and I hear it's useful in some 
scenarios.


Sounds like fun...  I wish I had slow boring days...  *grin*

-Jack

-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz () corp ptd net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Why do you use Netflow lance_tatman (Aug 19)
- RE: Why do you use Netflow Mark Borchers (Aug 19)
  - Re: Why do you use Netflow Petri Helenius (Aug 19)
    - RE: Why do you use Netflow Mark Borchers (Aug 19)
- Re: Why do you use Netflow Jack Bates (Aug 19)
  - Re: Why do you use Netflow Jason Frisvold (Aug 19)
    - Re: Why do you use Netflow Jack Bates (Aug 19)
    - Re: Why do you use Netflow james (Aug 19)
    - Message not available
    - Re: Why do you use Netflow james (Aug 19)
- Re: Why do you use Netflow Jared Mauch (Aug 19)
- Re: Why do you use Netflow Paul A. Bradford (Aug 19)
  - Rules and Regs for a LEC's and Non LEC's Aaron D. Britt (Aug 19)
    - Re: Rules and Regs for a LEC's and Non LEC's alex (Aug 19)