[60905] in North American Network Operators' Group
Re: Why do you use Netflow
daemon@ATHENA.MIT.EDU (Jason Frisvold)
Tue Aug 19 16:49:00 2003
From: Jason Frisvold <friz@corp.ptd.net>
To: Jack Bates <jbates@brightok.net>
Cc: lance_tatman@agilent.com, nanog@merit.edu
In-Reply-To: <3F4284C9.4050806@brightok.net>
Date: Tue, 19 Aug 2003 16:32:47 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 2003-08-19 at 16:12, Jack Bates wrote:
> Number one use for netflow, scan detections. I detect most users
> infected with a virus before remote networks can auto-gen a report. I
> also detect mail being sent from various customer machines. High volume
> traffic flags me so I can investigate if it's spam or not.
Cool.. I never thought of using it for this...
> I can tell you (well, I won't without a court order, but I could) the
> username, or customer name (if static), of every worm infected user on
> my network at any given point in time. 50+ inactive flows for an IP
> address is definite worm sign. If you want to be more specific, do
> sequential scan checks on the flow data. Has been very useful in dealing
> with Blaster.
Worm Sign... Dune... Cool :)
We used ip accounting the other night to detect and disable a large
number of worm infected users that took out the router completely.. I
think net flow would have been too much overhead at the time... Once we
were down to a more manageable number of infected users, we used netflow
to pinpoint them immediately... (Note, we don't leave netflow on all
the time)
> Netflow is particularly useful when utilizing NAT, as it's much easier
> to collected netflow data than translation tables.
>
> On a cold, boring day, you can setup aggregates and generate cute little
> statistics for all sorts of things, and I hear it's useful in some
> scenarios.
Sounds like fun... I wish I had slow boring days... *grin*
> -Jack
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
-- Albert Einstein [1879-1955]
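The two heuristics Jack describes in the thread (50+ inactive flows from one address as a worm sign, and a sequential scan check over the destination addresses for more certainty) can be run straight over exported flow records. The script below is an added example written for this archive page, not code from either poster or from any NetFlow collector; it assumes flow records have already been collected into Python dicts with `src`, `dst`, `dport` and `packets` fields, treats a flow of at most two packets as "inactive" (a probe that was never answered, an assumption made here), and runs on constructed sample data rather than a real export.

```python
"""Worm and scan heuristics over NetFlow-style records (added example).

Assumed record shape: {"src": ip, "dst": ip, "dport": int, "packets": int}.
"""
import ipaddress
from collections import defaultdict

FLOW_THRESHOLD = 50          # "50+ inactive flows for an IP" from the thread
INACTIVE_MAX_PACKETS = 2     # assumption: <=2 packets means the probe went unanswered
MIN_SEQUENTIAL_RUN = 10      # assumption: this many consecutive targets counts as a sweep


def make_sample_flows():
    """Constructed sample export: one sweeping host, one normal host, one noisy one."""
    flows = []
    # Worm-like host: single-packet probes to 60 consecutive addresses on tcp/135.
    for i in range(1, 61):
        flows.append({"src": "10.0.0.5", "dst": f"192.168.1.{i}", "dport": 135, "packets": 1})
    # Ordinary host: a few long-lived HTTPS sessions.
    for i, dst in enumerate(["203.0.113.10", "203.0.113.11", "198.51.100.7"]):
        flows.append({"src": "10.0.0.7", "dst": dst, "dport": 443, "packets": 120 + i})
    # Noisy host: 55 unanswered probes, but to scattered (non-consecutive) addresses.
    for i in range(55):
        dst = f"172.16.{(i * 37) % 200 + 1}.{(i * 53) % 250 + 1}"
        flows.append({"src": "10.0.0.9", "dst": dst, "dport": 445, "packets": 1})
    return flows


def inactive_flow_counts(flows, max_packets=INACTIVE_MAX_PACKETS):
    """Per source address, count flows that look unanswered (very few packets)."""
    counts = defaultdict(int)
    for f in flows:
        if f["packets"] <= max_packets:
            counts[f["src"]] += 1
    return dict(counts)


def worm_suspects(flows, threshold=FLOW_THRESHOLD):
    """Sources at or above the inactive-flow threshold, sorted for stable output."""
    return sorted(src for src, n in inactive_flow_counts(flows).items() if n >= threshold)


def longest_sequential_run(addresses):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def sequential_scanners(flows, min_run=MIN_SEQUENTIAL_RUN):
    """Map source -> longest consecutive destination run on a single port, if it is a sweep."""
    dsts = defaultdict(set)
    for f in flows:
        dsts[(f["src"], f["dport"])].add(f["dst"])
    result = {}
    for (src, _dport), addrs in dsts.items():
        run = longest_sequential_run(addrs)
        if run >= min_run:
            result[src] = max(result.get(src, 0), run)
    return result


if __name__ == "__main__":
    flows = make_sample_flows()
    print("inactive flows per source:", inactive_flow_counts(flows))
    print("over threshold:", worm_suspects(flows))
    print("sequential sweeps:", sequential_scanners(flows))
```

On the sample data the threshold alone flags both 10.0.0.5 and 10.0.0.9, while the sequential check singles out 10.0.0.5 (a 60-address sweep), which is the "more specific" step the thread recommends before treating a flow count as proof of infection.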