Why do you use Netflow

Jack Bates jbates at brightok.net
Tue Aug 19 21:23:14 UTC 2003


Jason Frisvold wrote:

> 
> We used ip accounting the other night to detect and disable a large
> number of worm infected users that took out the router completely..  I
> think net flow would have been too much overhead at the time...  Once we
> were down to a more manageable number of infected users, we used netflow
> to pinpoint them immediately...  (Note, we don't leave netflow on all
> the time)

One method for limiting netflow accounting to manageable amounts is to 
access-list the port involved. This is why I did institute 135 blocking. 
This flags the flow as inactive which only holds it for like 15 seconds 
on default. Of course, this still may not be enough for some routers. I 
just happen to have prepared for this actual event due to constant DDOS 
attacks about nine months ago (reverse view, change rule matches).

-Jack



