Why do you use Netflow
Jack Bates
jbates at brightok.net
Tue Aug 19 20:12:57 UTC 2003
lance_tatman at agilent.com wrote:
> Are operators frequently using netflow nowadays? I assume that if you are, you turn it on only for
> some limited duration to collect your data and then go back and do your analysis. Is this assumption correct?
>
Netflow overhead is relatively low considering what it does. I keep mine
on at peering points.
> What are you looking at when you analyze this data? I've seen uses such as
> top 10 destination AS's for peering evaluations. What else? Billing?
>
Number one use for netflow, scan detections. I detect most users
infected with a virus before remote networks can auto-gen a report. I
also detect mail being sent from various customer machines. High volume
traffic flags me so I can investigate if it's spam or not.
I can tell you (well, I won't without a court order, but I could) the
username, or customer name (if static), of every worm infected user on
my network at any given point in time. 50+ inactive flows for an IP
address is definite worm sign. If you want to be more specific, do
sequential scan checks on the flow data. Has been very useful in dealing
with Blaster.
Netflow is particularly useful when utilizing NAT, as it's much easier
to collected netflow data than translation tables.
On a cold, boring day, you can setup aggregates and generate cute little
statistics for all sorts of things, and I hear it's useful in some
scenarios.
-Jack
More information about the NANOG
mailing list