Why do you use Netflow

Jason Frisvold friz at corp.ptd.net
Tue Aug 19 20:32:47 UTC 2003


On Tue, 2003-08-19 at 16:12, Jack Bates wrote:
> Number one use for netflow, scan detections. I detect most users 
> infected with a virus before remote networks can auto-gen a report. I 
> also detect mail being sent from various customer machines. High volume 
> traffic flags me so I can investigate if it's spam or not.

Cool... I never thought of using it for this...

> I can tell you (well, I won't without a court order, but I could) the 
> username, or customer name (if static), of every worm infected user on 
> my network at any given point in time. 50+ inactive flows for an IP 
> address is definite worm sign. If you want to be more specific, do 
> sequential scan checks on the flow data. Has been very useful in dealing 
> with Blaster.

Worm Sign...  Dune...  Cool :)

We used ip accounting the other night to detect and disable a large
number of worm infected users that took out the router completely..  I
think netflow would have been too much overhead at the time...  Once we
were down to a more manageable number of infected users, we used netflow
to pinpoint them immediately...  (Note, we don't leave netflow on all
the time)

> Netflow is particularly useful when utilizing NAT, as it's much easier 
> to collect netflow data than translation tables.
> 
> On a cold, boring day, you can setup aggregates and generate cute little 
> statistics for all sorts of things, and I hear it's useful in some 
> scenarios.

Sounds like fun...  I wish I had slow boring days...  *grin*

> -Jack
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz at corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]
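The two heuristics quoted above (50+ inactive flows from one address as a worm sign, and a sequential-scan check on the flow data), plus the high-volume mail check from the same reply, as an added Python example that is not code from the original post or from either poster. The flow records are constructed here, "inactive flow" is assumed to mean a one-packet TCP flow carrying only a SYN that the inactive timer expired, and the address ranges, port numbers and thresholds (50 flows, a run of 16 consecutive destinations) are assumptions; a real export from flow-tools or nfdump would be parsed into the same tuple shape.

```python
"""Worm-scan and mail-fanout heuristics over NetFlow-style records (added example)."""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    tcp_flags: int  # cumulative TCP flags seen in the flow


SYN = 0x02          # SYN only: no answer ever came back (assumed worm signature)
ESTABLISHED = 0x1a  # SYN|ACK|PSH: a session that was actually answered


def is_inactive_flow(f: Flow) -> bool:
    """A one-packet TCP flow with only SYN set: expired on the inactive timer, unanswered."""
    return f.proto == 6 and f.packets == 1 and f.tcp_flags == SYN


def inactive_flows_by_source(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count unanswered SYN flows per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_inactive_flow(f):
            counts[f.src] += 1
    return dict(counts)


def flag_by_inactive_count(flows: List[Flow], threshold: int = 50) -> Set[str]:
    """The '50+ inactive flows' rule: sources at or above the threshold."""
    return {src for src, n in inactive_flows_by_source(flows).items() if n >= threshold}


def longest_sequential_run(flows: List[Flow], src: str, dport: int = None) -> int:
    """Longest run of numerically consecutive destination addresses hit by src."""
    dsts = sorted({int(ip_address(f.dst)) for f in flows
                   if f.src == src and (dport is None or f.dport == dport)})
    best = run = 1 if dsts else 0
    for prev, cur in zip(dsts, dsts[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_sequential_scanners(flows: List[Flow], min_run: int = 16) -> Set[str]:
    """The sequential-scan check: sources sweeping min_run or more adjacent addresses."""
    return {src for src in {f.src for f in flows}
            if longest_sequential_run(flows, src) >= min_run}


def smtp_fanout(flows: List[Flow]) -> Dict[str, int]:
    """Distinct 25/tcp destinations per source; high values are worth a look for spam."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.dport == 25:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items()}


def constructed_flows() -> List[Flow]:
    """Constructed sample export: one worm-infected host, one normal host, one bulk mailer."""
    flows: List[Flow] = []
    # Infected host sweeping 192.168.10.1-64 on 135/tcp, one unanswered SYN each.
    for i in range(1, 65):
        flows.append(Flow("10.0.0.7", f"192.168.10.{i}", 135, 6, 1, SYN))
    # Ordinary host: a few completed web sessions to unrelated addresses.
    for dst in ("203.0.113.5", "203.0.113.9", "198.51.100.20"):
        flows.append(Flow("10.0.0.21", dst, 80, 6, 24, ESTABLISHED))
    # Bulk mailer: 40 completed 25/tcp sessions to non-adjacent hosts.
    for k in range(1, 41):
        flows.append(Flow("10.0.0.33", f"198.51.100.{k * 3}", 25, 6, 12, ESTABLISHED))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("inactive-flow hits:", flag_by_inactive_count(flows))
    print("sequential scanners:", flag_sequential_scanners(flows))
    print("smtp fanout:", smtp_fanout(flows))
```

The two worm checks are deliberately independent: the inactive-flow count catches random-target scanners that never complete a handshake, while the sequential run catches an orderly sweep even if some targets do answer. The mailer in the sample trips neither, only the fan-out count, which is the "investigate whether it is spam" case rather than an automatic worm verdict.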