North American Network Operators Group
Re: Why do you use Netflow
On Tue, 2003-08-19 at 16:12, Jack Bates wrote:
> Number one use for netflow, scan detections. I detect most users
> infected with a virus before remote networks can auto-gen a report. I
> also detect mail being sent from various customer machines. High volume
> traffic flags me so I can investigate if it's spam or not.

Cool.. I never thought of using it for this...

> I can tell you (well, I won't without a court order, but I could) the
> username, or customer name (if static), of every worm-infected user on
> my network at any given point in time. 50+ inactive flows for an IP
> address is definite worm sign. If you want to be more specific, do
> sequential scan checks on the flow data. Has been very useful in dealing
> with Blaster.

Worm Sign... Dune... Cool :)

We used ip accounting the other night to detect and disable a large
number of worm-infected users that took out the router completely.. I
think netflow would have been too much overhead at the time... Once we
were down to a more manageable number of infected users, we used netflow
to pinpoint them immediately... (Note, we don't leave netflow on all the
time)

> Netflow is particularly useful when utilizing NAT, as it's much easier
> to collect netflow data than translation tables.
>
> On a cold, boring day, you can set up aggregates and generate cute little
> statistics for all sorts of things, and I hear it's useful in some
> scenarios.

Sounds like fun... I wish I had slow boring days... *grin*

> -Jack

-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
[email protected]
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge. Knowledge is limited.
Imagination encircles the world." -- Albert Einstein [1879-1955]

Attachment: signature.asc
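The two heuristics quoted above (50+ unanswered flows from one source address as a worm sign, and a sequential-destination check to be more specific) as an added example, not code from either poster or from NANOG. The flow record layout (src dst proto dport pkts bytes tcpflags, one flow per line, roughly what flow-tools or nfdump print), the definition of a "probe" flow as one that never got past a SYN or a couple of packets, the 50-flow threshold and the 16-address run length are all assumptions; the sample flows are constructed inline.

```python
"""Scan detection over NetFlow-style records.

Added example. Field layout, probe definition and thresholds are
assumptions chosen to illustrate the heuristics, not a standard.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flows: src dst proto dport pkts bytes tcpflags
#  - 10.1.2.3 sweeps 10.20.0.1-60 on tcp/135 with single-packet SYN flows
#    (Blaster-like behaviour: many sequential, unanswered probes)
#  - 10.1.7.7 sends 55 single-packet SYNs to scattered addresses
#    (hits the flow-count threshold but is not a sequential sweep)
#  - 10.1.4.4 sends a handful of probes (below threshold)
#  - 10.1.9.9 / 10.1.5.5 carry ordinary established traffic
SAMPLE_FLOWS = "\n".join(
    [f"10.1.2.3 10.20.0.{i} 6 135 1 48 S" for i in range(1, 61)]
    + [f"10.1.7.7 203.0.113.{i * 4 + 1} 6 135 1 48 S" for i in range(55)]
    + [f"10.1.4.4 10.20.1.{i} 6 445 1 48 S" for i in range(1, 6)]
    + [
        "10.1.9.9 192.0.2.10 6 80 12 6000 SPA",
        "10.1.9.9 192.0.2.11 6 443 30 20000 SPA",
        "10.1.5.5 198.51.100.25 6 25 8 1200 SPA",
    ]
)


def parse_flows(text):
    """Parse the assumed whitespace-separated flow layout into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, nbytes, flags = line.split()
        flows.append({
            "src": src, "dst": dst, "proto": int(proto), "dport": int(dport),
            "pkts": int(pkts), "bytes": int(nbytes), "flags": flags,
        })
    return flows


def is_probe(flow):
    """Assumption: an 'inactive' flow in the scan sense is one that never
    got a reply: a SYN-only TCP flow of 1-2 packets, or a tiny non-TCP flow."""
    if flow["proto"] == 6:
        return flow["pkts"] <= 2 and flow["flags"] == "S"
    return flow["pkts"] <= 2


def longest_sequential_run(dsts):
    """Length of the longest run of consecutive destination addresses.
    A long run means the source is walking a subnet address by address."""
    ints = sorted({int(ipaddress.ip_address(d)) for d in dsts})
    best = run = 1 if ints else 0
    for a, b in zip(ints, ints[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_scanners(flows, min_flows=50, min_run=16):
    """Return {src: {flows, seq_run, sequential}} for every source with at
    least min_flows probe flows; 'sequential' is the more specific check."""
    by_src = defaultdict(list)
    for f in flows:
        if is_probe(f):
            by_src[f["src"]].append(f["dst"])
    report = {}
    for src, dsts in by_src.items():
        if len(dsts) >= min_flows:
            run = longest_sequential_run(dsts)
            report[src] = {"flows": len(dsts), "seq_run": run,
                           "sequential": run >= min_run}
    return report


if __name__ == "__main__":
    for src, info in detect_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(src, info)
```

On the sample, 10.1.2.3 is reported with 60 probe flows and a 60-address sequential run, 10.1.7.7 with 55 probe flows but no sequential run, and the remaining hosts are not reported at all. Real flow exports would be fed in from a collector in place of the constructed string; the probe definition is the part to tune for a given network.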