North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Interesting new spam technique - getting a lot more popular.

  • From: Peter Phaal
  • Date: Thu Jun 15 14:11:31 2006

Has anyone considered using sFlow to detect this type of bad behavior? Many
layer 2 switches vendors mentioned in the discussion support sFlow (see
http://www.sflow.org/products/network.php for a list).

sFlow operates at layer 2 (think of it as a kind of remote sampled mirror
port capability that lets you capture the first 128 bytes of Ethernet frames
from every l2/l3 switch port in the data center). Information that you could
get from sFlow that is relevant to the discussion include: ingress switch
port, source and destination mac addresses, vlans, ip addresses, ARP targets
and senders, layer 4 protocol and ports.

Peter