[nsp] NetFlow and DoS attacks - tuning
Charles Sprickman
spork at inch.com
Sun Dec 14 02:40:17 EST 2003
Hi,
I'm very new to netflow and flow-tools, but I had to use them tonight to
try and figure out what was being hit and where from (thanks elr at panix!).
After we dug up what we wanted, we started wondering about what kind of
impact logging all the flows was having on the router (a vxr w/npe-300),
as it was falling down under a 20,000 pps hit at a 384K SDSL customer
behind it.
There appear to be some tunables for flow export:
router.bway.net(config)#ip flow-cache ?
entries Specify the number of entries in the flow cache
feature-accelerate Enable flow based feature acceleration
timeout Specify flow cache timeout parameters
But I'm not really sure what I should be setting these to. I want some
data during an attack, as it seems flow-tools is almost mandatory for
figuring out what is being hit when the traffic doesn't exit the router to
a LAN segment, but I also don't want the router to sacrifice itself in the
process.
Any pointers? Any real-world experience with tuning this?
Thanks,
Charles
--
Charles Sprickman
spork at inch.com
More information about the cisco-nsp
mailing list