[nsp] NetFlow and DoS attacks - tuning

Charles Sprickman spork at inch.com
Sun Dec 14 02:40:17 EST 2003


Hi,

I'm very new to netflow and flow-tools, but I had to use them tonight to
try and figure out what was being hit and where from (thanks elr at panix!).

After we dug up what we wanted, we started wondering about what kind of
impact logging all the flows was having on the router (a vxr w/npe-300),
as it was falling down under a 20,000 pps hit at a 384K SDSL customer
behind it.

There appear to be some tunables for flow export:

router.bway.net(config)#ip flow-cache ?
  entries             Specify the number of entries in the flow cache
  feature-accelerate  Enable flow based feature acceleration
  timeout             Specify flow cache timeout parameters

But I'm not really sure what I should be setting these to.  I want some
data during an attack, as it seems flow-tools is almost mandatory for
figuring out what is being hit when the traffic doesn't exit the router to
a LAN segment, but I also don't want the router to sacrifice itself in the
process.

Any pointers?  Any real-world experience with tuning this?

Thanks,

Charles

--
Charles Sprickman
spork at inch.com
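As an added illustration (not from Charles's post and not advice from the list), here are the three knobs shown in the `ip flow-cache ?` output above, with the usual IOS 12.x defaults beside one possible tuned setting. The numeric values, the interface name, the collector address and port, and the per-entry memory figure are assumptions chosen for illustration, not a tested recipe for the router in question.

```cisco
! Added example: the 'ip flow-cache' tunables from the post, with their
! usual IOS 12.x defaults (assumption: 65536 entries, 30 min active,
! 15 s inactive on a 7200-class router) beside one tuned variant.
! Values, interface names and the collector address are placeholders.

! --- defaults (what you get with no 'ip flow-cache' lines at all) ---
! ip flow-cache entries 65536
! ip flow-cache timeout active 30     ! minutes; long-lived flows are exported late
! ip flow-cache timeout inactive 15   ! seconds

! --- one tuned variant aimed at seeing an attack quickly ---
! A spoofed-source flood creates roughly one flow per packet, so a small
! cache forces constant premature aging.  Assumption: about 64 bytes per
! entry, so 131072 entries is on the order of 8 MB of router memory.
ip flow-cache entries 131072
! Short active timeout: long-running flows are exported every minute
! instead of every 30.  This raises export volume toward the collector.
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15

! Export to the flow-tools collector (address and port are placeholders)
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.0.2.10 9995

! Enable flow accounting only on the interface(s) facing the traffic of
! interest; every flow-switched interface adds cache and export work.
interface FastEthernet0/0
 ip route-cache flow

! Verification from exec mode: cache occupancy, active flows, aging rates,
! and whether exports are actually reaching the collector.
! show ip cache flow
! show ip flow export
! show processes cpu
```

Whatever values are chosen, `show ip cache flow` during normal load shows how full the cache already is and how fast entries are being aged; if it is near the entry limit before an attack, a flood will only push it into continuous aging. A one-minute active timeout makes the data timely but also multiplies export packets during a high-pps event, so the collector and the export path need to absorb that as well.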