[nsp] NetFlow and DoS attacks - tuning

Paul Kohler pkohler at cisco.com
Mon Dec 15 02:08:08 EST 2003 

Hi Charles,

In answer to your questions:
- we have a NetFlow performance impact paper at
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/ntfo_wp.htm
that includes stats on 7200 w/ NPE400
- of the tunable entries for DoS attacks, as Nathan mentioned, I think the 
timers are what you can play with. Typically customers like to configure 
them lower than their default 15 sec for inactive and 30 min for active 
values so that possible attacks can more quickly be identified. For more 
info check
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm#1222819
- As Nathan alluded to, Flow-tools or any other app is not mandatory to 
successfully identify and mitigate a DoS attack. While an apps provide 
additional functionality or ease-of-use, you can still use CLI.
- Adding to Nathan's suggestions, also take a look at "sh ip cache verbose 
flow" which gives you some additional fields that may help you further 
narrow down an attack.
- Here's a good overview presentation
http://www.dfn-cert.de/dfn/berichte/db093/behringer-ddos.pdf
it covers NetFlow but also rate-limiting, CAR, uRPF, etc...

Paul

At 01:13 AM 12/14/2003, Nathan Patrick wrote:
>I've found "show ip cache flow" to be extremely useful in diagnosing DoS 
>attacks.
>
>Given the quantity of flow data that we archive, flow-tools searches take 
>quite some time. It's often faster to simply hop on the router and try 
>"show ip cache flow | inc K" to find IPs sourcing large amounts of 
>traffic, or taking a visual look at "show ip cache flow" for random source 
>IPs and their ingress interface. "show ip cache flow | inc <attacked IP>" 
>is also very useful, as it lets you know what's hitting a destination. 
>More advanced regexps can give you some interesting data.
>
>As for tuning, we set our inactive timeout to 300 seconds and active 
>timeout to 1 minute. The inactive timeout gets flows out of the cache 
>quickly, while the active timeout cuts up long running flows (news peers, 
>etc.) for graphing and some other applications. Other than that, we've 
>found the defaults to work well on NPE-400s as well as RSP4s. Note that 
>these parameters are not intended to reduce router load, but rather help 
>other applications.
>
>-Nathan
>
>Charles Sprickman wrote:
>
>>Hi,
>>
>>I'm very new to netflow and flow-tools, but I had to use them tonight to
>>try and figure out what was being hit and where from (thanks elr at panix!).
>>
>>After we dug up what we wanted, we started wondering about what kind of
>>impact logging all the flows was having on the router (a vxr w/npe-300),
>>as it was falling down under a 20,000 pps hit at a 384K SDSL customer
>>behind it.
>>
>>There appear to be some tunables for flow export:
>>
>>router.bway.net(config)#ip flow-cache ?
>>  entries             Specify the number of entries in the flow cache
>>  feature-accelerate  Enable flow based feature acceleration
>>  timeout             Specify flow cache timeout parameters
>>
>>But I'm not really sure what I should be setting these to.  I want some
>>data during an attack, as it seems flow-tools is almost mandatory for
>>figuring out what is being hit when the traffic doesn't exit the router to
>>a LAN segment, but I also don't want the router to sacrifice itself in the
>>process.
>>
>>Any pointers?  Any real-world experience with tuning this?
>>
>>Thanks,
>>
>>Charles
>>
>>--
>>Charles Sprickman
>>spork at inch.com
>>
>>_______________________________________________
>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list