[nsp] NetFlow and DoS attacks - tuning

christopher_a_kane at bankone.com
Mon Dec 15 09:51:12 EST 2003


Cisco paper about load:

http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/ntfo_wp.htm

-chris

Charles Sprickman <spork at inch.com>@puck.nether.net on 12/14/2003 02:40:17 AM

Sent by:  cisco-nsp-bounces at puck.nether.net


To:   cisco-nsp at puck.nether.net
cc:

Subject:  [nsp] NetFlow and DoS attacks - tuning



Hi,

I'm very new to netflow and flow-tools, but I had to use them tonight to
try and figure out what was being hit and where from (thanks elr at panix!).

After we dug up what we wanted, we started wondering about what kind of
impact logging all the flows was having on the router (a vxr w/npe-300),
as it was falling down under a 20,000 pps hit at a 384K SDSL customer
behind it.

There appear to be some tunables for flow export:

router.bway.net(config)#ip flow-cache ?
  entries             Specify the number of entries in the flow cache
  feature-accelerate  Enable flow based feature acceleration
  timeout             Specify flow cache timeout parameters

But I'm not really sure what I should be setting these to.  I want some
data during an attack, as it seems flow-tools is almost mandatory for
figuring out what is being hit when the traffic doesn't exit the router to
a LAN segment, but I also don't want the router to sacrifice itself in the
process.

Any pointers?  Any real-world experience with tuning this?

Thanks,

Charles

--
Charles Sprickman
spork at inch.com
