[nsp] NetFlow and DoS attacks - tuning
christopher_a_kane at bankone.com
Mon Dec 15 09:51:12 EST 2003
Cisco paper about load:
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/ntfo_wp.htm
-chris
Charles Sprickman <spork at inch.com>@puck.nether.net on 12/14/2003 02:40:17 AM
Sent by: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp at puck.nether.net
cc:
Subject: [nsp] NetFlow and DoS attacks - tuning
Hi,
I'm very new to netflow and flow-tools, but I had to use them tonight to
try and figure out what was being hit and where from (thanks elr at panix!).
After we dug up what we wanted, we started wondering about what kind of
impact logging all the flows was having on the router (a vxr w/npe-300),
as it was falling down under a 20,000 pps hit at a 384K SDSL customer
behind it.
There appear to be some tunables for flow export:
router.bway.net(config)#ip flow-cache ?
  entries             Specify the number of entries in the flow cache
  feature-accelerate  Enable flow based feature acceleration
  timeout             Specify flow cache timeout parameters
But I'm not really sure what I should be setting these to. I want some
data during an attack, as it seems flow-tools is almost mandatory for
figuring out what is being hit when the traffic doesn't exit the router to
a LAN segment, but I also don't want the router to sacrifice itself in the
process.
Any pointers? Any real-world experience with tuning this?
Thanks,
Charles
--
Charles Sprickman
spork at inch.com