[c-nsp] Netflow DDoS questions
Kim Onnel
karim.adel at gmail.com
Wed Dec 29 09:31:04 EST 2004
Dear list,
I am running Netflow on My main internet gateway (7609) on the edge,
and on another router (RPM 7200) that is in my core, the RPM is the
gateway for all VRFs carrying internet traffic from all PoPs to the
main internet gateway,
So all my internet traffic is passing on both the gateway and the RPM,
however, i captured the flows to files at the same time from both
routers and the result is very weird,
On the main internet gateway the file is 136 KB and on the Internet
VRFs gateway, the file is 5 MB, definitely there is a something wrong,
Obviously, the gateway doesnt report all the flows it sees, another
weird thing for me is, all the flows at the Main internet gateway are
mostly just 1 pkt, while on the other its alot more than that, going
from 1 upto 6000 pkts,
The Main internet gateway is a 7609 with Cisco Internetwork Operating
System Software
IOS (tm) s72033_rp Software (s72033_rp-PSV-M), Version 12.2(18)SXD, RELEASE SOFT
WARE (fc2)
The VRFs INTERNET gateway is a Cisco IOS Software, RPM Software
(RPM-JS-M), Version 12.3(7)T3, RELEASE SOFTWARE
(fc2)
My questions are:
1) is it normal to see all the flows 1 pkt only on the main internet gateway
2) what does it mean to have ALOT more flows at the RPM than the 7609
3) the flows on the RPM with huge pkt numbers 6000, they mostly have
random src/dst ports, so is that weird, DDoS ?
Many thanks
below is a sample from both,
The 7600 flows:
IP packet size distribution (874904843 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .915 .045 .005 .001 .000 .000 .000 .000 .001 .000 .000 .006 .000 .003
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .002 .008 .003 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
1573 active, 63963 inactive, 778349044 added
4208449681 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 270536 bytes
1574 active, 14810 inactive, 295744870 added, 295744870 added to flow
0 alloc failures, 0 force free
1 chunk, 3 chunks added
last clearing of statistics 15w0d
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 3198 0.0 46 50 0.0 16.1 13.0
TCP-FTP 12100 0.0 1 52 0.0 1.0 14.6
TCP-FTPD 863 0.0 17 398 0.0 3.9 13.5
TCP-WWW 2190116 0.5 3 92 1.8 4.3 16.1
--More-- ��������� ���������TCP-SMTP 58904 0.0
5 79 0.0 2.4 13.7
TCP-X 401 0.0 14 538 0.0 1.6 13.7
TCP-BGP 196996 0.0 28 151 1.3 67.2 15.7
TCP-NNTP 611 0.0 10 110 0.0 3.4 13.3
TCP-Frag 47203 0.0 1 36 0.0 0.2 15.8
TCP-other 705049366 164.1 1 49 179.9 0.3 15.8
UDP-DNS 161522 0.0 10 90 0.4 8.4 15.8
UDP-NTP 8783 0.0 1 76 0.0 0.0 15.6
UDP-TFTP 198 0.0 1 88 0.0 1.4 15.7
UDP-Frag 50791 0.0 31 1144 0.3 23.5 15.7
UDP-other 41954476 9.7 1 290 11.8 0.4 15.8
ICMP 28610980 6.6 1 76 7.8 0.2 15.8
IPINIP 84 0.0 52 708 0.0 204.9 15.2
GRE 327 0.0 77 302 0.0 3.4 16.6
IP-other 877 0.0 134 164 0.0 8.0 15.2
Total: 778347796 181.2 1 67 203.7 0.3 15.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
PO4/0/0 82.164.119.23 Null 82.129.140.253 06 11A5 0087 1
Se3/0/0 64.157.32.1 Null 196.204.241.189 06 6377 008B 1
Se3/0/0 62.68.183.199 Null 62.68.226.12 06 0DB1 0087 1
PO4/0/0 82.49.16.143 Null 82.129.163.155 06 08D7 01BD 1
Se3/1/0 62.68.165.78 Null 62.68.239.199 06 0CA8 0087 1
--More-- ��������� ���������
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
PO4/0/0 62.68.165.174 Null 62.68.240.2 06 0C7C 01BD 1
Se3/1/0 62.68.161.253 Null 62.68.237.47 06 0A2E 0087 1
Se3/0/0 82.79.201.194 Null 82.129.197.164 06 1157 0087 1
Se3/0/0 62.68.165.174 Null 62.68.239.139 06 0C72 01BD 1
PO4/0/0 84.98.33.94 Null 62.12.116.210 06 1038 01BD 1
Se3/0/0 62.68.171.95 Null 62.68.237.156 06 0C85 01BD 1
Se3/1/0 62.68.175.208 Null 62.68.231.14 06 0F8C 0087 1
Se3/0/0 61.155.209.164 Null 196.204.241.68 06 0862 008B 1
Se3/0/0 62.68.167.29 Null 62.68.228.44 06 1335 01BD 1
PO4/0/0 166.90.208.138 Local 80.77.0.34 01 0000 0800 1
PO4/0/0 61.160.80.66 Null 62.68.244.94 06 0E1A 01BD 1
Se3/1/0 62.68.183.48 Null 62.68.225.46 06 0DCE 0087 1
Se3/0/0 82.226.86.165 Null 82.129.133.176 06 0F7C 0087 1
Se3/1/0 62.68.174.192 Null 62.68.231.135 06 0FFC 0087 1
PO4/0/0 82.100.230.206 Null 82.129.216.248 06 0B0F 0599 1
PO4/0/0 82.100.230.206 Null 82.129.216.254 06 0B15 0599 1
PO4/0/0 82.100.230.206 Null 82.129.216.255 06 0B16 0599 1
PO4/0/0 82.100.230.206 Null 82.129.216.251 06 0B12 0599 1
PO4/0/0 82.100.230.206 Null 82.129.216.250 06 0B11 0599 1
PO4/0/0 82.100.230.206 Local 82.129.216.249 06 0B10 0599 1
Se3/1/0 62.68.176.85 Null 62.68.225.238 06 0BCB 0087 1
PO4/0/0 62.209.163.12 Null 62.12.112.92 06 4574 01BD 1
PO4/0/0 62.68.167.165 Null 62.68.241.60 06 0F5B 0087 1
--More-- ��������� ���������
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Se3/1/0 62.68.173.186 Null 62.68.239.238 06 068F 01BD 1
Se3/0/0 62.68.165.236 Null 62.68.225.196 06 11C7 0087 1
Se3/1/0 62.68.167.29 Null 62.68.228.8 06 1103 0087 1
Se3/1/0 62.204.103.105 Null 62.240.102.221 06 11F2 0087 1
Se3/0/0 62.68.161.226 Null 62.68.237.185 06 08F0 01BD 1
PO4/0/0 213.16.163.176 Null 213.255.144.91 06 137A 0087 1
Se3/0/0 62.68.164.58 Null 62.68.226.218 06 11B9 0087 1
Se3/1/0 65.99.145.156 Null 196.204.241.204 06 1156 01BD 1
PO4/0/0 62.68.174.247 Null 62.68.240.157 06 04F3 01BD 1
Se3/1/0 62.68.173.186 Null 62.68.229.177 06 0C76 01BD 1
PO4/0/0 213.22.126.79 Null 213.212.201.133 06 1024 0087 1
Se3/1/0 62.68.168.5 Null 62.68.232.32 06 0B18 0087 1
PO4/0/0 80.183.74.86 Null 82.129.151.78 06 0E86 01BD 1
PO4/0/0 62.68.171.166 Null 62.68.245.62 06 066D 0087 1
PO4/0/0 84.99.97.230 Null 84.205.109.172 06 120B 0087 1
PO4/0/0 217.216.226.18 Null 213.255.148.109 06 0850 0087 1
PO4/0/0 80.213.148.231 Null 62.12.126.101 06 F7FE 01BD 1
PO4/0/0 213.255.211.134 Null 213.255.145.145 06 11CB 01BD 1
Se3/1/0 62.68.161.253 Null 62.68.236.122 06 09F6 0087 2
Se3/0/0 62.68.174.247 Null 62.68.239.65 06 04C1 01BD 1
Se3/1/0 62.68.164.58 Null 62.68.233.104 06 11D7 0087 1
Se3/1/0 62.68.171.166 Null 62.68.239.194 06 07AC 0087 1
PO4/0/0 82.252.198.216 Null 82.129.245.93 06 09F6 0087 1
The RPM:
IP packet size distribution (35753M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.002 .614 .026 .030 .016 .006 .009 .004 .002 .003 .002 .003 .005 .002 .001
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.001 .003 .013 .020 .226 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
65531 active, 5 inactive, 1688826016 added
2016139950 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 270536 bytes
5 active, 16379 inactive, 154995 added, 154995 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 741279 0.1 16 174 2.8 40.3 34.0
TCP-FTP 2340064 0.5 11 79 6.4 5.6 36.2
TCP-FTPD 926829 0.2 100 1293 21.6 34.9 35.6
TCP-WWW 478919584 111.5 18 1051 2032.7 7.4 37.3
--More-- ��������� ���������TCP-SMTP 26664302 6.2
16 196 99.3 13.7 31.8
TCP-X 79261 0.0 19 446 0.3 18.3 32.5
TCP-BGP 92806 0.0 80 43 1.7 12.2 32.1
TCP-NNTP 435873 0.1 26 813 2.6 45.5 33.8
TCP-Frag 57536 0.0 6 83 0.0 10.7 34.8
TCP-other 889753436 207.1 25 195 5237.7 10.4 34.9
UDP-DNS 7619478 1.7 10 65 18.0 8.1 37.3
UDP-NTP 352748 0.0 1 76 0.0 2.3 39.0
UDP-TFTP 7354 0.0 310 156 0.5 155.7 33.1
UDP-Frag 47143 0.0 121 660 1.3 48.2 32.7
UDP-other 223056403 51.9 12 168 660.4 8.5 37.6
ICMP 57025651 13.2 10 56 134.8 16.2 36.7
IPINIP 6 0.0 12 132 0.0 49.0 40.2
GRE 154196 0.0 363 370 13.0 93.7 25.8
IP-other 486457 0.1 788 522 89.3 144.2 27.0
Total: 1688760406 393.1 21 406 8323.4 9.6 36.0
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa2/1 82.129.242.94 Sw1.5 82.129.245.204 06 0BDE 0087 2
Fa1/1.1 196.204.223.3 Null 196.204.199.27 06 0E40 01BD 2
Fa1/1.1 81.57.115.70 Sw1.5 82.129.166.66 11 37B6 1366 2
Fa2/1 196.204.223.3 Null 196.204.230.145 06 1139 01BD 2
Fa2/1 68.142.230.176 Sw1.4 82.129.245.146 06 0050 062F 6
--More-- ��������� ���������
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa2/1 68.142.230.176 Sw1.5 82.129.245.146 06 0050 062E 4
Fa2/1 83.41.68.184 Sw1.5 62.68.246.202 06 4392 1236 6035
Fa1/1.1 194.67.35.196 Sw1.4 213.212.235.178 06 0050 7FA9 5
Fa1/1.1 82.129.133.34 Sw1.1 82.129.224.186 06 053F 0087 2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa2/1 62.68.46.1 Sw1.1 62.240.116.147 01 0000 030D 53
Fa1/1.1 207.46.108.88 Sw1.2 62.68.252.54 06 0747 049D 2
Fa1/1.1 62.240.116.147 Fa2/1 62.240.118.160 06 07E0 0087 58
Fa2/1 196.204.224.7 Null 196.204.245.118 06 0AD8 01BD 1
Fa1/1.1 62.240.110.197 Sw1.2 62.240.124.158 11 0035 0089 1
Fa1/1.1 82.129.242.90 Fa2/1 82.129.159.101 06 0F6C 01BD 124
Fa2/1 61.185.28.41 Fa1/1.1 82.129.191.62 11 04A2 059A 57
Fa1/1.1 62.68.188.246 Sw1.4 62.68.245.186 06 0087 11B1 2
Fa2/1 62.104.191.203 Sw1.5 62.68.245.182 01 0000 0301 1
Fa2/1 61.229.0.6 Sw1.4 82.129.130.238 06 17E2 0B1C 3367
Fa2/1 81.241.135.66 Sw1.5 62.68.255.101 11 18CA 18CA 105
Fa1/1.1 82.129.242.88 Fa2/1 82.129.159.94 06 0C91 01BD 124
Fa2/1 82.227.196.122 Fa2/1 82.129.167.171 06 0DCC 0C38 174
Fa2/1 172.211.239.63 Sw1.2 213.212.232.206 11 205A 236D 1
Fa2/1 213.212.155.1 Sw1.1 213.212.229.25 01 0000 030D 21
Fa2/1 63.210.62.165 Sw1.5 82.129.134.154 06 0050 35B7 1
Fa1/1.1 82.129.133.34 Sw1.5 82.129.142.15 06 0FBE 0087 2
--
~Kim
More information about the cisco-nsp
mailing list