[c-nsp] 6500 under DDoS

Paul Kohler pkohler at cisco.com
Wed Jul 28 14:05:43 EDT 2004


inline

At 06:38 AM 7/28/2004, Sam Stickland wrote:
>On Wed, 28 Jul 2004 Fredrik.Jacobsson at enskilda.se wrote:
>
>>Hi!
>>
>>I was about to try NBAR in our lab, but now I'm hesitating since I
>>can't see how we could take it into production with this knowledge :)
>>Would it be possible to create a span to a port where you connect a
>>router that has NBAR enabled? Or won't that give you any interesting info?
>
>Never tried this for NBAR specifically, but I can't see any reason why 
>this wouldn't work. We use span ports internally for this kind of 
>monitoring, and analyse the traffic on end-stations rather than routers. 
>IMO, well built servers, out of the routing path, make for far better 
>analysis boxes than software switched routers ;)
>
>>How about Netflow? Does that have the same drawbacks?
>
>Netflow will be in the hardware path, but it's not going to give you 
>nearly the same amount of information as NBAR as it won't do any kind of 
>payload analysis.

NetFlow is supported on both the PFC & MSFC. On the Sup 2 & 720 the 
majority of the traffic traverses the PFC where NetFlow is supported in 
hardware via the MLS cache.

NetFlow tracks the protocol and port #s so if the application uses a well 
known port number range, and the vast majority do, you can track the apps:
http://www.iana.org/assignments/port-numbers

For NetFlow information go to
www.cisco.com/go/netflow
and you can also check out the most recent Networkers presentation that has 
details on C6500 NetFlow support:
http://www.cisco.com/networkers/nw04/session_tbs.html
choose "Networkers Session Catalog" and the session is "NetFlow for 
Accounting, Analysis and Attack" (NMS-2032)

NBAR does deep packet inspection, i.e. layers 5 - 7, while NetFlow tops out at 
layer 4 (port #s).

Paul


>Sam
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
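As an added illustration (not part of the thread, and not Cisco code), a small Python script that works only with the layer-4 fields a NetFlow record carries, protocol and port numbers, to label traffic by IANA well-known port and to flag a destination that is receiving tiny packets from an unusually large number of sources. The flow records, thresholds and port table are constructed for the example; note that the port label is only a guess at the application, which is exactly the gap NBAR's payload inspection fills.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """Subset of NetFlow v5 fields: L3/L4 keys plus packet and byte counts."""
    src: str
    dst: str
    proto: int   # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int
    pkts: int
    octets: int

# Constructed subset of IANA well-known ports; a real table would be far larger.
WELL_KNOWN = {(6, 80): "http", (6, 443): "https", (17, 53): "dns", (6, 25): "smtp"}

def classify(flow):
    """Layer-4 application guess: all a port-based classifier can say."""
    key_dst, key_src = (flow.proto, flow.dport), (flow.proto, flow.sport)
    return WELL_KNOWN.get(key_dst) or WELL_KNOWN.get(key_src) or f"proto{flow.proto}/{flow.dport}"

def ddos_suspects(flows, min_sources=50, max_avg_bytes=100):
    """Per destination: distinct sources and average packet size.
    Many sources sending tiny packets to one host is the flood signature
    that flow data can reveal without looking at any payload."""
    by_dst = defaultdict(lambda: {"srcs": set(), "pkts": 0, "octets": 0, "apps": defaultdict(int)})
    for f in flows:
        d = by_dst[f.dst]
        d["srcs"].add(f.src)
        d["pkts"] += f.pkts
        d["octets"] += f.octets
        d["apps"][classify(f)] += f.pkts
    suspects = {}
    for dst, d in by_dst.items():
        avg = d["octets"] / d["pkts"] if d["pkts"] else 0
        if len(d["srcs"]) >= min_sources and avg <= max_avg_bytes:
            top_app = max(d["apps"], key=d["apps"].get)
            suspects[dst] = {"sources": len(d["srcs"]), "avg_bytes": round(avg, 1), "top_app": top_app}
    return suspects

def sample_flows():
    """Constructed records: two normal web sessions plus a 200-source SYN-sized flood."""
    flows = [Flow("10.0.0.5", "192.0.2.10", 6, 51000, 80, 120, 96000),
             Flow("10.0.0.6", "192.0.2.10", 6, 51001, 443, 80, 64000)]
    for i in range(200):
        flows.append(Flow(f"203.0.113.{i}", "192.0.2.20", 6, 1024 + i, 80, 10, 400))
    return flows

if __name__ == "__main__":
    for dst, info in ddos_suspects(sample_flows()).items():
        print(dst, info)
```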
