[c-nsp] NetFlow for Bandwidth Billing

Bill Nash billn at billn.net
Wed May 2 12:14:51 EDT 2007


Adam! Long time, etc, etc.

[ not speaking to anyone in particular, just commenting on the brain dump ]

> As a general statement, I believe NetFlow is an incredibly useful traffic
> accounting technology - its application as a bandwidth billing mechanism is
> proven. A few comments and things to consider based on my experience working
> with NetFlow...
> 

Also, if you enable src/dst AS tagging on your flows (implies flow 
generation from a bgp speaking device, caveat emptor for load hits), you 
get the side effect of being able to see where your traffic is originating 
from, which gives you some leverage when deciding who to peer with (or who 
not to peer with).

> > My main concern is to understand the implications of using NetFlow for
> > bandwidth
> > billing, and if there are any major reasons "not" to do it this way.
> > 

There are a lot of benefits to flow based accounting, provided a good 
architecture that can handle the volume of data. It's very easy for 
netflow to run away from you, especially if you're dealing with duplicate 
flows.

Other things you can do with netflow: 

Portscan/backscatter detection - I use a 'tcp bullshit' filter that scraps 
any proto 6 flow with 3 packets or less (incomplete tcp session). It's 
like a squelch knob for the internet. Depending on your security 
requirements, this information may be interesting to you. For reducing 
analyzer load and raw flow retention, this may also be interesting to you.

Ghetto intrusion detection - If you inventory the services you expect to be 
generating traffic on a given box (ssh, smtp, http being typical colo 
examples) and a box starts talking tor, bittorrent, ftp, or similar, 
you're finding out after the fact, but at least you're finding out. You 
can also use this treatment to turn your entire network into a honeypot. 
Toss in a blackhole ospf/bgp routing toolset, and you can flip the 
bullshit filter upside down and start filtering top talkers.

Good Neighbor enforcement - Why is one box in your colo scanning all the 
others? If you're only enabling flows at the edge, you might miss out on 
this behavior.

Forensics - If you retain raw flows for any period of time, being able to 
go back and replay a given time period is helpful for reconstructing 
compromises.

- billn
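The three flow uses above (the incomplete-TCP squelch, the expected-services inventory, the neighbour-scan check) as an added Python example, not code from the post or any flow tool; it reads a constructed CSV flow layout rather than a real NetFlow export, and the "lower-numbered port is the service port" heuristic and the 10.0.0.0/24 colo prefix are assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport pkts")

def parse_flows(text):
    """Parse constructed 'src,dst,proto,sport,dport,pkts' lines; '#' starts a comment."""
    rows = [ln.split("#", 1)[0].split(",") for ln in text.splitlines()]
    return [Flow(r[0], r[1], *map(int, r[2:])) for r in rows if len(r) == 6]

def tcp_squelch(flows, max_pkts=3):
    """Split into (kept, squelched): proto 6 with <= max_pkts packets is squelched."""
    squelched = [f for f in flows if f.proto == 6 and f.pkts <= max_pkts]
    return [f for f in flows if f not in squelched], squelched

def unexpected_services(flows, inventory):
    """Per inventoried host, service ports seen outside its expected set.
    Heuristic (assumption): the lower-numbered port is the service port."""
    hits = defaultdict(set)
    for f in flows:
        port = min(f.sport, f.dport)
        for host in (f.src, f.dst):
            if host in inventory and port not in inventory[host]:
                hits[host].add(port)
    return dict(hits)

def internal_scanners(flows, prefix, min_targets=3):
    """Internal sources that touched >= min_targets distinct internal hosts."""
    net = ipaddress.ip_network(prefix)
    seen = defaultdict(set)
    for f in flows:
        if ipaddress.ip_address(f.src) in net and ipaddress.ip_address(f.dst) in net:
            seen[f.src].add(f.dst)
    return {s: len(d) for s, d in seen.items() if len(d) >= min_targets}

SAMPLE = """
198.51.100.2,10.0.0.5,6,43210,80,12   # normal http to the web box
198.51.100.2,10.0.0.5,6,43211,80,2    # incomplete tcp, squelched
10.0.0.5,10.0.0.7,6,5000,22,1         # web box probing its neighbours
10.0.0.5,10.0.0.8,6,5001,22,1
10.0.0.5,10.0.0.9,6,5002,22,1
10.0.0.6,203.0.113.9,6,51234,6881,40  # mail box talking bittorrent
10.0.0.6,198.51.100.50,6,25,52000,30  # mail box serving smtp, expected
10.0.0.6,192.0.2.53,17,40000,53,2     # udp dns, not a tcp flow
"""
INVENTORY = {"10.0.0.5": {22, 80, 443}, "10.0.0.6": {22, 25, 53}}  # expected services

def triage(text=SAMPLE):  # service check on kept flows, scan check on the squelched pile
    kept, squelched = tcp_squelch(parse_flows(text))
    return unexpected_services(kept, INVENTORY), internal_scanners(squelched, "10.0.0.0/24")
```

Running the squelched pile through the scan check is the "filter flipped upside down" idea: the junk you drop from billing is exactly what shows a box probing its neighbours.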

