[c-nsp] Traffic destined to IPs that are null routed, Netflow, and you!

Sven Huster sven at huster.me.uk
Fri Mar 12 11:08:56 EST 2010


On 12 Mar 2010, at 15:36, Drew Weaver wrote:

> GSR 12810 /w E5 Line cards.
> 
> I was using flow-tools and sorting by 'octets' and it didn't show up in there (it was a 500Mbps oops), so I would've expected to see that in there.

At least for E3 line cards you don't seem to see the drops in NetFlow exports.
Very annoying for tracking ongoing attacks.

--
Sven


> 
> -Drew
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
> Sent: Friday, March 12, 2010 9:56 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Traffic destined to IPs that are null routed, Netflow, and you!
> 
> On 12/03/10 13:23, Drew Weaver wrote:
>> Hi,
>> 
>> I had an incident earlier this week where for "some reason" a large
>> amount of traffic was being sent to an IP that wasn't routed in my
>> network (was covered by the hold down).
>> 
>> Ultimately I found the source/dest of the traffic by simply routing
>> all of the unused IPs to a server, and then used tcpdump.
>> 
>> My question is, is it normal for this 'hold down' traffic not to show
>> up anywhere in Netflow?
> 
> On what platform?
> 
> It does show up in our netflow, on 6500/sup720.
> 
> That said, the "out if" index is the ifIndex of Null0, which is NOT zero.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
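
Added example, not part of the original thread or any poster's code: on a platform that does export these flows (6500/sup720 per the reply above), null-routed traffic can be picked out by matching the output interface against the ifIndex of Null0 rather than against zero. The CSV column names, the sample records, and the ifIndex value 37 are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: CSV flow export with assumed column names.
# Addresses are documentation ranges; ifIndex 37 for Null0 is made up.
SAMPLE_FLOWS = """\
srcaddr,dstaddr,input,output,doctets
198.51.100.7,192.0.2.200,12,37,4200000000
198.51.100.9,192.0.2.200,12,37,1800000000
203.0.113.5,192.0.2.10,12,14,900000000
203.0.113.8,192.0.2.201,13,37,1500
203.0.113.5,192.0.2.11,12,0,64000
"""

NULL0_IFINDEX = 37  # assumption: taken from the router's ifTable entry for Null0


def null_routed_talkers(flow_csv, null_ifindex, top=10):
    """Return [(dst, total_octets, [(src, octets), ...]), ...] for flows
    whose output interface is null_ifindex, largest destination first."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            out_if = int(row["output"])
            octets = int(row["doctets"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed or truncated records
        if out_if != null_ifindex:
            continue
        per_dst[row["dstaddr"]][row["srcaddr"]] += octets
    ranked = []
    for dst, sources in per_dst.items():
        by_src = sorted(sources.items(), key=lambda kv: kv[1], reverse=True)
        ranked.append((dst, sum(sources.values()), by_src))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked[:top]


if __name__ == "__main__":
    for dst, total, sources in null_routed_talkers(SAMPLE_FLOWS, NULL0_IFINDEX):
        print(f"{dst}: {total} octets with output interface Null0")
        for src, octets in sources:
            print(f"    from {src}: {octets}")
    # Filtering on output == 0 selects a different set of flows entirely.
    print(null_routed_talkers(SAMPLE_FLOWS, 0))
```

On line cards that do not export dropped flows at all, as reported for E3 above, this returns an empty list and a packet capture is still needed.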



