[c-nsp] 6500 real world (sampled) netflow

Jon Lewis jlewis at lewis.org
Mon Sep 2 20:36:59 EDT 2013


On Mon, 2 Sep 2013, Dobbins, Roland wrote:

> On Sep 3, 2013, at 4:34 AM, Jon Lewis wrote:
>
>> Having used it exactly for that, I disagree and am curious why you say
>> it's useless.
>
> Because in any Internet-facing environment with any kind of traffic 
> diversity, it's non-deterministically skewed.
>
> So, in a network environment of any scale, you can't actually know 
> whether or not a given source or destination is sending/receiving 
> unusual volumes of traffic, as you don't know what is usual.

Maybe if you're talking about using it in an IDS sort of way, I'd agree, 
but for detecting the sort of huge scale anomaly found in DoS attacks, no. 
At least for a "smaller" network that normally deals with traffic on the 
order of a gbit/s or so, the Sup720's netflow data definitely is useful for 
DoS traffic characterization/investigation.  I haven't looked at netflow 
from one doing tens or hundreds of gbit/s.

I think your employer is clouding your vision.

Sure, netflow from a Sup720 isn't great, but if it's what you've got, it 
can be used and relied upon.  Maybe it doesn't play well with Arbor's 
products, but that only makes it useless to Arbor.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
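The kind of large-scale anomaly detection Jon describes, as an added illustration that is not part of the original thread: sampled flow records are scaled back up by the sampling rate, totalled per destination and compared against a per-destination baseline. The 1:1000 sampling rate, the 60-second interval, the flow records and the baseline figures are all constructed for the example; a minimum sample count keeps destinations with only a handful of records (where the sampling error Roland objects to is largest) from raising alerts.

```python
"""Added example: flagging a volumetric DoS target in sampled NetFlow.

Sampled records are scaled by the sampling rate to estimate real volume,
aggregated per destination and compared against a per-destination
baseline. A minimum record count guards against the noise that a handful
of samples carries.
"""
from collections import defaultdict
from math import sqrt

# Assumed exporter setting: 1-in-1000 packet sampling (constructed).
SAMPLING_RATE = 1000
INTERVAL_SECONDS = 60  # export interval the records below cover (constructed)

# Constructed sampled records: (src, dst, proto, bytes, packets).
# 203.0.113.10 is the flooded target; .20 and .30 carry ordinary traffic.
SAMPLE_FLOWS = (
    # 200 sources, 2 sampled 1500-byte UDP packets each, toward the target
    [(f"198.51.100.{i}", "203.0.113.10", 17, 1500, 1)
     for i in range(1, 201) for _ in range(2)]
    # ordinary web traffic to .20
    + [("192.0.2.5", "203.0.113.20", 6, b, 1) for b in (1500, 64, 1500, 800, 1200)]
    # two stray samples to .30: far too few to estimate anything reliably
    + [("192.0.2.9", "203.0.113.30", 6, 1500, 1)] * 2
)

# Constructed per-destination baseline: typical bytes per interval.
BASELINE_BYTES = {
    "203.0.113.10": 50_000_000,
    "203.0.113.20": 5_000_000,
    "203.0.113.30": 1_000_000,
}


def aggregate_by_dst(flows, sampling_rate):
    """Scale each sampled record by the sampling rate and total per destination."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "records": 0, "sources": set()})
    for src, dst, _proto, nbytes, npackets in flows:
        entry = agg[dst]
        entry["bytes"] += nbytes * sampling_rate
        entry["packets"] += npackets * sampling_rate
        entry["records"] += 1
        entry["sources"].add(src)
    # Replace the source set with its size so the result is plain data.
    return {dst: {**e, "sources": len(e["sources"])} for dst, e in agg.items()}


def estimated_mbps(nbytes, interval_seconds):
    """Bytes per interval expressed in megabits per second."""
    return nbytes * 8 / interval_seconds / 1e6


def relative_error(records):
    """Approximate relative standard error of an estimate built from n
    samples (Poisson approximation: 1/sqrt(n))."""
    return 1 / sqrt(records) if records else float("inf")


def detect_volumetric_anomalies(agg, baseline, ratio_threshold=10.0, min_records=20):
    """Flag destinations whose estimated volume exceeds baseline by a large
    factor, skipping destinations with too few samples to trust the estimate."""
    alerts = []
    for dst, e in agg.items():
        base = baseline.get(dst)
        if not base or e["records"] < min_records:
            continue
        ratio = e["bytes"] / base
        if ratio >= ratio_threshold:
            alerts.append({
                "dst": dst,
                "ratio": ratio,
                "est_mbps": estimated_mbps(e["bytes"], INTERVAL_SECONDS),
                "sources": e["sources"],
                "rel_error": relative_error(e["records"]),
            })
    return sorted(alerts, key=lambda a: a["ratio"], reverse=True)


if __name__ == "__main__":
    agg = aggregate_by_dst(SAMPLE_FLOWS, SAMPLING_RATE)
    for a in detect_volumetric_anomalies(agg, BASELINE_BYTES):
        print(f"{a['dst']}: ~{a['est_mbps']:.0f} Mbit/s, {a['ratio']:.1f}x baseline, "
              f"{a['sources']} sources, +/-{a['rel_error']:.0%} sampling error")
```

With these inputs the target shows up at roughly 80 Mbit/s against a baseline of under 7 Mbit/s, a twelvefold jump from 200 distinct sources, while the host with two stray samples is ignored even though its raw estimate is three times its baseline: two samples at 1:1000 carry about 70% relative error, so nothing can be concluded from them. That is the asymmetry the post relies on: sampling noise dominates small flows, but a flood large enough to matter swamps it.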