Raffael Marty writes:

I am doing some research on NetFlow and wanted to ask you guys a few things: How are you using NetFlow? For what purposes? Billing? Security?

Yes, both billing (and coarse-grained traffic analysis on our upstream and peering connections) and security (detection and localization of malicious traffic, trend analysis, "cyberepidemiology" research).

Do you have NetFlow enabled on all your routers?

In our setup we only use data from our border (peering) routers.

Do you enable it on all the interfaces or just on the external/internal interface?

We have it enabled in the ingress direction on all interfaces, so that we can count all traffic both inbound and outbound through the router. Also our current platform (with current software) cannot enable Netflow selectively.

Do you utilize any tool to stitch the NetFlows back together? Why would you do that?

In the part I'm responsible for (billing etc.), I don't try to match related unidirectional flows to bidirectional flows. Maybe for security applications this would be more useful. At any rate it's difficult in our network, because the two directions often go through different routers.

I guess you can tell that I was never exposed to NetFlow in the ISP world. Any answers or comments are really appreciated.

I maintain a page with pointers to Netflow-related software packages - maybe you find it useful:

http://www.switch.ch/tf-tant/floma/software.html

On Tue, 30 Aug 2005, Viktor Steinmann wrote:

We used netflow on all external interfaces towards upstream & peerings, so we could find out, how much traffic we were exchaning with which AS. It's quite a nice feature for peering policy decisions (or the decision, if you should change your upstream)

The tool we used was flowscan (http://www.caida.org/tools/utilities/flowscan/), but I hear there are others as well (especially, if you are willing to shed out some money :-))

Another nice use for netflow data are intrusion detection systems, that can find out unusual traffic patterns with heuristic methods. Since those systems are quite expensive, I don't have any first-hand experience, but I hear, they have a long learning period, need a lot of tweaking until they do, what they're supposed to do... If you're interested in this stuff, I guess Nico (Fischbach) is your man :-)

As I have worked with Nico on this area (security uses of NetFlow), i'll take the freedom to hijack his potential answer :) The fact is, you don't necessarily need to put big bucks, and simple heuristics such as top speakers (top in bytes, packets, and / or duration) can learn you a lot about potential misuses on your network. Good free software is avalaible for that (nfdump / nfsen has already been advertized by his author :))

In fact, we have set up a list [1] to host this kind of discussions related to NetFlow: analysis, heuristics to be used, database design (or not), ... At the end of the day, i'm not sure we all can come with something as cool as the arbor products, but if it permits to get the job done ...

(sorry for you nanogers)

- yann

[1] http://www.csrrt.org.lu/mailman/listinfo/flowop

Hello,

Also for security features you can have a look at Arbor solutions (http://www.arbor.net). We are using this system for our network and it's damn hot :P

Cu,

Nico

--On August 30, 2005 12:25:31 -0400 Raffael Marty raffy@raffy.ch wrote:

| I am doing some research on NetFlow and wanted to ask you guys a few things: | | How are you using NetFlow? For what purposes? Billing? Security? Do you | have NetFlow enabled on all your routers? Do you enable it on all the | interfaces or just on the external/internal interface? Do you utilize any | tool to stitch the NetFlows back together? Why would you do that? | | I guess you can tell that I was never exposed to NetFlow in the ISP world. | Any answers or comments are really appreciated.

You may have a look at our tools from SWITCH-CERT. We use them mostly for security related issues.

Backend: http://nfdump.sourceforge.net/ Frontend: http://nfsen.sourceforge.net/

- Peter

| | Thanks | | -raffy | | -- | Raffael Marty, GCIA, CISSP | Senior Security Engineer @ ArcSight Inc. | _______________________________________________ | swinog mailing list | swinog@lists.swinog.ch | http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog |

-- _______ SWITCH - The Swiss Education and Research Network ______ Peter Haag, Security Engineer, Member of SWITCH CERT PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7 SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland E-mail: peter.haag@switch.ch Web: http://www.switch.ch/

_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog