Ben
07-25-2004, 01:42 AM
Netflow doesn't impact the CPU anywhere near as much, but it doesn't work on
all types of line cards (vips only?). You also get more information such as
source/destination port. You should check the processor of the vip card
before running it as well as the cpu.
In practice I often have to download and manipulate the text to find a
pattern but sometimes it's obvious what is going on.
interface command is simply 'ip route cache flow'
and then 'show ip cache flow'
"Gary" <reachus@netlink.info> wrote in message
news:gw60c.15074$TT5.12318@lakeread06...
>
> "Jeff C" <jeffc@garbageingarbageout.tv> wrote in message
> news:c7V%b.5916$Zp.4359@fed1read07...
> > "Gary" <reachus@netlink.info> wrote in
> > news:YRT%b.13970$TT5.8808@lakeread06:
> >
> > >
> > > "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
> > > news:c1ovre$qvk$1@canopus.cc.umanitoba.ca...
> > >> In article <0fT%b.13968$TT5.12213@lakeread06>,
> > >> Gary <reachus@netlink.info> wrote:
> > >> :We are considering running IP Accounting on the handoff to our
> > >> :internal network to help identify targets of DoS attacks.
> > >>
> > >> :1. Is it that simple to spot the target
> > >> :2. What are the overheads of using this feature in terms of CPU
> > >> :as the router would already be stressed because of the DoS.
> > >>
> > >> What I gather from the discussions of others is that netflow is
> > >> more efficient than IP accounting.
> > >>
> > >> How would you get to the IP Accounting data? Were you thinking of
> > >> SNMP'ing for it? SNMP can add significantly to the processor load.
> > >>
> > >
> > > This was a simple DoS attacking one unprotected machine, but we could
> > > not track it as the router was stressed.
> > >
> > > I think IP Accounting would have shown us what we needed but may have
> > > killed the router and it is that question I need to know about.
> > >
> > > Gary
> > >
> >
> > Yes you can push a router to unresponsiveness with ip accounting. I don't
> > have any particulars about how much of a CPU hit it takes to run, sorry.
> > If you know the server that the DoS attack was centered on you may try
> > limiting source IPs and destination ports that are able to connect to it.
> >
> > -Jeff C
>
> What about netflow - Would capturing this type of data for analysis help
> with DDoS's without helping to kill the router ?
>
> Gary
>
>
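Ben's post names the two IOS commands (the interface command is written `ip route-cache flow` in IOS) and says he usually has to download the `show ip cache flow` text and work through it to find a pattern. The following Python script is added here as an example and is not part of the thread: it parses the flow table columns (protocol and ports are printed in hex by IOS), totals packets per destination, counts distinct source addresses, and flags destinations that absorb most of the traffic from many sources, which is what a flooded host looks like in the table. The flow rows are constructed sample data, not captured router output, and the thresholds in `suspicious_targets` are assumptions to tune for your own link.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the column layout of `show ip cache flow`.
# Not captured from a real router; protocol and ports are hex as in IOS.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         198.51.100.7    Fa0/1         192.0.2.10      06 0401 0050    15
Fa0/0         198.51.100.8    Fa0/1         192.0.2.10      06 0402 0050    12
Fa0/0         198.51.100.9    Fa0/1         192.0.2.10      11 0035 0035   300
Fa0/0         198.51.100.10   Fa0/1         192.0.2.10      11 0036 0035   280
Fa0/0         198.51.100.11   Fa0/1         192.0.2.10      11 0037 0035   310
Fa0/0         203.0.113.4     Fa0/1         192.0.2.20      06 0600 0050     9
Fa0/0         203.0.113.4     Fa0/1         192.0.2.21      06 0601 01BB     4
"""

# One data row of the flow table; header and summary lines will not match.
ROW = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flows(text):
    """Return one dict per flow row; lines that are not flow rows are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        flows.append({
            "src": m["src"],
            "dst": m["dst"],
            "proto": int(m["proto"], 16),   # 06 = TCP, 11 = UDP
            "sport": int(m["sport"], 16),
            "dport": int(m["dport"], 16),
            "pkts": int(m["pkts"]),
        })
    return flows


def rank_targets(flows):
    """Aggregate per destination: packets, traffic share, distinct sources,
    and the destination port carrying the most packets. Sorted by packets."""
    pkts = defaultdict(int)
    sources = defaultdict(set)
    ports = defaultdict(lambda: defaultdict(int))
    for f in flows:
        pkts[f["dst"]] += f["pkts"]
        sources[f["dst"]].add(f["src"])
        ports[f["dst"]][f["dport"]] += f["pkts"]
    total = sum(pkts.values()) or 1
    ranked = []
    for dst in pkts:
        port, port_pkts = max(ports[dst].items(), key=lambda kv: kv[1])
        ranked.append({
            "dst": dst,
            "pkts": pkts[dst],
            "share": pkts[dst] / total,
            "sources": len(sources[dst]),
            "top_dst_port": (port, port_pkts),
        })
    ranked.sort(key=lambda r: r["pkts"], reverse=True)
    return ranked


def suspicious_targets(flows, min_share=0.5, min_sources=3):
    """Destinations taking most of the packets from many distinct sources.
    Thresholds are assumed starting values, not measured ones."""
    return [r["dst"] for r in rank_targets(flows)
            if r["share"] >= min_share and r["sources"] >= min_sources]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for r in rank_targets(flows):
        port, port_pkts = r["top_dst_port"]
        print(f"{r['dst']:<15} pkts={r['pkts']:>5} share={r['share']:.2f} "
              f"sources={r['sources']} top_dport={port} ({port_pkts} pkts)")
    print("flagged:", suspicious_targets(flows))
```

Run it against a saved copy of the router output instead of `SAMPLE` and the flagged entry is the host to look at first; the busiest destination port tells you which service is being hit, which is the extra information Ben mentions NetFlow gives over IP accounting.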