On Tue, 30 Aug 2005, Viktor Steinmann wrote:

> We used netflow on all external interfaces towards upstream & 
> peerings, so we could find out, how much traffic we were exchanging 
> with which AS. It's quite a nice feature for peering policy decisions 
> (or the decision, if you should change your upstream)
> 
> The tool we used was flowscan 
> (http://www.caida.org/tools/utilities/flowscan/), but I hear there 
> are others as well (especially, if you are willing to shell out some money 
> :-))
> 
> Another nice use for netflow data are intrusion detection systems, 
> that can find out unusual traffic patterns with heuristic methods. 
> Since those systems are quite expensive, I don't have any first-hand 
> experience, but I hear, they have a long learning period, need a lot 
> of tweaking until they do, what they're supposed to do...   If you're 
> interested in this stuff, I guess Nico (Fischbach) is your man :-)

   As I have worked with Nico on this area (security uses of NetFlow),
   I'll take the freedom to hijack his potential answer :) The fact is,
   you don't necessarily need to put big bucks, and simple heuristics
   such as top speakers (top in bytes, packets, and / or duration) can
   teach you a lot about potential misuses on your network. Good free
   software is available for that (nfdump / nfsen has already been
   advertized by its author :))

   In fact, we have set up a list [1] to host this kind of discussion
   related to NetFlow: analysis, heuristics to be used, database design
   (or not), ... At the end of the day, I'm not sure we all can come up
   with something as cool as the arbor products, but if it permits to
   get the job done ... 

   (sorry for you nanogers)

      - yann

   [1] http://www.csrrt.org.lu/mailman/listinfo/flowop
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
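
The "top speakers" heuristic mentioned in the message above, as an added example that is not part of the original post and is not nfdump / nfsen code. The CSV layout, the addresses and all function names are constructed for illustration; the point is that ranking by bytes, packets and duration surfaces different hosts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real traffic, not nfdump's output format):
# source address, destination address, bytes, packets, duration in seconds.
SAMPLE_FLOWS = """\
src,dst,bytes,packets,duration
192.0.2.10,198.51.100.5,1200000,900,30.0
192.0.2.10,198.51.100.6,800000,600,20.0
192.0.2.20,198.51.100.5,160000,4000,2.0
192.0.2.20,198.51.100.7,144000,3600,1.5
192.0.2.30,198.51.100.8,50000,400,7200.0
192.0.2.40,198.51.100.5,20000,30,4.0
"""

METRICS = ("bytes", "packets", "duration")


def aggregate(flow_csv):
    """Sum bytes, packets and duration per source address."""
    totals = defaultdict(lambda: dict.fromkeys(METRICS, 0.0))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        for metric in METRICS:
            totals[row["src"]][metric] += float(row[metric])
    return totals


def top_speakers(totals, metric, n=2):
    """Return the n sources with the highest total for one metric."""
    ranked = sorted(totals, key=lambda src: totals[src][metric], reverse=True)
    return ranked[:n]


def report(flow_csv, n=2):
    """Map each metric to its top-n sources so the rankings can be compared."""
    totals = aggregate(flow_csv)
    return {metric: top_speakers(totals, metric, n) for metric in METRICS}


if __name__ == "__main__":
    # A bulk sender, a many-small-packets source and a long-lived flow
    # each lead a different ranking in the constructed sample.
    for metric, hosts in report(SAMPLE_FLOWS).items():
        print(f"top by {metric}: {hosts}")
```
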
