5.2 What NetFlow Can Help You Do

Imagine your network is hit by a denial of service attack. The first thing you notice is that your network has degraded connectivity to the rest of the Internet. The interface counters on your border router indicate a very high rate of traffic, and when you examine the MRTG graph, you see a sudden, dramatic rise in traffic levels. This all points to a possible denial of service attack. Turning to NetFlow, you examine the traffic in real time and notice a large number of connections from a single host, all to sequentially increasing IP addresses inside your network:

 srcIP          dstIP        prot srcPort dstPort octets packets
 10.194.158.201 10.36.1.21   6    80      32966   466    1
 10.54.59.138   10.209.0.60  17   32781   22      165    3
 10.54.59.138   10.209.0.61  17   32781   22      165    3
 10.54.59.138   10.209.0.62  17   32781   22      165    3
 10.89.67.212   10.225.0.86  6    1751    1214    652    6
 10.54.59.138   10.209.0.63  17   32781   22      165    3
 10.54.59.138   10.209.0.64  17   32781   22      165    3
 10.54.59.138   10.209.0.65  17   32781   22      165    3
 10.54.59.138   10.209.0.66  17   32781   22      165    3
 10.54.59.138   10.209.0.67  17   32781   22      165    3
 10.54.59.138   10.209.0.68  17   32781   22      165    3
 10.226.244.82  10.215.0.200 17   6257    6257    309    4

Realizing this is someone scanning your network, you can now block the traffic at the border router and notify the network administrators at the remote site.



Open Source Network Administration