Imagine your network is hit by a denial of service attack. The first thing you notice is that your network has degraded connectivity to the rest of the Internet. The interface counters on your border router show a very high rate of traffic, and when you examine the MRTG graph, you see a sudden, dramatic rise in traffic levels. This all points to a possible denial of service attack. Turning to NetFlow, you examine the traffic in real time and notice a large number of flows from a single host, all to sequentially increasing IP addresses inside your network:

srcIP            dstIP          prot  srcPort  dstPort  octets  packets
10.194.158.201   10.36.1.21     6     80       32966    466     1
10.54.59.138     10.209.0.60    17    32781    22       165     3
10.54.59.138     10.209.0.61    17    32781    22       165     3
10.54.59.138     10.209.0.62    17    32781    22       165     3
10.89.67.212     10.225.0.86    6     1751     1214     652     6
10.54.59.138     10.209.0.63    17    32781    22       165     3
10.54.59.138     10.209.0.64    17    32781    22       165     3
10.54.59.138     10.209.0.65    17    32781    22       165     3
10.54.59.138     10.209.0.66    17    32781    22       165     3
10.54.59.138     10.209.0.67    17    32781    22       165     3
10.54.59.138     10.209.0.68    17    32781    22       165     3
10.226.244.82    10.215.0.200   17    6257     6257     309     4

Every flow from 10.54.59.138 has the same shape: protocol 17 (UDP), source port 32781, destination port 22, 3 packets and 165 octets, with only the destination address increasing by one each time. Identical small flows walking through consecutive addresses are the signature of a host sweep rather than of a traffic flood. Realizing this is someone scanning your network, you can now block the traffic at the border router and notify the network administrators at the remote site.
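The sweep above can be picked out of a flow feed mechanically rather than by eye. The following is an added example, not code from the original text: it parses flow records in the column layout shown above, groups them by source, protocol and destination port, and flags any source that reaches many distinct destinations on one port, noting whether those destinations form a contiguous run. The twelve records are the rows from the table, embedded as a constructed inline sample; the five-host threshold and the Cisco IOS-style ACL line emitted for the border router are illustrative assumptions, not something the text specifies.

```python
"""Detect a horizontal (host) sweep in NetFlow-style flow records.

Added example. SAMPLE_FLOWS is a constructed inline copy of the twelve
records shown in the text; a real deployment would read the collector's
output instead. Column layout: srcIP dstIP prot srcPort dstPort octets packets.
"""
import ipaddress
from collections import defaultdict

SAMPLE_FLOWS = """\
srcIP dstIP prot srcPort dstPort octets packets
10.194.158.201 10.36.1.21 6 80 32966 466 1
10.54.59.138 10.209.0.60 17 32781 22 165 3
10.54.59.138 10.209.0.61 17 32781 22 165 3
10.54.59.138 10.209.0.62 17 32781 22 165 3
10.89.67.212 10.225.0.86 6 1751 1214 652 6
10.54.59.138 10.209.0.63 17 32781 22 165 3
10.54.59.138 10.209.0.64 17 32781 22 165 3
10.54.59.138 10.209.0.65 17 32781 22 165 3
10.54.59.138 10.209.0.66 17 32781 22 165 3
10.54.59.138 10.209.0.67 17 32781 22 165 3
10.54.59.138 10.209.0.68 17 32781 22 165 3
10.226.244.82 10.215.0.200 17 6257 6257 309 4
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_flows(text):
    """Parse whitespace-separated flow lines, skipping the header row."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "srcIP":
            continue
        src, dst, prot, sport, dport, octets, packets = fields
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "prot": int(prot),
            "sport": int(sport),
            "dport": int(dport),
            "octets": int(octets),
            "packets": int(packets),
        })
    return flows


def find_scanners(flows, min_targets=5):
    """Group flows by (src, prot, dstPort). A source that touches at least
    min_targets distinct destinations on a single port is reported as a
    horizontal sweep; 'sequential' is True when the destinations form one
    contiguous address run, as in the text's example."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f["src"], f["prot"], f["dport"])].add(f["dst"])
    hits = []
    for (src, prot, dport), dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        ordered = sorted(dsts)
        sequential = all(int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
        hits.append({
            "src": str(src),
            "proto": PROTO_NAMES.get(prot, str(prot)),
            "dport": dport,
            "targets": len(dsts),
            "first": str(ordered[0]),
            "last": str(ordered[-1]),
            "sequential": sequential,
        })
    return hits


def block_acl(src, acl_number=101):
    """Illustrative Cisco IOS-style extended ACL entry that drops all traffic
    from the scanning host at the border router (assumed platform syntax)."""
    return f"access-list {acl_number} deny ip host {src} any"


if __name__ == "__main__":
    for hit in find_scanners(parse_flows(SAMPLE_FLOWS)):
        kind = "sequential sweep" if hit["sequential"] else "scattered targets"
        print(f"{hit['src']} -> {hit['targets']} hosts on {hit['proto']}/{hit['dport']} "
              f"({hit['first']}..{hit['last']}, {kind})")
        print("  suggested block:", block_acl(hit["src"]))
```

Keying on the destination port as well as the source keeps ordinary busy servers (one source, many clients on many ports) from tripping the rule, and the contiguity check separates a naive sequential sweep from a randomized one so the two can be triaged differently.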