Scrutinizer v7.3 – Flow Analytics – DNS Hits

Posted in Scrutinizer on November 30th, 2009 by Scottr

Let me start by saying, I hope that everyone had a great Thanksgiving. At our house, we fried two turkeys this year. It was the first time that we attempted this, and after reading all the warnings that came with the new fryer, I guess the fact that no one got hurt means that the holiday was a success.

Last week I began a series of blogs that introduce you to the new Flow Analytic tools that are available with Plixer International’s latest NetFlow and sFlow analysis tool, Scrutinizer v7.3.

As a Network Administrator, I’m sure that you spend some of your time trying to identify hosts on your networks that may be infected with some kind of mailer worm. Mailer worms have to do DNS lookups for a mail server for a particular domain when sending out spam.

The DNS Hits violation looks for a large number of DNS lookups coming from a single host. Any host that sends out a large number of DNS queries in a short period of time should be investigated.

The threshold is simple and is set in the Flow Analytics Overview gadget under “inbound threshold”. This number is the number of DNS lookups a single host makes within a 5 minute period.

DNS Hits Threshold Setting

Of course, there are exceptions. Scrutinizer itself does large numbers of lookups to build a DNS cache of the IP addresses it sees. In this case, you want to exclude the Scrutinizer server’s IP from this algorithm to avoid false positives.
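The counting and exclusion logic described above, as an added example that is not Scrutinizer's own code: it bins flow records into 5 minute windows, counts DNS queries (flows to destination port 53) per source host, flags hosts over a threshold, and skips an exclusion list so a resolver-heavy server like the Scrutinizer host itself does not produce false positives. The flow records, IP addresses and threshold are all constructed for the example.

```python
"""Per-host DNS query counting over 5 minute windows with an exclusion list.

Added example, not Plixer/Scrutinizer code. Flow records are constructed
inline in a simplified (timestamp, src_ip, dst_ip, dst_port, proto) form.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # the 5 minute period the threshold refers to
DNS_PORT = 53
EPOCH = datetime(1970, 1, 1)    # naive reference point for window alignment


def window_start(ts, window=WINDOW):
    """Align a timestamp to the start of the window it falls in."""
    secs = (ts - EPOCH).total_seconds()
    aligned = (secs // window.total_seconds()) * window.total_seconds()
    return EPOCH + timedelta(seconds=aligned)


def count_dns_per_host(flows, window=WINDOW):
    """Return {(window_start, src_ip): number_of_dns_query_flows}.

    Only flows whose destination port is 53 are counted; everything else
    (web traffic, the DNS replies seen from the resolver side, ...) is ignored.
    """
    counts = defaultdict(int)
    for ts, src, _dst, dport, proto in flows:
        if dport != DNS_PORT or proto not in ("udp", "tcp"):
            continue
        counts[(window_start(ts, window), src)] += 1
    return counts


def dns_hits_violations(flows, threshold, exclude=frozenset(), window=WINDOW):
    """Hosts whose DNS query count in any one window exceeds the threshold.

    `exclude` holds source IPs that legitimately do many lookups (for example
    the flow collector building its own DNS cache) and must never be flagged.
    Result: sorted list of (window_start, src_ip, count).
    """
    violations = []
    for (bucket, src), n in sorted(count_dns_per_host(flows, window).items()):
        if src in exclude:
            continue
        if n > threshold:
            violations.append((bucket, src, n))
    return violations


# --- constructed sample data -------------------------------------------------
def _flows(src, count, start, spacing_s=1, dport=DNS_PORT, proto="udp"):
    """Build `count` flow records from `src` to a hypothetical resolver."""
    return [(start + timedelta(seconds=i * spacing_s), src, "10.0.0.53", dport, proto)
            for i in range(count)]


BASE = datetime(2009, 11, 30, 9, 0, 0)
SAMPLE_FLOWS = (
    _flows("10.0.0.5", 120, BASE)                      # suspicious host: 120 lookups in 2 min
    + _flows("10.0.0.9", 3, BASE, spacing_s=60)        # normal workstation: 3 lookups
    + _flows("10.0.0.2", 200, BASE)                    # hypothetical collector building its cache
    + _flows("10.0.0.9", 1, BASE + timedelta(minutes=5))  # lands in the next window
    + [(BASE, "10.0.0.5", "10.0.0.80", 80, "tcp")]     # non-DNS flow, must be ignored
)
THRESHOLD = 100                    # constructed "inbound threshold" value
EXCLUDED = frozenset({"10.0.0.2"})  # the collector's own address


def demo():
    """Run the check with and without the exclusion list."""
    naive = dns_hits_violations(SAMPLE_FLOWS, THRESHOLD)
    tuned = dns_hits_violations(SAMPLE_FLOWS, THRESHOLD, exclude=EXCLUDED)
    return naive, tuned


if __name__ == "__main__":
    for label, result in zip(("without exclusion", "with exclusion"), demo()):
        print(label)
        for bucket, src, n in result:
            print(f"  {bucket:%H:%M}  {src:<10} {n} DNS queries")
```

Without the exclusion list both the collector and the suspicious host trip the threshold; with it, only the host that the text describes as worth a look remains.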

All of these algorithms are intended to help our customers with improved network traffic analysis and network traffic monitoring. I will be blogging about more of the new features and reports available in Scrutinizer v7.3 in the upcoming days, so be sure to check in.

-Scott


2 Responses to “Scrutinizer v7.3 – Flow Analytics – DNS Hits”

  1. Pramesh Says:

    I want to know whether your software can provide real time data as provided by Internet Traffic Report on major routers around the world even if I do personally do not own them.

    My point is if I want to monitor global internet traffic, obviously I can not and do not own all the routers, then can your software provide traffic details for those routers.

  2. Jon Mills Says:

    Pramesh,

    Scrutinizer uses NetFlow to gather network traffic data. The thing about NetFlow is that the router needs to be told where to send this NetFlow data. In our case, wherever Scrutinizer is installed. Without access to the router, then there is no way to have this data sent to Scrutinizer for reporting.

    If you have NetFlow or sFlow capable routers or switches, then Scrutinizer can certainly monitor the traffic moving through them, but it sounds like the situation you describe is quite a bit different.
