Using NetFlow to tell if your network is part of a botnet, Part 2

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on August 19th, 2009 by NewsTrax

This is the final part in a two-part blog series on using Cisco NetFlow to identify if your network is part of a botnet. Part 1 gave a quick overview of distributed denial of service (DDoS) attacks and how they’re often caused by botnets flooding Web sites with requests, thus making the Web site inaccessible to others.

It’s not just home computers that could be part of botnets. Any work computer could be compromised if users unwittingly download malware or visit malicious Web sites, putting corporate networks at risk. How can Cisco NetFlow be used to identify DDoS attacks?

Watch the flow behavior
Network traffic monitoring using Cisco NetFlow can help identify suspicious behavior. Use the Scrutinizer Vitals to see whether there has been a recent spike in the overall flow volume collected from all your routers:

Network traffic flow volume
Once you identify the router kicking out massive amounts of flows, drill in to determine who is receiving the most flows:

Network traffic flow volume 2
Use flow analytics

Scanning for threats from external sources can reveal whether an internal computer is part of a botnet. The Flow Analytics module of Scrutinizer features an Internet Threats Monitor that watches all connections in and out of the Internet for such behavior. Flow Analytics, when used with the RST/ACK Destination algorithm and the SYN Violation algorithm, can also help catch network worms.
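As an added example (not code from the original post or from Scrutinizer), the following script runs the two checks described above over constructed NetFlow-style records: flow volume per exporter with a drill-down into the top receivers, then two simple detections that approximate what the SYN Violation and RST/ACK Destination algorithms look for. The record layout, thresholds and sample addresses are assumptions for illustration; how Scrutinizer actually implements those algorithms is not documented here.

```python
from collections import Counter, defaultdict

# TCP flag bits as carried in the NetFlow v5/v9 tcp_flags field
SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed sample flows (not real data): (exporter, src, dst, dst_port, tcp_flags)
FLOWS = [
    ("rtr-1", "10.0.0.5", "198.51.100.9", 80, SYN | ACK),
    ("rtr-1", "10.0.0.6", "198.51.100.9", 443, SYN | ACK),
] + [
    # 10.0.0.42 sends bare SYNs to 40 different hosts on port 445 (scan-like behavior)
    ("rtr-2", "10.0.0.42", f"192.0.2.{i}", 445, SYN) for i in range(1, 41)
] + [
    # ... and 30 of those hosts answer 10.0.0.42 with RST/ACK (connection refused)
    ("rtr-2", f"192.0.2.{i}", "10.0.0.42", 51000 + i, RST | ACK) for i in range(1, 31)
]

def flows_per_exporter(flows):
    """Flow volume per router: the spike the Vitals view would show."""
    return Counter(f[0] for f in flows)

def top_destinations(flows, exporter, n=3):
    """Who receives the most flows from a given router (the drill-down step)."""
    return Counter(f[2] for f in flows if f[0] == exporter).most_common(n)

def syn_violations(flows, min_targets=20):
    """Sources that sent SYN-only flows to many distinct destinations (no handshake completed)."""
    targets = defaultdict(set)
    for _, src, dst, _, flags in flows:
        if flags == SYN:  # SYN set and nothing else: the peer never answered in this flow
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

def rst_ack_destinations(flows, min_sources=20):
    """Hosts receiving RST/ACK from many distinct peers: their probes are being refused."""
    refusers = defaultdict(set)
    for _, src, dst, _, flags in flows:
        if flags & (RST | ACK) == (RST | ACK):
            refusers[dst].add(src)
    return {d: len(s) for d, s in refusers.items() if len(s) >= min_sources}

if __name__ == "__main__":
    print("flows per exporter:", flows_per_exporter(FLOWS))
    print("top receivers on rtr-2:", top_destinations(FLOWS, "rtr-2"))
    print("SYN violations:", syn_violations(FLOWS))
    print("RST/ACK destinations:", rst_ack_destinations(FLOWS))
```

Both detections point at the same internal host, which is the signal a defender wants: one machine probing many outside addresses and being refused by most of them is worth pulling for investigation.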

“Network Behavior Analysis with Flow Analytics is an important part of our NetFlow Analysis software,” says Michael Patterson, Scrutinizer product manager. “Our solution looks for network threats across hundreds of routers and deduplicates flows to ensure an accurate Unique Index is compiled per host. DDoS attack behaviors can be identified with well-engineered mathematical algorithms.”

Here are some interesting links for further reading on botnets:

How my computer became a zombie

How Can I Tell If My Computer Is Part of a Botnet?

Busting bots: Defending against botnets


2 Responses to “Using NetFlow to tell if your network is part of a botnet, Part 2”

  1. Using NetFlow to tell if your network is part of a botnet, Part 1 - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] more in part 2 of this blog series on how to identify a DDoS attack using NetFlow. Share and [...]

  2. Three free and fabulous resources for Cisco network admins, Part 1 - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] * Invisible Attackers: Stop the Bot: This episode discusses tools and techniques used by hackers to infiltrate networks. (Also, read our two-part blog series on using NetFlow to tell if your network is part of a botnet.) [...]
