Using NetFlow to tell if your network is part of a botnet, Part 2

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on August 19th, 2009 by NewsTrax

This is the final part in a two-part blog series on using Cisco NetFlow to identify if your network is part of a botnet. Part 1 gave a quick overview of distributed denial of service (DDoS) attacks and how they’re often caused by botnets flooding Web sites with requests, thus making the Web site inaccessible to others.

It’s not just home computers that could be part of botnets. Any work computer could be compromised if users unwittingly download malware or visit malicious Web sites, putting corporate networks at risk. How can Cisco NetFlow be used to identify DDoS attacks?


What is Jflow?

Posted in Denika, General, Logalot, Scrutinizer, WebNM on January 15th, 2009 by miltong

JFlow is an IP traffic flow sampling technology used by Juniper-manufactured routers and switches. JFlow is considered a flow sampler technology much like sFlow: when enabled on an interface, it allows packets in the input stream to be sampled. As packets flow through an input stream the router/switch looks at each one, but only records new packets and discards any packets it has already seen.

JFlow is just one of three flow technologies available; the other two are Cisco’s NetFlow and HP’s sFlow. Each has its own strengths: NetFlow records all packets, while sFlow only samples incoming traffic based on the packet ratio defined in the router configuration.

Milton


From the tech desk: My interfaces show over utilization

Posted in General on January 2nd, 2009 by nathanh

It’s interesting that when evaluating performance or production, we all like to use percentages.
For example, your boss may ask that you give a project 110% of your attention and effort, or the financial department may report a 200% gain in profits for a particular quarter.

Either way, it just means a lot more to your company when you hear 200% gains rather than “We made X amount of dollars!” It’s just easier to understand.

Scrutinizer works no differently.
When trending your traffic, it’s much more appealing to have interfaces showing a percentage utilization, rather than just seeing the raw data.

[Image: interface report showing over utilization]

However, with our product, the percentages are based on a 0%-100% scale:
0% means your interface has zero traffic going through it, and 100% means your interface is at full use.

So what if you have an interface that is showing over utilization as demonstrated above?

Scrutinizer scales your traffic based on the amount of traffic received in 5 minutes, divided by the port speed defined for the interface.

So for example, let’s say that you are monitoring a 1.5mb interface. Scrutinizer takes five 1-minute trends and averages them to present that utilization. Somewhere during those 5 minutes, you had a spike in utilization that was much greater than the 1.5mb ceiling defined in Scrutinizer, so as far as Scrutinizer is concerned, the average is 247%, as illustrated above.

So the first thing you want to verify is that the port speed in Scrutinizer is correct. If it seems correct, investigation may be needed to see why Scrutinizer is seeing so much traffic.
If you are using any kind of encryption on that interface, this may cause a problem. I would recommend that you give us a call to take a look.
Another thing to check: make sure the active timeouts on your routers are set so that your routers export flows every minute. Please refer to our FAQ regarding how to check this.
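
As an added illustration (not Scrutinizer’s code; every number in it is constructed), the following Python models the calculation described above, five 1-minute trends averaged against the configured port speed, and shows how a flow record that is only exported after a long active timeout lands many minutes of bytes in a single minute and pushes the 5-minute average past 100%, while spreading those bytes over the record’s actual duration gives the real figure. It assumes flow records of the form (first_switched, last_switched, bytes) with times in seconds.

```python
"""Toy model of the 5-minute utilization figure described above (added
illustration, not Scrutinizer's code). Constructed assumptions: flow records
are (first_switched, last_switched, bytes) in seconds, a report averages five
1-minute trends, and a naive collector books all bytes of a record into the
minute in which the record was exported."""
from collections import defaultdict

PORT_BPS = 1_500_000   # 1.5 Mb/s port speed configured for the interface
BUCKET_S = 60          # one-minute trend buckets
WINDOW = 5             # five 1-minute trends averaged per report

def utilization_pct(nbytes, seconds, port_bps=PORT_BPS):
    """Percent of port capacity used by nbytes spread evenly over seconds."""
    return nbytes * 8 / seconds / port_bps * 100

def bucket_by_export(flows, bucket_s=BUCKET_S):
    """Naive binning: a record's bytes land in the minute it was exported."""
    buckets = defaultdict(int)
    for _first, last, nbytes in flows:
        buckets[last // bucket_s] += nbytes
    return dict(buckets)

def bucket_by_duration(flows, bucket_s=BUCKET_S):
    """Spread each record's bytes evenly over the minutes it was active."""
    buckets = defaultdict(float)
    for first, last, nbytes in flows:
        lo, hi = first // bucket_s, last // bucket_s
        for b in range(lo, hi + 1):
            buckets[b] += nbytes / (hi - lo + 1)
    return dict(buckets)

def report(buckets, window_start, window=WINDOW, bucket_s=BUCKET_S):
    """Per-minute percentages and their average over a 5-minute window."""
    pcts = [utilization_pct(buckets.get(b, 0), bucket_s)
            for b in range(window_start, window_start + window)]
    return pcts, sum(pcts) / window

# Constructed traffic: one host streams a steady 1 Mb/s for 30 minutes.
RATE_BPS = 1_000_000
ONE_MIN_TIMEOUT = [(m * 60, m * 60 + 59, RATE_BPS // 8 * 60) for m in range(30)]
THIRTY_MIN_TIMEOUT = [(0, 1799, RATE_BPS // 8 * 1800)]  # single record, exported at the end

if __name__ == "__main__":
    cases = (("1-min timeout", ONE_MIN_TIMEOUT), ("30-min timeout", THIRTY_MIN_TIMEOUT))
    for label, flows in cases:
        for binner in (bucket_by_export, bucket_by_duration):
            pcts, avg = report(binner(flows), window_start=25)   # minutes 25-29
            print(f"{label:15}{binner.__name__:19}{[round(p) for p in pcts]} avg {avg:.0f}%")
```

With a 1-minute active timeout both binnings report about 67% for every minute; with the 30-minute timeout the export-binned view shows four idle minutes, one minute at 2000%, and a 400% average, the kind of figure the screenshot above shows.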

If the problem still persists, please call us at our Support Desk and we’ll give you a hand.

-Nate
