Using NetFlow to tell if your network is part of a botnet, Part 2

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on August 19th, 2009 by NewsTrax

This is the final part in a two-part blog series on using Cisco NetFlow to identify if your network is part of a botnet. Part 1 gave a quick overview of distributed denial of service (DDoS) attacks and how they’re often caused by botnets flooding Web sites with requests, thus making the Web site inaccessible to others.

It’s not just home computers that could be part of botnets. Any work computer could be compromised if users unwittingly download malware or visit malicious Web sites, putting corporate networks at risk. How can Cisco NetFlow be used to identify DDoS attacks?


Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer

Posted in NetFlow, Network Problem Resolution, Scrutinizer, Security on March 19th, 2009 by miltong

Good morning world. At the beginning of the week I was helping a customer who found he had been attacked by the Downadup/Conficker worm. This worm pounded his network! The customer explained to me that the worm came in with a brute-force attack, which infected his computers that were not updated. He then saw the traffic on his network almost triple. The Downadup/Conficker worm generated 250 domain names per day, scanned his network, infected his computers, and tried to go out to the Internet. Because of the way this customer had set up his network, the worm was not able to pass through his proxy to the Internet.

The customer looked at his Flow Analytics and saw that he had excessive SYN violations. SYN violations indicate a denial-of-service attack. Because the worm was not able to get through the proxy, it created a denial of service. This customer was able to click on the SYN violations in Flow Analytics, pick out which computers were infected, and patch them up.

The customer was able to patch up his servers and his computers in a timely manner with the help of Flow Analytics; traffic has slowed down and his network is back to normal.

Milton
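The detection Milton describes, as an added example that is not part of the original post and not Plixer's Scrutinizer or Flow Analytics code: a host that is scanning or is blocked at the proxy leaves behind many TCP flows whose cumulative flag byte is SYN alone (the host sent SYNs and never got far enough to send an ACK). Counting those SYN-only flows per source, and the number of distinct destination/port pairs they hit, pulls the infected hosts out of an export. The CSV records below are constructed, the threshold is an assumption, and the heuristic is my own, not Scrutinizer's actual algorithm.

```python
"""Flag hosts generating excessive SYN-only TCP flows in NetFlow-style records.

Added example; not from the original post and not Plixer's code. It assumes
flow records that carry the cumulative TCP flags byte (NetFlow v5 tcp_flags)
and uses a threshold heuristic of my own choosing.
"""
from collections import defaultdict

# TCP flag bits as carried in the NetFlow v5 tcp_flags byte
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP = 6

# Constructed sample export, one unidirectional flow per line:
# src,dst,dport,proto,tcp_flags,packets
# 10.0.0.5 plays the infected host: it sweeps port 445 on the subnet and
# keeps retrying the proxy on 3128; 10.0.0.7 and 10.0.0.9 are healthy.
SAMPLE_FLOWS = """\
10.0.0.5,10.0.0.20,445,6,0x02,1
10.0.0.5,10.0.0.21,445,6,0x02,1
10.0.0.5,10.0.0.22,445,6,0x02,1
10.0.0.5,10.0.0.23,445,6,0x02,1
10.0.0.5,10.0.0.24,445,6,0x02,1
10.0.0.5,10.0.0.25,445,6,0x02,1
10.0.0.5,10.0.0.2,3128,6,0x02,1
10.0.0.5,10.0.0.2,3128,6,0x02,1
10.0.0.5,10.0.0.2,3128,6,0x02,1
10.0.0.9,10.0.0.2,3128,6,0x1b,42
10.0.0.9,10.0.0.30,445,6,0x1b,120
10.0.0.9,10.0.0.20,445,6,0x06,2
10.0.0.7,10.0.0.2,3128,6,0x1f,300
10.0.0.7,10.0.0.20,53,17,0x00,2
"""


def parse_flows(text):
    """Parse the constructed CSV export into a list of flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, flags, pkts = line.split(",")
        flows.append({
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": int(proto),
            "flags": int(flags, 16),
            "packets": int(pkts),
        })
    return flows


def is_syn_only(flow):
    """True for a TCP flow whose cumulative flags are SYN and nothing else.

    The exporter ORs together every flag seen on the flow, so SYN alone means
    the source never sent an ACK, FIN or RST: the handshake never completed.
    """
    if flow["proto"] != TCP:
        return False
    return flow["flags"] & (FIN | SYN | RST | PSH | ACK) == SYN


def syn_violations(flows, threshold=5):
    """Return {src: {"syn_only": n, "targets": k}} for every source with at
    least `threshold` SYN-only flows; k counts distinct (dst, dport) pairs,
    which separates a subnet sweep from repeated retries to one service.
    """
    counts = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if is_syn_only(f):
            counts[f["src"]] += 1
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {
        src: {"syn_only": n, "targets": len(targets[src])}
        for src, n in counts.items()
        if n >= threshold
    }


def report(text=SAMPLE_FLOWS, threshold=5):
    """Convenience wrapper: parse, score, and return the offenders."""
    return syn_violations(parse_flows(text), threshold)


if __name__ == "__main__":
    for src, stats in report().items():
        print(f"{src}: {stats['syn_only']} SYN-only flows "
              f"to {stats['targets']} distinct destination/port pairs")
```

On the sample only 10.0.0.5 is reported; 10.0.0.9's SYN+RST flow is an aborted connection rather than a silent one, and the UDP flow is ignored. On a real export the threshold has to be tuned per network, since a healthy host will always show a few SYN-only flows to hosts that are simply down.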
