One of the things that sets our NetFlow and sFlow analysis tool apart from our competitors is the dynamic filtering and reporting available within our reporting engine.
I had a customer the other day show me how he was using Scrutinizer to catch DNS pirates.
Let’s take a look at how he set up the report filters to do this.
First, filter on the NetFlow-capable switch or router, then add a second filter for the DNS protocol: UDP port 53. (UDP port 67 is bootps, i.e. the DHCP server port, not DNS; a filter on 67 would surface rogue DHCP servers instead.)
The NetFlow trend will update as follows:
Next, exclude the local DNS servers (10.1.1.132 and 10.1.4.1) as SRC or DST, so that neither the traffic from clients to your resolvers nor your resolvers' own upstream lookups remain in the report. In the filter list these exclusions are shown with red squares instead of the green include square:
The report updates again. What remains is DNS traffic to or from addresses on the local network that are not your DNS servers: either a local host answering DNS queries on port 53, or a local client that has been pointed at some resolver other than yours. Set an inbound threshold of 1 KB on the report and Scrutinizer will raise an alarm when the pirating occurs:
Notice above that these flows are very small. If your flow collector samples or discards low-volume flows instead of saving every flow, you will probably never find these hosts.
You can also use the NetFlow Matrix report to see who the pirate is and who is talking to it:
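The same filter chain (include UDP/53, exclude the sanctioned resolvers as SRC or DST, threshold the remainder, then look at who talks to the suspect) can be reproduced outside the product against raw flow records. The script below is an added example written for this post, not Scrutinizer code or its API; the flow records are constructed, the 10.0.0.0/8 local range is an assumption, and the 1 KB alarm threshold is taken as 1024 bytes. It also separates the two cases that survive the exclude filter: a local host acting as a rogue DNS server, and a local client that bypasses your resolvers for an outside one.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example (not Scrutinizer's code): the post's report logic re-done as a
# script over a constructed sample of NetFlow-style records.

UDP = 17
DNS_PORT = 53

# Assumptions: the local address space, and the two resolvers named in the post.
LOCAL_NETS = [ip_network("10.0.0.0/8")]
SANCTIONED_DNS = {"10.1.1.132", "10.1.4.1"}

# Constructed flow records: (src, dst, proto, sport, dport, bytes).
SAMPLE_FLOWS = [
    ("10.1.2.50",  "10.1.1.132",   UDP, 51234, 53,    78),   # client -> sanctioned resolver
    ("10.1.1.132", "10.1.2.50",    UDP, 53,    51234, 142),  # its reply
    ("10.1.1.132", "198.51.100.10", UDP, 40001, 53,   80),   # resolver -> upstream forwarder
    ("10.1.2.77",  "10.1.3.9",     UDP, 60123, 53,    66),   # client -> rogue DNS server on the LAN
    ("10.1.3.9",   "10.1.2.77",    UDP, 53,    60123, 512),  # rogue server's reply
    ("10.1.2.78",  "10.1.3.9",     UDP, 60124, 53,    70),
    ("10.1.3.9",   "10.1.2.78",    UDP, 53,    60124, 480),
    ("10.1.2.91",  "8.8.8.8",      UDP, 55555, 53,    64),   # client bypassing the local resolvers
    ("10.1.2.50",  "10.1.1.132",   6,   44444, 443,   9000), # TCP/443, dropped by the protocol filter
]


def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def filter_dns(flows, sanctioned=SANCTIONED_DNS):
    """Steps 1-2 of the report: include UDP/53 only, then exclude every flow
    in which a sanctioned resolver is the SRC *or* the DST."""
    kept = []
    for src, dst, proto, sport, dport, nbytes in flows:
        if proto != UDP or DNS_PORT not in (sport, dport):
            continue
        if src in sanctioned or dst in sanctioned:
            continue
        kept.append((src, dst, proto, sport, dport, nbytes))
    return kept


def dns_server_side(flow):
    """The endpoint acting as the DNS server in this flow (the side on port 53)."""
    src, dst, _, sport, _, _ = flow
    return src if sport == DNS_PORT else dst


def rogue_servers(flows, sanctioned=SANCTIONED_DNS, threshold_bytes=1024):
    """Step 3: byte volume per unsanctioned *local* host serving port 53;
    return those at or above the threshold (the post's 1 KB alarm)."""
    volume = defaultdict(int)
    for flow in filter_dns(flows, sanctioned):
        server = dns_server_side(flow)
        if is_local(server):
            volume[server] += flow[5]
    return {ip: b for ip, b in volume.items() if b >= threshold_bytes}


def external_resolvers(flows, sanctioned=SANCTIONED_DNS):
    """Local clients whose DNS goes straight to an outside resolver also survive
    the exclude filter; list them separately so they are not confused with a
    rogue server on the LAN."""
    hits = defaultdict(set)
    for flow in filter_dns(flows, sanctioned):
        server = dns_server_side(flow)
        if not is_local(server):
            client = flow[1] if server == flow[0] else flow[0]
            hits[server].add(client)
    return {ip: sorted(clients) for ip, clients in hits.items()}


def peers(flows, host, sanctioned=SANCTIONED_DNS):
    """The Matrix view: every host exchanging DNS traffic with the given host."""
    result = set()
    for src, dst, *_ in filter_dns(flows, sanctioned):
        if src == host:
            result.add(dst)
        elif dst == host:
            result.add(src)
    return sorted(result)


if __name__ == "__main__":
    for ip, nbytes in rogue_servers(SAMPLE_FLOWS).items():
        print(f"ALARM rogue DNS server {ip}: {nbytes} bytes, clients {peers(SAMPLE_FLOWS, ip)}")
    for ip, clients in external_resolvers(SAMPLE_FLOWS).items():
        print(f"NOTE external resolver {ip} used directly by {clients}")
```

On the sample data the rogue server 10.1.3.9 accumulates 1128 bytes across four tiny flows and trips the 1 KB alarm, while 10.1.2.91 is reported only as a client using 8.8.8.8 directly. Note that the per-flow sizes here are well under 100 bytes on the query side, which is why a collector that samples or drops low-volume flows would never accumulate enough to alarm.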
Cool stuff and only with the Scrutinizer NetFlow and IPFIX collector.
Contact support if you have questions on this – (207)324-8805