This is the final part in a two-part blog series on using Cisco NetFlow to identify whether your network is part of a botnet. Part 1 gave a quick overview of distributed denial of service (DDoS) attacks and how they are often carried out by botnets flooding Web sites with requests, making the Web site inaccessible to everyone else.

It’s not just home computers that could be part of botnets. Any work computer could be compromised if users unwittingly download malware or visit malicious Web sites, putting corporate networks at risk. How can Cisco NetFlow be used to identify DDoS attacks?

Watch the flow behavior
Network traffic monitoring using Cisco NetFlow can help identify suspicious behavior. Use the Scrutinizer Vitals page to see whether overall flow volume, summed across all of your routers, has recently spiked:

Network traffic flow volume
Once you identify the router exporting the massive number of flows, drill in to determine which host is receiving the most of them. The victim of a DDoS shows up as the top receiver; if your own network is part of the botnet, the senders converging on that receiver are your internal hosts:

Network traffic flow volume 2
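As an added example (not code from this page, from Plixer or from Scrutinizer), the Python below reproduces those two steps on a constructed set of flow records: flag any router whose per-minute flow count spikes against its own recent baseline, then drill into that router and minute to list the top destination and count how many distinct sources are hitting it. The record layout, the minute bucketing, the 3x-baseline threshold and the sample addresses are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean
from typing import NamedTuple


class Flow(NamedTuple):
    exporter: str  # router that exported the record
    minute: int    # flow start time, bucketed to the minute
    src: str
    dst: str


def build_sample_flows():
    """Constructed records (not real NetFlow): two routers with a steady
    baseline of 10 flows/minute for minutes 0-4; in minute 5 router edge-1
    additionally exports a burst from 90 internal hosts towards one external
    web server, which is what an internal botnet joining a DDoS looks like."""
    flows = []
    for m in range(6):
        for i in range(10):
            flows.append(Flow("edge-1", m, f"10.0.1.{i}", f"192.0.2.{i % 3}"))
            flows.append(Flow("core-1", m, f"10.0.2.{i}", f"192.0.2.{i % 3}"))
    for i in range(90):
        flows.append(Flow("edge-1", 5, f"10.0.9.{i}", "203.0.113.10"))
    return flows


def flows_per_minute(flows):
    """{exporter: Counter{minute: flow count}}, the per-router flow volume
    that the Vitals view plots over time."""
    counts = defaultdict(Counter)
    for f in flows:
        counts[f.exporter][f.minute] += 1
    return counts


def spiking_exporters(flows, factor=3.0):
    """Routers whose latest-minute flow count exceeds `factor` times the mean
    of all earlier minutes. Returns [(exporter, minute, latest, baseline)].
    The factor is an assumed threshold; tune it to your own traffic."""
    spikes = []
    for exporter, per_min in flows_per_minute(flows).items():
        minutes = sorted(per_min)
        if len(minutes) < 2:
            continue  # nothing to baseline against yet
        latest_minute = minutes[-1]
        latest = per_min[latest_minute]
        baseline = mean(per_min[m] for m in minutes[:-1])
        if latest > factor * baseline:
            spikes.append((exporter, latest_minute, latest, baseline))
    return spikes


def top_receivers(flows, exporter, minute, n=3):
    """Drill-down: destinations receiving the most flows from one router."""
    hits = Counter(f.dst for f in flows if f.exporter == exporter and f.minute == minute)
    return hits.most_common(n)


def distinct_senders(flows, exporter, minute, dst):
    """Number of different sources hitting `dst` through that router: many
    internal sources converging on one external target is the botnet signal."""
    return len({f.src for f in flows
                if f.exporter == exporter and f.minute == minute and f.dst == dst})


if __name__ == "__main__":
    sample = build_sample_flows()
    for exporter, minute, latest, baseline in spiking_exporters(sample):
        print(f"{exporter}: {latest} flows in minute {minute} vs baseline {baseline:.0f}")
        victim, count = top_receivers(sample, exporter, minute)[0]
        senders = distinct_senders(sample, exporter, minute, victim)
        print(f"  top receiver {victim}: {count} flows from {senders} distinct sources")
```

Real deployments should baseline over a longer window than five minutes and deduplicate records that more than one router exports for the same flow, otherwise a path change alone can look like a spike.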
Use flow analytics

Watching traffic to and from external sources can reveal whether an internal computer is part of a botnet. The Flow Analytics module of Scrutinizer includes an Internet Threats Monitor that watches every connection into and out of the Internet for that kind of behavior. Flow Analytics, used together with the RST/ACK Destination algorithm and the SYN Violation algorithm, can also help catch network worms: a host sweeping the network for new victims sends many SYNs that never complete a handshake and collects RST/ACKs from every closed port it probes.
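The two TCP-flag checks, as an added example rather than Scrutinizer's own implementation (the page does not describe the product's exact algorithms): it assumes NetFlow v5-style unidirectional records whose tcp_flags field is the cumulative OR of the flags seen in the flow, so a flow carrying only SYN is a handshake that never progressed and a flow carrying only RST/ACK is a peer refusing a connection. The sample records, the flag constants and the thresholds are constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple

# TCP flag bits as NetFlow v5 reports them in the tcp_flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class ScanFlow(NamedTuple):
    src: str
    dst: str
    dport: int
    tcp_flags: int  # cumulative OR of the flags seen across the flow's packets


def build_scan_sample():
    """Constructed records: one host doing normal HTTPS sessions, one host
    sweeping 60 addresses on TCP/445 and getting RST/ACK back from the half
    of them that have the port closed."""
    flows = []
    for i in range(5):  # completed sessions in both directions
        flows.append(ScanFlow("10.0.1.5", f"198.51.100.{i}", 443, SYN | ACK | PSH | FIN))
        flows.append(ScanFlow(f"198.51.100.{i}", "10.0.1.5", 51000 + i, SYN | ACK | PSH | FIN))
    for i in range(1, 61):  # the sweep: SYN-only out, RST/ACK back from closed ports
        flows.append(ScanFlow("10.0.1.77", f"10.0.5.{i}", 445, SYN))
        if i % 2 == 0:
            flows.append(ScanFlow(f"10.0.5.{i}", "10.0.1.77", 51000 + i, RST | ACK))
    return flows


def syn_violators(flows, min_targets=20):
    """SYN violation: sources whose SYN-only flows (no ACK ever sent, so the
    handshake never completed) reach at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.tcp_flags == SYN:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def rst_ack_destinations(flows, min_sources=20):
    """RST/ACK destination: hosts that receive bare RST/ACK flows from at least
    `min_sources` distinct peers, i.e. were refused by many closed ports."""
    refusers = defaultdict(set)
    for f in flows:
        if f.tcp_flags == RST | ACK:
            refusers[f.dst].add(f.src)
    return {dst: len(s) for dst, s in refusers.items() if len(s) >= min_sources}


def suspected_scanners(flows):
    """Hosts flagged by either heuristic; a worm hunting for victims trips both."""
    return sorted(set(syn_violators(flows)) | set(rst_ack_destinations(flows)))


if __name__ == "__main__":
    sample = build_scan_sample()
    print("SYN violators:", syn_violators(sample))
    print("RST/ACK destinations:", rst_ack_destinations(sample))
    print("suspected scanners:", suspected_scanners(sample))
```

Two caveats a practitioner will hit: a flow that is split by the exporter's active timeout can also show SYN alone, and a host whose upstream is down produces SYN-only flows to many addresses without being malicious, so the thresholds should be tuned per network and the RST/ACK count used to confirm the SYN count rather than either one alone.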

“Network Behavior Analysis with Flow Analytics is an important part of our NetFlow Analysis software,” says Michael Patterson, Scrutinizer product manager. “Our solution looks for network threats across hundreds of routers and deduplicates flows to ensure an accurate Unique Index is compiled per host. DDoS attack behaviors can be identified with well-engineered mathematical algorithms.”

Here are some interesting links for further reading on botnets:

How my computer became a zombie

How Can I Tell If My Computer Is Part of a Botnet?

Busting bots: Defending against botnets



Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers. He is responsible for providing customers with onsite training and configuration to make sure that Scrutinizer is set up to their needs. Previously he was responsible for teaching Plixer's Advanced NetFlow Training and Malware Response Training. When he's not learning more about NetFlow and malware detection, he enjoys fishing and hiking.

