Using Switches to Detect a Data Plane DoS
Because switches are spread all over a network, they are a good place to detect a denial of service (DoS) attack or even a malicious worm. NetFlow is a telemetry system; it allows not only billing and monitoring but also the detection of abnormal and suspicious behavior, such as a propagating worm or a DoS attack. A remote sensor called Remote Monitoring (RMON) can monitor several network parameters; a change from the baseline of those parameters is a good indicator of an abnormal event.
Detecting DoS with NetFlow
NetFlow is a well-known telemetry technology that has been around for more than ten years. (It first appeared in 1996.)
NOTE This section introduces the NetFlow technology. If you're already familiar with this technology, move on to the section "NetFlow as a Security Tool."
You can use NetFlow on a wide range of routers and on some high-end switches, such as the Catalyst 6500, the Cisco 7600, the Catalyst 4500 with Sup V, and, with the help of a daughter card, the Catalyst 4500 with Sup IV.
An IP flow is the unidirectional packet stream between a given source and a given destination, and it is characterized by a specific set of parameters. Traditionally, an IP flow is based on a set of five, and up to seven, IP packet attributes.
Here are the IP packet attributes that NetFlow uses:
• IP source address. Mandatory attribute; the IP source address of the packets in the flow.
• IP destination address. Mandatory attribute; the IP destination address of the packets in the flow.
• Source port. Mandatory attribute; the Layer 4 source port, such as a User Datagram Protocol (UDP) port or a TCP port, if any.
• Destination port. Mandatory attribute; the Layer 4 destination port, such as a UDP or TCP port, if any.
• Layer 3 protocol type. Mandatory attribute; the value of the Protocol field in the IP header, such as 6 for TCP or 17 for UDP.
• Type of service. Optional attribute; the value of the type of service (ToS) byte in the IP header.
• Router or switch interface. Optional attribute; the identifier of the interface or subinterface, such as a VLAN, on which this flow is received. It is identical to the Simple Network Management Protocol (SNMP) interface index.
All packets with the same source/destination IP address, source/destination ports, protocol, interface, and ToS are grouped into a flow; the packets and bytes are then tallied and other parameters of the flow are collected (such as the IP next-hop router). The set of attributes that uniquely identifies a flow is called a flow mask, and the attributes are called keys because they uniquely identify a flow.
Flow Mask
In Catalyst switches, the flow mask (the set of key attributes that identify a flow) can be set to different values, such as the following:
• Full. The five attributes: source IP address, destination IP address, protocol, and the protocol source and destination ports.
• Source only. A less specific flow mask. Statistics for all flows from a given source IP address are aggregated into a single flow.
• Destination only. A less specific flow mask. Statistics for all flows to a given destination IP address are aggregated into a single flow.
• Full interface. The most specific flow mask. Adds the source VLAN interface identifier to the information in the full flow mask.
In short, for Catalyst switches, various ways exist to aggregate the information of multiple flows into a single flow.
This way of fingerprinting, or defining, a flow is scalable because a large amount of network information is condensed into a database of NetFlow information (known as the NetFlow cache). To be even more scalable, flows can be sampled. For example, only 1 out of every 1000 packets is analyzed and treated as a statistical sample standing for the 1000 packets.
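To make the flow masks and sampling concrete, here is an added example (not code from the book or from Cisco). It builds a toy NetFlow cache from constructed packets under each of the Catalyst flow masks listed above, with optional 1-in-N packet sampling, and counts how many full flows share one source or one destination, which is the view in which a DoS target or a scanning host stands out. The Packet fields, the FLOW_MASKS table, and the traffic mix are assumptions.

```python
# Added example (not from the book): a toy NetFlow cache applying the Catalyst
# flow masks to constructed packets, with 1-in-N packet sampling.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:                 # assumed packet summary, not a real capture
    src_ip: str
    dst_ip: str
    proto: int                # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    tos: int
    ifindex: int              # ingress interface or VLAN (the SNMP ifIndex)
    length: int               # bytes on the wire


# A flow mask is the set of key attributes that identifies a flow.
# Each entry maps a packet to the key tuple used for that mask.
FLOW_MASKS = {
    "full": lambda p: (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port),
    "source-only": lambda p: (p.src_ip,),
    "destination-only": lambda p: (p.dst_ip,),
    "full-interface": lambda p: (p.src_ip, p.dst_ip, p.proto,
                                 p.src_port, p.dst_port, p.ifindex),
}


def build_cache(packets, mask="full", sample_every=1):
    """Return {flow_key: {"packets": n, "bytes": b}} for the chosen mask.

    sample_every=N keeps one packet in N (deterministic sampling); the counts
    are scaled by N so the sampled cache still estimates the real totals.
    """
    key_of = FLOW_MASKS[mask]
    cache = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for i, pkt in enumerate(packets):
        if i % sample_every:
            continue                          # not part of the sample
        entry = cache[key_of(pkt)]
        entry["packets"] += sample_every
        entry["bytes"] += pkt.length * sample_every
    return dict(cache)


def flows_per_attribute(full_cache, index):
    """Count distinct full flows that share one key attribute.

    index 0 = source IP: a host with very many flows looks like a scanner or worm.
    index 1 = destination IP: a host with flows from many sources looks like a
    DoS target. The source-only and destination-only masks give this up, since
    they keep only packet and byte totals per address.
    """
    counts = defaultdict(int)
    for key in full_cache:
        counts[key[index]] += 1
    return dict(counts)


def constructed_traffic():
    """Constructed packet mix (not captured data): two ordinary web sessions,
    a spoofed-source SYN flood against 10.0.0.5, and one host probing TCP/445."""
    pkts = []
    for n in range(20):                       # two web sessions, 10 packets each
        pkts.append(Packet("192.168.1.10", "10.0.0.5", 6, 40000 + n % 2, 80, 0, 10, 600))
    for n in range(300):                      # 300 SYNs from 250 spoofed sources
        pkts.append(Packet(f"203.0.113.{n % 250 + 1}", "10.0.0.5", 6, 1024 + n, 80, 0, 20, 60))
    for n in range(200):                      # worm-like host sweeping 200 targets
        pkts.append(Packet("192.168.1.7", f"10.0.1.{n + 1}", 6, 50000 + n, 445, 0, 10, 60))
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    for mask in FLOW_MASKS:
        print(f"{mask:>17}: {len(build_cache(traffic, mask))} cache entries")
    full = build_cache(traffic)
    print("full flows to 10.0.0.5:    ", flows_per_attribute(full, 1)["10.0.0.5"])
    print("full flows from 192.168.1.7:", flows_per_attribute(full, 0)["192.168.1.7"])
```

With the full mask the 520 packets become 502 cache entries, most of them single-packet SYN flows; the source-only mask collapses the worm host to one entry and the destination-only mask collapses the flood to one entry, which is exactly why the less specific masks scale but lose the upstream detail that the full and full-interface masks keep. Sampling 1 in 10 here reproduces the per-destination totals exactly only because the constructed traffic is uniform; on real traffic the sampled counts are estimates.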
NetFlow collects and exports several versions of the data:
• Version 1. The initial version described previously, with five mandatory and two optional attributes.
• Version 5. Enhanced version 1 that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers.
• Version 7. Adds NetFlow support for Cisco Catalyst 5000 Series switches equipped with a NetFlow feature card. This version also adds the multilayer switch feature card (MSFC) address into a NetFlow field.
• Version 8. Router-based aggregation that allows grouping information about multiple flows that share a common value for one or several flow-mask attributes, such as the same ToS value or the same prefix for the source or destination IP address. The main objective is to reduce the amount of exported data.
• Version 9. A new flexible and extensible version published by the Internet Engineering Task Force (IETF) as RFC 3954. Version 9 is also the only NetFlow version that supports MAC addresses. Version 9 also adds several new pieces of information about flows, such as Multiprotocol Label Switching (MPLS) information.
Versions 2 to 4 were never released. Table 15-1 enumerates the different NetFlow versions and the main information collected by each version. Version 8 does not collect more information than version 5; it only aggregates multiple flows into a single flow. Therefore, Table 15-1 has no column for version 8. Version 9 includes many attributes not listed in Table 15-1, such as IPv6 addresses, packet lengths, and so on.
Table 15-1 Information Collected by Different NetFlow Versions

Field                                      Version 1  Version 5     Version 5       Version 7     Version 9
                                                                  Catalyst 6500   Catalyst 6500
                                                                    Full Flow       Full Flow
Source and destination IP addresses            Y          Y             Y               Y             Y
Source and destination TCP/UDP port            Y          Y             Y               Y             Y
Next-hop router IP address                     Y          Y             Y               Y             Y
Input physical interface index                 Y          Y             Y               Y             Y
Output physical interface index                Y          Y             Y               Y             Y
Packet count for this flow                     Y          Y             Y               Y             Y
Byte count for this flow                       Y          Y             Y               Y             Y
Start of flow timestamp                        Y          Y             Y               Y             Y
End of flow timestamp                          Y          Y             Y               Y             Y
IP protocol                                    Y          Y             Y               Y             Y
ToS byte                                       Y          Y        PFC3b only      PFC3b only         Y
TCP flags (cumulative OR of TCP flags)         N          Y             N               N             Y
Source autonomous system (from BGP)            N          Y             Y               Y             Y
Destination autonomous system (from BGP)       N          Y             Y               Y             Y
Source prefix mask (from BGP)                  N          Y             N               N             Y
Destination prefix mask (from BGP)             N          Y             N               N             Y
Source and destination MAC addresses           N          N             N               N             Y

One important caveat of NetFlow on the Sup2 and Sup720 of the Catalyst 6500 is that the TCP flags are not collected. This reduces the usefulness of the collected data.
Only NetFlow version 9 can collect and export the source and destination MAC addresses, and even then this is optional depending on the exact hardware platform. The MAC addresses are useful in a LAN environment because they identify the upstream and downstream nodes of the flow; in a WAN environment, the interface identifier is sufficient to identify the upstream and downstream nodes. To trace back to the source of a DoS attack, it is mandatory to identify the upstream node; this means that NetFlow version 9 is required if the DoS attack passes through a switch.
Figure 15-1 shows the common NetFlow architecture, which consists of a three-tier hierarchy for scalability:
• NetFlow Exporter. The actual router or switch collecting the NetFlow data and exporting this data to the NetFlow collector.
• NetFlow Collector. An aggregation and consolidation point as well as persistent storage.
• NetFlow Application. An application using the collected NetFlow data to display network utilization, generate billing information, or detect DoS or worm activity.
Figure 15-1 NetFlow Collection Architecture
NetFlow operates by building a NetFlow cache that contains the information for all active flows. The NetFlow cache maintains a flow record for every active flow. Each flow record in the NetFlow cache contains key fields that can be used later to export data to the NetFlow collector. Each flow record is created by identifying packets with matching flow characteristics and counting or tracking the packets and bytes per flow. The flow contents, or cache information, are periodically exported to a flow-collector server based upon flow timers. The collector contains a history of the flow information that was switched within the Cisco device. NetFlow is efficient: the amount of export data is about 1.5 percent of the traffic going through the router.
[Figure 15-1 layout: NetFlow exporters (routers and switches: cache creation, data export, aggregation) receive TCP, UDP, ICMP and other traffic and send flow data to NetFlow collectors (collection, filtering, aggregation, storage), which feed NetFlow applications (data processing, data presentation) used for network planning, accounting and billing.]
Rules for expiring NetFlow cache entries include the following:
• Flows that have been idle for a specified time are expired and removed from the cache.
• Long-lived flows are expired and removed from the cache. (By default, flows are not allowed to stay in the cache for more than 30 minutes; the underlying packet conversation remains undisturbed.) This expiration allows the collectors to have recent and accurate data about all flows rather than waiting potentially several hours (or even days) before receiving information about a long-lived flow.
• TCP connections that have reached the end of the byte stream (FIN) or have been reset (RST) are expired.
Expired flows are grouped together into NetFlow export datagrams for export from the NetFlow-enabled device. NetFlow export datagrams may contain up to 30 flow records for version 5 flow export, and they are sent over UDP.
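As an added example (not code from the book or from Cisco), the following applies the three expiry rules above to a constructed cache, packs the expired records into version 5 export datagrams of at most 30 records each, and then decodes them the way a collector would. The timeouts, the FlowRecord fields and the traffic are assumptions; the version 5 header and record layouts are the standard 24-byte header and 48-byte record.

```python
# Added example (not from the book): NetFlow cache expiry and version 5 export
# on a constructed cache. Timeouts, FlowRecord and the traffic are assumptions.
import socket
import struct
from dataclasses import dataclass

TCP_FIN, TCP_RST = 0x01, 0x04
IDLE_TIMEOUT_MS = 15 * 1000          # assumed inactive timeout
ACTIVE_TIMEOUT_MS = 30 * 60 * 1000   # default active timeout: 30 minutes
MAX_RECORDS = 30                     # a v5 datagram carries at most 30 records

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first: int                 # SysUptime (ms) at the first packet
    last: int                  # SysUptime (ms) at the last packet
    packets: int
    octets: int
    tcp_flags: int = 0         # cumulative OR of flags; stays 0 on Sup2/Sup720
    nexthop: str = "0.0.0.0"
    input_if: int = 0
    output_if: int = 0
    tos: int = 0


def expire(cache, now_ms):
    """Apply the three expiry rules; return (expired, still_active)."""
    expired, active = [], []
    for f in cache:
        idle = now_ms - f.last >= IDLE_TIMEOUT_MS
        long_lived = now_ms - f.first >= ACTIVE_TIMEOUT_MS
        closed = f.proto == 6 and bool(f.tcp_flags & (TCP_FIN | TCP_RST))
        (expired if idle or long_lived or closed else active).append(f)
    return expired, active


def pack_v5(records, uptime_ms, unix_secs, seq):
    """Pack expired records into v5 datagrams of at most MAX_RECORDS each.
    Returns (datagrams, next_seq); flow_sequence counts flows exported so far."""
    datagrams = []
    for i in range(0, len(records), MAX_RECORDS):
        chunk = records[i:i + MAX_RECORDS]
        header = V5_HEADER.pack(5, len(chunk), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
        body = b"".join(V5_RECORD.pack(
            socket.inet_aton(f.src), socket.inet_aton(f.dst), socket.inet_aton(f.nexthop),
            f.input_if, f.output_if, f.packets, f.octets, f.first, f.last,
            f.sport, f.dport, 0, f.tcp_flags, f.proto, f.tos, 0, 0, 0, 0, 0)
            for f in chunk)
        datagrams.append(header + body)
        seq += len(chunk)
    return datagrams, seq


def parse_v5(datagram):
    """Collector side: validate and decode one v5 datagram. Export arrives over
    unauthenticated UDP, so check version and length before trusting the count."""
    version, count, uptime, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for n in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    # the low 14 bits of the last header field hold the sampling interval (0 = unsampled)
    return {"seq": seq, "uptime_ms": uptime, "sampling_interval": sampling & 0x3FFF, "flows": flows}


def constructed_cache(now_ms):
    """Constructed cache contents (not captured data)."""
    c = [FlowRecord(f"203.0.113.{n + 1}", "10.0.0.5", 6, 1024 + n, 80,
                    now_ms - 20_000, now_ms - 20_000, 1, 60, tcp_flags=0x02)
         for n in range(40)]                                        # SYN flood remnants, idle 20 s
    c.append(FlowRecord("192.168.1.10", "10.0.0.5", 6, 40000, 80,
                        now_ms - 5_000, now_ms - 1_000, 12, 9_000, tcp_flags=0x18))      # live session
    c.append(FlowRecord("192.168.1.20", "10.0.0.9", 6, 40001, 22,
                        now_ms - 31 * 60_000, now_ms - 100, 500_000, 700_000_000, tcp_flags=0x18))  # 31 min transfer
    c.append(FlowRecord("192.168.1.11", "10.0.0.5", 6, 40002, 80,
                        now_ms - 3_000, now_ms - 50, 9, 4_000, tcp_flags=0x19))          # just closed (FIN)
    c.append(FlowRecord("192.168.1.12", "10.0.0.53", 17, 53001, 53,
                        now_ms - 2_000, now_ms - 2_000, 1, 70))                          # recent DNS query
    return c


def export_cycle(now_ms=3_600_000, unix_secs=1_700_000_000):
    """One export timer tick: expire, pack, and decode what the collector sees."""
    expired, active = expire(constructed_cache(now_ms), now_ms)
    datagrams, _ = pack_v5(expired, now_ms, unix_secs, seq=0)
    return [parse_v5(d) for d in datagrams], active
```

Of the 44 constructed entries, 42 expire on this tick (the 40 idle SYN flows, the 31-minute transfer, and the session that sent FIN) and are split across two datagrams of 30 and 12 records; the two records still being updated stay in the cache. The parser checks the version and that the datagram length matches the advertised record count before indexing into it, because version 5 export is plain UDP with no authentication and a collector should not trust the count field blindly.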
As previously mentioned, to scale, the NetFlow cache can either contain an entry for every IP flow or build a sample of the IP flows. Different techniques exist to sample: one packet is sampled out of every 1000 packets, or each packet is sampled with a probability of 1/1000. The statistical differences between sampling methods are beyond the scope of this book, and they are not relevant for the use case of detecting a DoS attack or a worm propagating in the network.
Flexible NetFlow
On Cisco IOS routers, a newer version of NetFlow, called Flexible NetFlow, exists. As its name implies, this version adds more flexibility and information. At the time of writing this book, Flexible NetFlow was available only on Cisco IOS routers (not on switches); therefore, all examples of NetFlow used for security relate to the current implementation of NetFlow on switches. Expect the use of Flexible NetFlow for security to be comparable to the use of the previous versions.