Table Of Contents
Detecting and Analyzing Network Threats With NetFlow
Prerequisites for Detecting and Analyzing Network Threats With NetFlow
Information About Detecting and Analyzing Network Threats With NetFlow
NetFlow Layer 2 and Security Monitoring
Layer 3 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports
Layer 2 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports
Comparison of the NetFlow Dynamic Top Talkers CLI and NetFlow Top Talkers Features
Filtering and Sampling of NetFlow Traffic
NetFlow Input Filters: Flow Classification
Random Sampled NetFlow: Sampling Mode
Random Sampled NetFlow: The NetFlow Sampler Map
How to Configure and Use NetFlow to Detect and Analyze Network Threats
Configuring NetFlow Layer 2 and Security Monitoring Exports
Verifying NetFlow Layer 2 and Security Monitoring Exports
Using NetFlow Dynamic Top Talkers CLI to Display the Protocol Distribution
Configuring NetFlow Top Talkers to Monitor Network Threats
Monitoring and Analyzing the NetFlow Top Talkers Flows
Configuring NetFlow Filtering and Sampling
Verify NetFlow Filtering and Sampling
Monitoring and Analyzing the Sampled and Filtered NetFlow Top Talkers Flows
Configuration Examples for Detecting and Analyzing Network Threats With NetFlow
Analyze an FTP DoS Attack Using the show ip cache verbose flow command: Example
Analyze an FTP DoS Attack Using NetFlow Dynamic Top Talkers CLI: Example
Analyze an ICMP Ping DoS Attack Using the show ip cache verbose flow command: Example
Analyze an ICMP Ping DoS Attack Using NetFlow Dynamic Top Talkers CLI: Example
Configure NetFlow Filtering and Sampling: Example
Feature Information for Detecting and Analyzing Network Threats With NetFlow
Detecting and Analyzing Network Threats With NetFlow
First Published: June 19, 2006Last Updated: October 02, 2009This document contains information about and instructions for detecting and analyzing network threats such as denial of service attacks (DoS) through the use of the following NetFlow features:
•
NetFlow Layer 2 and Security Monitoring Exports—This feature improves your ability to detect and analyze network threats such as denial of service attacks (DoS) by adding 9 fields that NetFlow can capture the values from.A few examples are:
–
–
–
•
–
–
–
–
•
•
•
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Detecting and Analyzing Network Threats With NetFlow" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
•
•
Prerequisites for Detecting and Analyzing Network Threats With NetFlow
Before you can use NetFlow for detecting and analyzing network threats you need to understand NetFlow and how to configure your router to capture IP traffic status and statistics using NetFlow. See the Cisco IOS NetFlow Overview and Configuring NetFlow and NetFlow Data Export modules for more details.
NetFlow and Cisco Express Forwarding (CEF) or distributed CEF (dCEF) must be configured on your system before you enable NetFlow.
Information About Detecting and Analyzing Network Threats With NetFlow
To detect and analyze network threats with NetFlow, you should understand the following concepts:
•
•
NetFlow Layer 2 and Security Monitoring
The Layer 3 and Layer 2 fields supported by the NetFlow Layer 2 and Security Monitoring Exports feature increase the amount of information that can be obtained by NetFlow about the traffic in your network. You can use this new information for applications such as traffic engineering and usage-based billing.
The Layer 3 IP header fields that the NetFlow Layer 2 and Security Monitoring Exports feature captures the values of are:
•
•
•
•
•
See the Layer 3 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports section for more information on these Layer 3 fields.
The Layer 2 fields that NetFlow Layer 2 and Security Monitoring Exports feature captures the values of are:
•
•
•
•
•
See the Layer 2 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports section for more information on these Layer 2 fields.
The Layer 3 fields captured by the NetFlow Layer 2 and Security Monitoring Exports feature improve NetFlow's capabilities for identifying DoS attacks. The Layer 2 fields captured by the NetFlow Layer 2 and Security Monitoring Exports feature can help you identify the path that the DoS attack is taking through the network.
The Layer 3 and Layer 2 fields captured by the NetFlow Layer 2 and Security Monitoring Exports feature are not key fields. They provide additional information about the traffic in an existing flow. Changes in the values of NetFlow key fields such as the source IP address from one packet to the next packet result in the creation of a new flow. For example if the first packet captured by NetFlow has a source IP address of 10.34.0.2 and the second packet captured by NetFlow has a source IP of 172.16.213.65, NetFlow will create two separate flows.
Many DoS attacks consist of an attacker sending the same type of IP datagram over and over again in an attempt to overwhelm the target systems. In such cases the incoming traffic often has similar characteristics such as the same values in each datagram for one or more of the fields that the NetFlow Layer 2 and Security Monitoring Exports feature can capture.
There is no easy way to identify the originator of many DoS attacks because the IP source address of the device sending the traffic is usually forged. However by capturing the MAC address and VLAN-ID fields using the NetFlow Layer 2 and Security Monitoring Exports feature, you can easily trace the traffic back through the network to the router that it is arriving on. If the router that the traffic is arriving on supports NetFlow, you can configure the NetFlow Layer 2 and Security Monitoring Exports feature on it to identify the interface where the traffic is arriving. Figure 1 shows an example of an attack in progress.
Figure 1 DoS Attack Arriving over the Internet
Note
Once you have concluded that a DoS attack is taking place by analyzing the Layer 3 fields in the NetFlow flows, you can analyze the Layer 2 fields in the flows to discover the path that the DoS attack is taking through the network.
An analysis of the data captured by the NetFlow Layer 2 and Security Monitoring Exports feature for the scenario shown in Figure 1 indicates that the DoS attack is arriving on Router C because the upstream MAC address is from the interface that connects Router C to Switch A. It is also evident that there are no routers between the target host (the email server) and the NetFlow router because the destination MAC address of the DoS traffic that the NetFlow router is forwarding to the email server is the MAC address of the email server.
You can find out the MAC address that Host C is using to send the traffic to Router C by configuring the NetFlow Layer 2 and Security Monitoring Exports feature on Router C. The source MAC address will be from Host C. The destination MAC address will be for the interface on the NetFlow router.
Once you know the MAC address that Host C is using and the interface on Router C that Host C's DoS attack is arriving on, you can mitigate the attack by reconfiguring Router C to block Host C's traffic. If Host C is on a dedicated interface you can disable the interface. If Host C is using an interface that carries traffic from other users, you must configure your firewall, or add an ACL, to block Host C's traffic but still allow the traffic from the other users to flow through Router C.
The Configuration Examples for Detecting and Analyzing Network Threats With NetFlow section has two examples for using the NetFlow Layer 2 and Security Monitoring Exports feature to identify an attack in progress and the path that the attack is taking through a network.
Layer 3 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports
The NetFlow Layer 2 and Security Monitoring Exports feature has support for capturing five fields from Layer 3 IP traffic in a flow:
•
•
•
•
•
Figure 2 shows the fields in an IP packet header. Figure 3 shows the fields in an ICMP datagram. ICMP datagrams are carried in the data area of an IP datagram, after the IP header.
Figure 2 IP Packet Header Fields
Figure 3 ICMP Datagram
Layer 2 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports
The NetFlow Layer 2 and Security Monitoring Exports feature has the ability to capture the values of the MAC address and VLAN ID fields from flows. The two supported VLAN types are 802.1q and Cisco's Inter-Switch Link (ISL).
•
•
Understanding Layer 2 MAC Address Fields
The new Layer 2 fields that the NetFlow Layer 2 and Security Monitoring Exports feature captures the values of are:
•
•
•
•
The Ethernet Type II and Ethernet 802.3 frame formats are shown in Figure 4. The destination address field and the source address field in the frame formats are the MAC addresses whose values NetFlow captures. The fields for the Ethernet frame formats are explained in Table 3.
Figure 4 Ethernet Type II and 802.3 Frame Formats
Understanding Layer 2 VLAN ID Fields
NetFlow can capture the value in the VLAN ID field for 802.1q tagged VLANs and Cisco ISL encapsulated VLANs. The section describes the two types of VLANs.
Note
•
Understanding 802.1q VLANs
Devices that use 802.1q insert a four-byte tag into the original frame before it is transmitted. Figure 5 shows the format of an 802.1q tagged Ethernet frame. The fields for 802.1q VLANs are described in Table 4.
Figure 5 802.1q Tagged Ethernet Type II or 802.3 Frame
Table 4 802.1q VLAN Encapsulation Fields
DA, SA, Type or Length, Data, and FCS
These fields are described in Table 3.
Tag Protocol ID (TPID)
This 16-bit field is set to a value of 0x8100 to identify the frame as an IEEE 802.1q tagged frame.
Priority
Also known as user priority, this 3-bit field refers to the 802.1p priority. It indicates the frame priority level which can be used for prioritizing traffic and is capable of representing 8 levels (0-7).
Tag Control Information
The 2-byte Tag Control Information field is comprised of two sub-fields:
•
•
Understanding Cisco ISL VLANs
ISL is a Cisco proprietary protocol for encapsulating frames on a VLAN trunk. Devices that use ISL add an ISL header to the frame. This process is known as VLAN encapsulation. 802.1Q is the IEEE standard for tagging frames on a VLAN trunk. Figure 6 shows the format of a Cisco ISL-encapsulated Ethernet frame. The fields for 802.1q VLANs are described in Table 5.
Figure 6 Cisco ISL Tagged Ethernet Frame
NetFlow Top Talkers
The usual implementation of NetFlow exports NetFlow data to a collector. The NetFlow Top Talkers features can be used for security monitoring or accounting purposes for top talkers, and matching and identifying key traffic in your network. These features are also useful for a network location where a traditional NetFlow export operation is not possible. The NetFlow Top Talkers features do not require a collector to obtain information regarding flows. Instead, the NetFlow data is displayed on the router when the NetFlow Dynamic Top Talkers CLI show ip flow top command, or the NetFlow Top Talkers show ip flow top-talkers is used.
Comparison of the NetFlow Dynamic Top Talkers CLI and NetFlow Top Talkers Features
There are two very similar NetFlow features that can be used for monitoring the highest volume traffic in your network. The feature names are:
•
NetFlow Dynamic Top Talkers CLI
This feature was introduced in 12.4(4)T. The NetFlow Dynamic Top Talkers CLI feature is used to obtain an overview of the highest volume traffic (top talkers) in your network. It provides an overview of the traffic by aggregating the flows in the cache based on the aggregation field that you select when you use the NetFlow Dynamic Top Talkers CLI feature.
The NetFlow Dynamic Top Talkers CLI feature does not require modifications to the configuration of the router. The show ip flow top command is the only command that you need to use for the NetFlow Dynamic Top Talkers CLI feature. You can invoke any of the NetFlow Dynamic Top Talkers CLI options directly from the show ip flow top command whenever you need them.
Note
The NetFlow Dynamic Top Talkers CLI feature aggregates flows and allows them to be sorted so that they can be viewed. The flows can be aggregated on fields in the cache such as source or destination IP address, ICMP type and code values, and so forth. For a full list of the fields that you can aggregate the flows on, refer to the show ip flow top command in the Cisco IOS NetFlow command reference documentation.
The aggregated top talker flows can be sorted by any of the following criteria:
•
•
•
•
•
In addition to sorting top talkers, you can further organize your output by specifying criteria that the top talkers must match, such as source or destination IP address or port. The match keyword is used to specify this criterion. For a full list of the matching criterion that you can select, refer to the show ip flow top command in the Cisco IOS NetFlow command reference documentation.
The NetFlow Dynamic Top Talkers CLI feature can help you quickly identify traffic that is associated with security threats such as DoS attacks because it does not require configuration modifications. You can change the NetFlow Dynamic Top Talkers CLI options for identifying and analyzing network threats in the aggregated flows on-the-fly as you learn more about the traffic that is of interest. For example, after you have identified that there is a lot of ICMP traffic in your network by using the show ip flow top 10 aggregate icmp command you can learn what IP networks the traffic is being sent to by using the show ip flow top 10 aggregate icmp match destination-prefix 172.0.0.0/8 command.
Note
The show ip flow top command:
•
•
•
•
–
–
–
–
show ip flow top and show ip cache verbose flow
Many of the values shown in the display output of the show ip cache verbose flow command are in hexadecimal. If you want to match these values using the show ip flow top command with the match keyword, you must enter the field value that you want to match in hexadecimal. For example, to match on the destination port of 00DC in the following except from the show ip cache verbose flow command, you would use the match destination-port 0x00DC keywords and argument for the show ip flow top command.
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 00 00 20900DC /0 0 00DC /0 0 0.0.0.0 40 281.4MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Match Criteria with the show ip flow top command
You can limit the top talkers that are displayed by the show ip flow top command by using the match keyword and arguments. For example, you can display the IP destination address top talkers that have a prefix of 224.0.0.0 using the show ip flow top 10 aggregate destination-address match destination-prefix 224.0.0.0/3 command.
For a full list of the matching criterion that you can select, refer to the show ip flow top command in the Cisco IOS NetFlow Command Reference. If you do not configure match criteria all of the flows are considered as candidates for aggregation as top talkers based on the volume of traffic they represent.
The Order That Aggregation Occurs in
With the exception of the flows keyword, all matches are performed prior to aggregation, and only matching flows are aggregated. For example, the show ip flow top 5 aggregate destination-address match destination-prefix 172.16.0.0/16 command analyzes all of the available flows looking for any flows that have destination addresses that match the destination-prefix value of 172.16.0.0/16. If it finds any matches it aggregates them, and then displays the number of aggregated destination-address flows that is equal to the number of top talkers that were requested in the command-in this case five.
The flows keyword matches the number of aggregated flows post-aggregation. For example, the show ip flow top 2 aggregate destination-address match 6 command aggregates all of the flows on the values in their destination IP address field, and then displays the top talkers that have 6 aggregated flows.
Number of Flows Matched
If you do not specify match criteria and there is traffic in the flows that includes the field that you used to aggregate the flows on, all of the flows will match. For example, if your router has 20 flows with IP traffic and you enter the show ip flow top 10 aggregate destination-address command the display will indicate that 20 of 20 flows matched, and the 10 top talkers will be displayed.
If you use the match keyword to limit the flows that are aggregated to the flows with a destination prefix of 224.0.0.0/3, and only one flow matches this criterion the output will indicate that one out of six flows matched. For example, if your router has 6 flows with IP traffic, but only one of them has a destination prefix of 224.0.0.0/3, and you enter the show ip flow top 10 aggregate destination-address match destination-prefix 224.0.0.0/3 command, the display will indicate that 1 of 6 flows matched.
If the total number of top talkers is less than the number of top talkers that were requested in the command, the total number of top talkers is displayed. For example, if you enter a value of five for the number of top talkers to display and there are only three top talkers that match the criteria that you used, the display will only include three top talkers.
When a match criterion is included with the show ip flow top command, the display output will indicate "N of M flows matched" where N <= M, N = matched flows, and M = total flows seen. The numbers of flows seen could potentially be more than the total number of flows in the cache if some of the analyzed flows were removed from the cache and new flows were created ahead of the current point, as the top talkers feature sweeps through the cache. Therefore, M is NOT the total number of flows in the cache, but rather, the number of observed flows.
If you attempt to display the top talkers by aggregating them on a field that is not in the cache you will see the "% aggregation-field" is not available for this cache" message. For example, if you use the show ip flow top 5 aggregate source-vlan command, and you have not enabled the capture of VLAN IDs from the flows, you will see the "% VLAN id is not available for this cache" message.
NetFlow Top Talkers
This feature was introduced in 12.3(11)T. NetFlow Top Talkers is used to obtain information about individual flows in the cache. It does not aggregate the flows like the NetFlow Dynamic Top Talkers CLI feature.
The NetFlow Top Talkers feature compares all of the flows and displays information about each of the flows that have the heaviest traffic volumes (top talkers). The show ip flow top-talkers command requires you to pre-configure the router using the NetFlow Top Talkers configuration commands:
•
•
–
–
•
•
For a full list of the matching criterion that you can select, refer to the ip flow top-talkers command in the Cisco IOS NetFlow Command Reference. If you do not configure match criteria all of the flows are considered as candidates as top talkers based on the volume of traffic they represent.
•
For more information on the NetFlow Top Talkers feature, refer to Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands.
Filtering and Sampling of NetFlow Traffic
NetFlow provides highly granular per-flow traffic statistics in a Cisco router. A flow is a unidirectional stream of packets that arrive at the router on the same subinterface, have the same source and destination IP addresses, Layer 4 protocol, TCP/UDP source and destination ports, and the same ToS (type of service) byte in the IP headers. The router accumulates NetFlow statistics in a NetFlow cache and can export them to an external device (such as the Cisco Networking Services (CNS) NetFlow Collection Engine) for further processing.
Full NetFlow accounts for all traffic entering the subinterface on which it is enabled. But in some cases, you might gather NetFlow data on only a subset of this traffic. The Random Sampled NetFlow feature and the NetFlow Input Filters feature each provide ways to limit incoming traffic to only traffic of interest for NetFlow processing. Random Sampled NetFlow provides NetFlow data for a subset of traffic in a Cisco router by processing only one randomly selected packet out of n sequential packets. The NetFlow Input Filters feature provides the capability to gather NetFlow data on only a specific user-defined subset of traffic.
Note
Note
Table 6 compares the NetFlow Input Filters feature and the NetFlow Random Sampled feature.
NetFlow Input Filters: Flow Classification
For the NetFlow Input Filters feature, classification of packets can be based on any of the following: IP source and destination addresses, Layer 4 protocol and port numbers, incoming interface, MAC address, IP Precedence, DSCP value, Layer 2 information (such as Frame-Relay DE bits or Ethernet 802.1p bits), and Network-Based Application Recognition (NBAR) information. The packets are classified (filtered) on the above criteria, and flow accounting is applied to them on subinterfaces.
The filtering mechanism uses the Modular QoS Command-Line Interface (MQC) to classify flows. You can create multiple filters with matching samplers on a per-subinterface basis. For example, you can subdivide subinterface traffic into multiple classes based on type of service (ToS) values or destination prefixes (or both). For each class, you can also configure sampling at a different rate, using higher rates for higher-priority classes of traffic and lower rates for lower-priority ones.
MQC has many policies (actions) such as bandwidth rate and queuing management. These policies are applied only if a packet matches a criterion in a class map that is applied to the subinterface. A class map contains a set of match clauses and instructions on how to evaluate the clauses and acts as a filter for the policies, which are applied only if a packet's content satisfies the match clause. The NetFlow Input Filters feature adds NetFlow accounting to the MQC infrastructure, which means that flow accounting is done on a packet only if it satisfies the match clauses.
Two types of filter are available:
•
•
For more information on Modular QoS Command-Line Interface (MQC) refer to the Cisco IOS Quality of Service Solutions Configuration Guide.
Random Sampled NetFlow: Sampling Mode
Sampling mode makes use of an algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode that the Random Sampled NetFlow feature uses, incoming packets are randomly selected on average one out of each n sequential packets is selected for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th packet and then the 120th, 230th, 302nd, and so on. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter that you can configure from 1 to 65535 packets.
Random Sampled NetFlow: The NetFlow Sampler Map
Random Sampled NetFlow is useful if you have too much traffic and you want to limit the traffic that is analyzed. A NetFlow sampler map is created with the flow-sampler-map sampler-map-name command. The sampling mode for the sampler map is configured with the mode random one-out-of sampling-rate command. The range of values for the sampling-rate argument is 1 to 65535. Each NetFlow sampler map can be applied to one or many subinterfaces as well as physical interfaces. The sampler map is applied to an interface or subinterface with the flow-sampler sampler-map-name command. You can define up to eight NetFlow sampler maps.
How to Configure and Use NetFlow to Detect and Analyze Network Threats
Using NetFlow to detect and analyze network threats requires a combination of configuration commands and show commands. You start by configuring the NetFlow Layer 2 and Security Monitoring Exports feature to capture values of the additional non-key fields from the flows so that they can be displayed in the cache by the NetFlow show commands. Capturing the values in the additional non-key fields is required so that you can identify the path the traffic is taking through the network and other characteristics of the traffic such as TTL values and packet length values.
After you configure the NetFlow Layer 2 and Security Monitoring Exports feature, you use the NetFlow Dynamic Top Talkers CLI command to obtain an overview of the traffic flows the router is forwarding. The overview displays information such as the protocol distribution in the flows, the source ip addresses that are sending the flows, and the networks the flows are being sent to.
After you identify the type of flows that you want to focus, on such as ICMP traffic, and other characteristics such as source IP addresses and destination network prefixes, you use the NetFlow Top Talkers feature to obtain more focused and detailed information on the individual flows. The NetFlow Top Talkers feature is configured with match criteria that focuses it on the types of traffic that you have identified. If your router is keeping track of several flows and you are only interested in analyzing a subset of them you, can configure NetFlow Input Filters to limit the flows that NetFlow is tracking.
Prerequisites
CEF or dCEF must be configured globally, and on the interface that you want to run NetFlow on, before you configure NetFlow Layer 2 and Security Monitoring Exports.
You must have NetFlow enabled on at least one interface in the router before you configure NetFlow Layer 2 and Security Monitoring Exports.
If you want to capture the values of the Layer 3 IP fragment offset field from the IP headers in your IP traffic using the ip flow-capture fragment-offset command, your router must be running Cisco IOS 12.4(2)T or later.
This section contains the following procedures:
•
•
•
•
•
•
•
•
Configuring NetFlow Layer 2 and Security Monitoring Exports
Perform the following task to configure the NetFlow Layer 2 and Security Monitoring Exports feature.
Prerequisites
To export the data captured with the NetFlow Layer 2 and Security Monitoring feature, you must configure NetFlow to use the NetFlow Version 9 data export format.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
and/or
ip flow egress12.
DETAILED STEPS
Verifying NetFlow Layer 2 and Security Monitoring Exports
This task verifies that NetFlow Layer 2 and Security Monitoring Exports is configured correctly. The show ip cache verbose flow command gives a detailed view of the status and statistics for flows in the NetFlow main cache. The values for the NetFlow non-key fields that you have configured with the NetFlow Layer 2 and Security Monitoring Exports feature are included for each flow.
To see the values of the fields that you have configured the NetFlow Layer 2 and Security Monitoring Exports feature to capture, your router must be forwarding IP traffic that meets the criteria for these fields. For example, if you configure the ip flow-capture vlan-id command, your router must be forwarding IP datagrams over interfaces that are configured as VLAN trunks to capture the VLAN-ID values from the layer-two frames carrying the IP datagrams in the flow.
Restrictions
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running dCEF, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7500 Series Platform
To display detailed NetFlow cache information on a Cisco 7500 series router that is running distributed dCEF, enter the following sequence of commands:
Router# if-con slot-numberLC-slot-number# show ip cache verbose flowFor Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flowCisco 12000 Series Platform
To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-numberLC-slot-number# show ip cache verbose flowFor Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flow
To verify the configuration of NetFlow Layer 2 and Security Monitoring Exports use the following step.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
This example shows that NetFlow Layer 2 and Security Monitoring Exports is working properly because the values have been captured from the non-key Layer 3 and Layer 2 fields in the flows. The values captured in the flows are shown in bold text.
Router# show ip cache verbose flowIP packet size distribution (33978 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.856 .143 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000IP Flow Switching Cache, 278544 bytes14 active, 4082 inactive, 59 added12452 ager polls, 0 flow alloc failuresActive flows timeout in 10 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 25736 bytes28 active, 996 inactive, 148 added, 59 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-SMTP 2 0.0 1730 40 3.6 600.7 0.2UDP-other 31 0.0 1 54 0.0 3.6 16.8ICMP 12 0.0 1728 28 22.0 600.1 0.1Total: 45 0.0 538 29 25.7 189.2 11.6SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk Active...Et0/0.1 10.71.200.138 Et1/0.1 172.16.10.2 01 00 10 6960000 /0 0 0C01 /0 0 0.0.0.0 28 241.4MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0
Using NetFlow Dynamic Top Talkers CLI to Display the Protocol Distribution
You can obtain a quick overview of the traffic in your network by viewing the protocol distribution. Use this task to display the top talkers (aggregated flows) for these three IPv4 protocol types:
•
•
•
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
The following example looks for up to three top talkers, aggregates them on the protocol field, sorts them by packets, and displays the output in descending order:
Router# show ip flow top 3 aggregate protocol sorted-by packets descendingThere are 3 top talkers:IPV4 PROT bytes pkts flows========= ========== ========== ==========1 406196 14507 126 96560 2414 217 52 1 115 of 15 flows matched.Table 7 describes the significant fields shown in the display output.
All 15 flows in the router are aggregated into three top talkers. In this example all of the flow traffic is top talker traffic.
The majority of the traffic is ICMP traffic (IP protocol type 1). This might indicate an ICMP DoS attack is in progress.
Using NetFlow Dynamic Top Talkers CLI to Display the Source IP Address Top Talkers Sending ICMP Traffic
The display output from the show ip flow top 10 aggregate protocol sorted-by packets descending used in Using NetFlow Dynamic Top Talkers CLI to Display the Protocol Distribution section indicates that there is a possible ICMP-based DoS attack in progress. The next step to take is to identify the flows that are sending the ICMP traffic. In this case the flows will be aggregated on the source IP addresses.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
The following command looks for up to 20 top talkers, aggregates them on the source IP address, sorts them by packets, and matches on the protocol icmp:
Router# show ip flow top 20 aggregate source-address sorted-by packets match protocol icmpThere are 6 top talkers:IPV4 SRC-ADDR bytes pkts flows=============== ========== ========== ==========10.132.221.111 90440 3230 110.10.12.1 90440 3230 110.251.138.218 90440 3230 110.71.200.138 90384 3228 110.231.185.254 90384 3228 110.106.1.1 90356 3227 16 of 15 flows matched.RouterTable 8 describes the significant fields shown in the display.
The ICMP traffic is aggregated into six top talkers (source IP addresses). Each top talker has one flow. No aggregation is performed on this traffic because there is a 1-to-1 correlation of IP source addresses and flows.
Using NetFlow Dynamic Top Talkers CLI to Display the Destination IP Address Top Talkers Receiving ICMP Traffic
The display output from the show ip flow top 5 aggregate source-address sorted-by packets match protocol icmp command used in Using NetFlow Dynamic Top Talkers CLI to Display the Source IP Address Top Talkers Sending ICMP Traffic section showed the six top talkers (IP source addresses) that are sending the 12 ICMP traffic flows. The next step to take is to identify the flows that are the target of the ICMP traffic. In this case the flows will be aggregated on the destination IP addresses.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
The following command looks for up to 20 top talkers, aggregates them on the destination IP address, sorts them by packets, and matches on the protocol icmp
Router# show ip flow top 20 aggregate destination-address sorted-by packets match protocol icmpThere is 1 top talker:IPV4 DST-ADDR bytes pkts flows=============== ========== ========== ==========172.16.10.2 407456 14552 66 of 14 flows matched.RouterTable 9 describes the significant fields shown in the display.
The previous task identified six ICMP top talkers based on source IP addresses that each had one flow. This task identified that there is one ICMP top talker based on destination IP addresses that is the target for 6 individual flows. There is a 1-to-1 correlation between the number of ICMP flows in the top talkers aggregated on the source IP address and the number of ICMP flows in the top talkers aggregated on the destination IP address. There is a high probability that an ICMP-based DoS attack on the host with the IP address of 172.16.10.2 is in progress.
Configuring NetFlow Top Talkers to Monitor Network Threats
The previous task (Using NetFlow Dynamic Top Talkers CLI to Display the Destination IP Address Top Talkers Receiving ICMP Traffic) identified a probable ICMP-based DoS attack on the host with the IP address 172.16.10.2. This task uses the NetFlow Top Talkers feature to configure the router to monitor the DoS attack by tracking the individual ICMP flows. After you have configured the NetFlow Top Talkers feature to focus on the DoS attack traffic, you can use the show ip flow top-talkers verbose command to identify the path the DoS traffic is taking through the network.
Perform the following task to configure the NetFlow Top Talkers feature.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Monitoring and Analyzing the NetFlow Top Talkers Flows
To monitor and analyze the NetFlow Top Talkers flows, use the following step.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
The following sample shows details for the six traffic flows that are being sent to the host with IP address 172.16.10.2.
Router# show ip flow top-talkers verboseSrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs BytesPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0.1 10.106.1.1 Et1/0.1 172.16.10.2 01 00 10 94080000 /0 0 0800 /0 0 0.0.0.0 28 116.3MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 8 ICMP code: 0IP id: 0Et0/0.1 10.132.221.111 Et1/0.1 172.16.10.2 01 00 10 94080000 /0 0 0800 /0 0 0.0.0.0 28 116.4MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 8 ICMP code: 0IP id: 0Et0/0.1 10.10.12.1 Et1/0.1 172.16.10.2 01 00 10 94080000 /0 0 0C01 /0 0 0.0.0.0 28 116.4MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 01 00 10 94080000 /0 0 0C01 /0 0 0.0.0.0 28 116.4MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.71.200.138 Et1/0.1 172.16.10.2 01 00 10 94080000 /0 0 0C01 /0 0 0.0.0.0 28 116.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.231.185.254 Et1/0.1 172.16.10.2 01 00 10 94080000 /0 0 0C01 /0 0 0.0.0.0 28 116.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 06 of 50 top talkers shown. 6 of 8 flows matched.
Note
Note
This display output contains the information required for determining the path that the DoS attack traffic is taking through the network. This information will be used to react to the DoS attack by adding security measures such as access-lists to the affected interfaces. Table 10 describes the significant fields in the display from the show ip flow top-talkers verbose command for determining the network path the DoS traffic is taking.
The flows in this example show only the ICMP DoS attack traffic that is destined for the host with IP address 172.16.10.2. These flows were created specifically for documenting this task. In a real network, the host under attack might be communicating with other hosts that are using legitimate applications such as e-mail and web sites. In this case, the Top Talkers match filter on the destination IP address (match destination address 172.16.10.2/32) that was configured in the "Configuring NetFlow Top Talkers to Monitor Network Threats" section will not limit the display of the show ip flow top-talkers command to the ICMP DoS attack traffic.
Note
If you are using the Top Talkers feature to analyze a network threat and you are not able to use the basic match filters to limit the display of the show ip flow top-talkers command to the traffic that you are analyzing, you can use NetFlow filtering and sampling to limit the traffic that shows up in the display of the show ip flow top-talkers command. The process for configuring NetFlow filtering and sampling is explained in the "Configuring NetFlow Filtering and Sampling" section.
Configuring NetFlow Filtering and Sampling
If you use the show ip cache flow command or the show ip cache verbose flow command to display the flows in the cache, you will see the ICMP flows that are selected by NetFlow filtering and sampling on interface Ethernet0/0.1, and flows for all NetFlow supported traffic types on any other interfaces that NetFlow is running on. The show ip flow top-talkers [verbose] command is used to display the flow status and statistics for the traffic type you configured with the match criteria over interfaces to which you applied the service policy. For example, in this case you configured top talkers to match on ICMP traffic sent from any host that is arriving on Ethernet0/0.1 and destined for 172.16.10.2.
In this task the Top Talkers feature is being used more as a flow filter to separate flows of interest from all of the flows the router is seeing, rather than a filter to display the flows with the highest traffic volumes. Top talkers is used in this manner because in this example all of the ICMP DoS attack flows are of interest, not just the flows with the highest volumes. This is why a large value is assigned to the top keyword in the top talkers configuration. Setting the value for the top keyword to 50 when the largest number of ICMP DoS attack flows tracked by the router is 12 ensures that all of the ICMP DoS attack flows will be tracked.
If your router sees a significant number of flows involved in a DoS attack, you might want to set the value for the top keyword to a number that is less than the total number of flows to limit the number of flows that you see in the display when you use the show ip flow top-talkers command. This will ensure that you are seeing the flows that have the highest volume of DoS attack traffic. However, if all of the flows have the same traffic volume, the show ip flow top-talkers command will not be able to differentiate between them. It displays the number of flows that you set the value of the top keyword to, starting from the first flow in the cache.
Perform the following task to configure NetFlow Filtering and sampling.
Restrictions
Restrictions for NetFlow Input Filters
On Cisco 7500 platforms, the NetFlow Input Filters feature is supported only in distributed mode.
Restrictions for Random Sampled NetFlow
If full NetFlow is enabled on an interface, it takes precedence over Random Sampled NetFlow (which will thus have no effect). Disable full NetFlow on an interface before enabling Random Sampled NetFlow on that interface.
Enabling Random Sampled NetFlow on a physical interface does not automatically enable Random Sampled NetFlow on subinterfaces; you must explicitly configure it on subinterfaces. Also, disabling Random Sampled NetFlow on a physical interface (or a subinterface) does not enable full NetFlow. This restriction prevents the transition to full NetFlow from overwhelming the physical interface (or subinterface). If you want full NetFlow, you must explicitly enable it.
You must use NetFlow Version 9 if you want to use sampler option templates or view NetFlow sampler IDs.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
DETAILED STEPS
Verify NetFlow Filtering and Sampling
To verify that filtering and sampling is working properly, use the following step.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Any non-zero value in the display output below indicates that Filtering and sampling is active.
Router# show flow-samplerSampler : icmp-dos-fs-map, id : 1, packets matched : 63226, mode : random sampling modesampling interval is : 2Router
Monitoring and Analyzing the Sampled and Filtered NetFlow Top Talkers Flows
To monitor and analyze the filtered and sampled NetFlow top talkers flows use the following step.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Step 1
The following sample output shows the six traffic flows that are being sent to the host with IP address 172.16.10.2.
Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt0/0.1 10.231.185.254 Et1/0.1 172.16.10.2 01 0000 0C01 5460Et0/0.1 10.106.1.1 Et1/0.1 172.16.10.2 01 0000 0800 5124Et0/0.1 10.132.221.111 Et1/0.1 172.16.10.2 01 0000 0800 5012Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 01 0000 0C01 4844Et0/0.1 10.10.12.1 Et1/0.1 172.16.10.2 01 0000 0C01 4704Et0/0.1 10.71.200.138 Et1/0.1 172.16.10.2 01 0000 0C01 43966 of 50 top talkers shown. 6 of 7 flows matched.Step 2
The following sample output below shows the details for the six traffic flows that are being sent to the host with IP address 172.16.10.2.
Router# show ip flow top-talkers verboseSrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs BytesPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0.1 10.106.1.1 Et1/0.1 172.16.10.2 01 00 10 28840000 /0 0 0800 /0 0 0.0.0.0 28 64.6Sampler: 1 Class: 1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 8 ICMP code: 0IP id: 0Et0/0.1 10.132.221.111 Et1/0.1 172.16.10.2 01 00 10 28280000 /0 0 0800 /0 0 0.0.0.0 28 64.6Sampler: 1 Class: 1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 8 ICMP code: 0IP id: 0Et0/0.1 10.231.185.254 Et1/0.1 172.16.10.2 01 00 10 27160000 /0 0 0C01 /0 0 0.0.0.0 28 64.6Sampler: 1 Class: 1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.71.200.138 Et1/0.1 172.16.10.2 01 00 10 25480000 /0 0 0C01 /0 0 0.0.0.0 28 58.0Sampler: 1 Class: 1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 01 00 10 24360000 /0 0 0C01 /0 0 0.0.0.0 28 64.6Sampler: 1 Class: 1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.10.12.1 Et1/0.1 172.16.10.2 01 00 10 23520000 /0 0 0C01 /0 0 0.0.0.0 28 57.7Sampler: 1 Class: 1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 28 Max plen: 28Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 06 of 50 top talkers shown. 6 of 7 flows matched.
Configuration Examples for Detecting and Analyzing Network Threats With NetFlow
This section provides the following configuration examples:
•
•
•
•
•
Configuring NetFlow Layer 2 and Security Monitoring Exports to Capture Traffic From a Simulated FTP Attack: Example
The following example shows how to use the NetFlow Layer 2 and Security Monitoring Exports feature to find out whether your network is being attacked by a host that is sending fake FTP traffic in an attempt to overwhelm the FTP server. This attack might cause end users to see a degradation in the ability of the FTP server to accept new connections or to service existing connections.
This example uses the network shown in Figure 7. Host A is sending fake FTP packets to the FTP server.
This example also shows you how to use the Layer 2 data captured by the NetFlow Layer 2 and Security Monitoring Exports feature to learn where the traffic is originating and what path it is taking through the network.
Figure 7 Test Network
Tip
Note
R2
!hostname R2!interface Ethernet0/0mac-address aaaa.bbbb.cc02ip address 172.16.1.2 255.255.255.0!interface Ethernet1/0mac-address aaaa.bbbb.cc03no ip address!interface Ethernet1/0.1encapsulation dot1Q 5ip address 172.16.6.1 255.255.255.0!!router ripversion 2network 172.16.0.0no auto-summary!R3
!hostname R3!ip flow-capture fragment-offsetip flow-capture packet-lengthip flow-capture ttlip flow-capture vlan-idip flow-capture ip-idip flow-capture mac-addresses!interface Ethernet0/0mac-address aaaa.bbbb.cc04no ip address!interface Ethernet0/0.1encapsulation dot1Q 5ip address 172.16.6.2 255.255.255.0ip accounting output-packetsip flow ingress!interface Ethernet1/0mac-address aaaa.bbbb.cc05no ip address!interface Ethernet1/0.1encapsulation dot1Q 6ip address 172.16.7.1 255.255.255.0ip accounting output-packetsip flow egress!router ripversion 2network 172.16.0.0no auto-summary!R4
!hostname R4!interface Ethernet0/0mac-address aaaa.bbbb.cc07ip address 172.16.10.1 255.255.255.0!interface Ethernet1/0mac-address aaaa.bbbb.cc06no ip address!interface Ethernet1/0.1encapsulation dot1Q 6ip address 172.16.7.2 255.255.255.0!router ripversion 2network 172.16.0.0no auto-summary!Analyze an FTP DoS Attack Using the show ip cache verbose flow command: Example
The show ip cache verbose flow command displays the NetFlow flows. You can use this display output to identify the path that the FTP traffic from Host A is taking as it is received and transmitted by R3.
Note
Tip
R3# show ip cache verbose flowIP packet size distribution (189118 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.043 .610 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .173 .000 .173 .000 .000 .000 .000 .000 .000IP Flow Switching Cache, 278544 bytes25 active, 4071 inactive, 615 added263794 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 25736 bytes50 active, 974 inactive, 1648 added, 615 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-FTP 12 0.0 895 40 0.9 1363.8 5.5TCP-FTPD 12 0.0 895 40 0.9 1363.8 5.6Total: 590 0.0 317 383 16.1 430.1 12.4Et0/0.1 192.168.87.200 Et1/0.1 172.16.10.2 06 00 00 630015 /0 0 0015 /0 0 0.0.0.0 40 94.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 192.168.87.200 Et1/0.1 172.16.10.2 06 00 00 630014 /0 0 0014 /0 0 0.0.0.0 40 94.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 10.10.10.2 Et1/0.1 172.16.10.2 06 00 00 640015 /0 0 0015 /0 0 0.0.0.0 40 96.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 10.10.10.2 Et1/0.1 172.16.10.2 06 00 00 640014 /0 0 0014 /0 0 0.0.0.0 40 96.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 10.234.53.1 Et1/0.1 172.16.10.2 06 00 00 630015 /0 0 0015 /0 0 0.0.0.0 40 94.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 10.234.53.1 Et1/0.1 172.16.10.2 06 00 00 630014 /0 0 0014 /0 0 0.0.0.0 40 94.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 172.30.231.193 Et1/0.1 172.16.10.2 06 00 00 630015 /0 0 0015 /0 0 0.0.0.0 40 94.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 172.30.231.193 Et1/0.1 172.16.10.2 06 00 00 630014 /0 0 0014 /0 0 0.0.0.0 40 94.5MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 40 Max plen: 40Min TTL: 59 Max TTL: 59IP id: 0There are 8 FTP flows shown in the output. You can use the Layer 2 information in the flows that is captured by the ip flow-capture command to identify the path the traffic is taking through the network. In this example, the traffic is being sent to R3 on VLAN 5 by R2. You can demonstrate that R2 is transmitting the traffic over interface 1/0.1 because the source MAC address (aaaa.bbb.cc03) belongs to 1/0.1 on R2. You can demonstrate that R3 is transmitting the traffic using VLAN 6 on interface 1/0.1 to interface 1/0.1 on R4, because the destination MAC address (aaaa.bbbb.cc06) belongs to interface 1/0.1 on R4.
Note
You can use this information to mitigate this attack. One possible way to mitigate this attack is by configuring an extended IP access list that blocks all FTP traffic from the source IP addresses that Host A is spoofing and applying it Ethernet 0/0 on R2.
Analyze an FTP DoS Attack Using NetFlow Dynamic Top Talkers CLI: Example
You can use the NetFlow Dynamic Top Talkers CLI feature to quickly identify the FTP top talkers in the network traffic that might be sending the traffic. This will show you the IP source addresses that Host A is using as it sends the DoS attack traffic.
R3# show ip flow top 50 aggregate source-address sorted-by bytes descending match destination-port min 20 max 21There are 5 top talkers:IPV4 SRC-ADDR bytes pkts flows=============== ========== ========== ==========10.231.185.254 5640 141 210.132.221.111 3680 92 210.10.12.1 3640 91 210.251.138.218 3600 90 210.71.200.138 1880 47 19 of 34 flows matched.
Note
Note
Tip
Tip
After you have identified FTP top talkers traffic you need to identify the source IP addresses of IP traffic that is being sent to the host that you believe is under attack.
R3# show ip flow top 50 aggregate source-address match destination-prefix 172.16.10.2/32There are 6 top talkers:IPV4 SRC-ADDR bytes pkts flows=============== ========== ========== ==========10.251.138.218 6642 18 410.231.185.254 5068 28 410.132.221.111 14818 25 410.106.1.1 12324 12 210.71.200.138 12564 18 310.10.12.1 560 14 219 of 33 flows matched.
Tip
Note
The final step is to cross reference the source IP addresses of any hosts that are sending any IP traffic to the host under attack with the list of source IP addresses from the FTP top talkers. This is required because the show ip flow top command does not support multiple match criteria. Therefore you cannot limit the top talkers to FTP traffic being sent to a specific host with a single show ip flow top command (match destination-port min 20 max 21 <and> match destination-prefix 172.16.10.2/32).
The host with the IP address of 10.106.1.1 is apparently not involved in this DoS attack because it is not in the display output from the show ip flow top 50 aggregate source-address sorted-by bytes descending match destination-port min 20 max 21 command. This means that it is not sending FTP traffic to the host that is under attack.
Therefore the host IP addressees involved in this FTP DoS attack are likely to be:
•
•
•
•
•
Now that you know the source addresses of the FTP traffic you can configure an extended access list that blocks FTP traffic from these address, and apply it to the interface that is closest to the point the traffic is entering your network.
Note
Configuring NetFlow Layer 2 and Security Monitoring Exports to Capture Traffic From a Simulated ICMP Attack: Example
The following example shows how to use the NetFlow Layer 2 and Security Monitoring Exports feature to find out that your network is being attacked by ICMP traffic. It uses the network shown in Figure 8. Host A is sending ICMP ping packets to the FTP server.
Figure 8 Test Network
Tip
R2
!hostname R2!interface Ethernet0/0mac-address aaaa.bbbb.cc02ip address 172.16.1.2 255.255.255.0!interface Ethernet1/0mac-address aaaa.bbbb.cc03no ip address!interface Ethernet1/0.1encapsulation dot1Q 5ip address 172.16.6.1 255.255.255.0!!router ripversion 2network 172.16.0.0no auto-summary!R3
!hostname R3!ip flow-capture fragment-offsetip flow-capture packet-lengthip flow-capture ttlip flow-capture vlan-idip flow-capture icmpip flow-capture ip-idip flow-capture mac-addresses!interface Ethernet0/0mac-address aaaa.bbbb.cc04no ip address!interface Ethernet0/0.1encapsulation dot1Q 5ip address 172.16.6.2 255.255.255.0ip accounting output-packetsip flow ingress!interface Ethernet1/0mac-address aaaa.bbbb.cc05no ip address!interface Ethernet1/0.1encapsulation dot1Q 6ip address 172.16.7.1 255.255.255.0ip accounting output-packetsip flow egress!router ripversion 2network 172.16.0.0no auto-summary!R4
!hostname R4!interface Ethernet0/0mac-address aaaa.bbbb.cc07ip address 172.16.10.1 255.255.255.0!interface Ethernet1/0mac-address aaaa.bbbb.cc06no ip address!interface Ethernet1/0.1encapsulation dot1Q 6ip address 172.16.7.2 255.255.255.0!router ripversion 2network 172.16.0.0no auto-summary!Analyze an ICMP Ping DoS Attack Using the show ip cache verbose flow command: Example
The show ip cache verbose flow command displays the NetFlow flows. You can use this display output to identify the path that the ICMP traffic from Host A is taking as it is received and transmitted by R3.
Note
Tip
R3# show ip cache verbose flowIP packet size distribution (122369 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.065 .665 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .134 .000 .134 .000 .000 .000 .000 .000 .000IP Flow Switching Cache, 278544 bytes24 active, 4072 inactive, 404 added176657 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 25736 bytes48 active, 976 inactive, 1088 added, 404 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowICMP 27 0.0 1131 763 3.9 1557.4 3.6Total: 380 0.0 267 257 13.0 382.8 12.6SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0.1 10.106.1.1 Et1/0.1 172.16.10.2 01 00 10 8640000 /0 0 0800 /0 0 0.0.0.0 1500 1089.9MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1500 Max plen: 1500Min TTL: 59 Max TTL: 59ICMP type: 8 ICMP code: 0IP id: 0Et0/0.1 10.71.200.138 Et1/0.1 172.16.10.2 01 00 00 8640000 /0 0 0000 /0 0 0.0.0.0 554 1090.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 554 Max plen: 554Min TTL: 59 Max TTL: 59ICMP type: 0 ICMP code: 0IP id: 0 FO: 185Et0/0.1 10.231.185.254 Et1/0.1 172.16.10.2 01 00 00 8640000 /0 0 0000 /0 0 0.0.0.0 554 1090.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 554 Max plen: 554Min TTL: 59 Max TTL: 59ICMP type: 0 ICMP code: 0IP id: 0 FO: 185Et0/0.1 10.10.12.1 Et1/0.1 172.16.10.200 01 00 00 8640000 /0 0 0000 /0 0 0.0.0.0 554 1090.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 554 Max plen: 554Min TTL: 59 Max TTL: 59ICMP type: 0 ICMP code: 0IP id: 0 FO: 185Et0/0.1 10.132.221.111 Et1/0.1 172.16.10.2 01 00 10 8640000 /0 0 0800 /0 0 0.0.0.0 1500 1089.9MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1500 Max plen: 1500Min TTL: 59 Max TTL: 59ICMP type: 8 ICMP code: 0IP id: 0Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 01 00 00 8640000 /0 0 0000 /0 0 0.0.0.0 554 1089.9MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 554 Max plen: 554Min TTL: 59 Max TTL: 59ICMP type: 0 ICMP code: 0IP id: 0 FO: 185Et0/0.1 10.10.12.1 Et1/0.1 172.16.10.200 01 00 10 8640000 /0 0 0C01 /0 0 0.0.0.0 1500 1090.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1500 Max plen: 1500Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.106.1.1 Et1/0.1 172.16.10.2 01 00 00 8640000 /0 0 0000 /0 0 0.0.0.0 554 1089.9MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 554 Max plen: 554Min TTL: 59 Max TTL: 59ICMP type: 0 ICMP code: 0IP id: 0 FO: 185Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 01 00 10 8640000 /0 0 0C01 /0 0 0.0.0.0 1500 1089.9MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1500 Max plen: 1500Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.71.200.138 Et1/0.1 172.16.10.2 01 00 10 8640000 /0 0 0C01 /0 0 0.0.0.0 1500 1090.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1500 Max plen: 1500Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0Et0/0.1 10.132.221.111 Et1/0.1 172.16.10.2 01 00 00 8640000 /0 0 0000 /0 0 0.0.0.0 554 1089.9MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 554 Max plen: 554Min TTL: 59 Max TTL: 59ICMP type: 0 ICMP code: 0IP id: 0 FO: 185Et0/0.1 10.231.185.254 Et1/0.1 172.16.10.2 01 00 10 8640000 /0 0 0C01 /0 0 0.0.0.0 1500 1090.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1500 Max plen: 1500Min TTL: 59 Max TTL: 59ICMP type: 12 ICMP code: 1IP id: 0There are 12 ICMP flows shown in the output. You can use the Layer 2 information in the flows that is captured by the ip flow-capture command to identify the path the traffic is taking through the network. In this example, the traffic is being sent to R3 on VLAN 5 by R2. You can demonstrate that R2 is transmitting the traffic over interface 1/0.1 because the source MAC address (aaaa.bbb.cc03) belongs to 1/0.1 on R2. You can demonstrate that R3 is transmitting the traffic using VLAN 6 on interface 1/0.1 to interface 1/0.1 on R4, because the destination MAC address (aaaa.bbbb.cc06) belongs to interface 1/0.1 on R4.
Note
You can use this information to mitigate this attack. One possible way to mitigate this attack is by configuring an extended IP access list that blocks all ICMP traffic from the source IP addresses that Host A is spoofing and applying it Ethernet 0/0 on R2.
Analyze an ICMP Ping DoS Attack Using NetFlow Dynamic Top Talkers CLI: Example
You can use the NetFlow Dynamic Top Talkers CLI feature to quickly identify the ICMP top talkers in the network traffic that might be sending the traffic. This will show you the IP source addresses that Host A is using as it sends the DoS attack traffic.
R3# show ip flow top 50 aggregate icmpThere are 3 top talkers:ICMP TYPE ICMP CODE bytes pkts flows========= ========= ========== ========== ==========12 1 2466000 1644 48 0 1233000 822 20 0 1366164 2466 612 of 25 flows matched.
Note
Tip
After you have identified the ICMP types and code values in the network traffic, you need to determine the source IP addresses for the ICMP traffic that being sent to the FTP server.
R3# show ip flow top 50 aggregate source-address match icmp type 12 code 1There are 4 top talkers:IPV4 SRC-ADDR bytes pkts flows=============== ========== ========== ==========10.251.138.218 867000 578 110.231.185.254 865500 577 110.71.200.138 865500 577 110.10.12.1 867000 578 14 of 24 flows matched.
Note
Note
R3# show ip flow top 50 aggregate source-address match icmp type 8 code 0There are 2 top talkers:IPV4 SRC-ADDR bytes pkts flows=============== ========== ========== ==========10.132.221.111 1095000 730 110.106.1.1 1095000 730 12 of 24 flows matched.
Note
Note
R3# show ip flow top 50 aggregate source-address match icmp type 0 code 0There are 6 top talkers:IPV4 SRC-ADDR bytes pkts flows=============== ========== ========== ==========10.251.138.218 416608 752 110.231.185.254 416608 752 110.132.221.111 416608 752 110.106.1.1 416608 752 110.71.200.138 416608 752 110.10.12.1 416608 752 16 of 24 flows matched.
Note
Note
The next step is to create a list of the source IP addresses that Host A is using.
•
•
•
•
•
•
Now that you know the source addresses of the ICMP DoS attack traffic, you can mitigate this attack by configuring an extended access list that blocks ICMP traffic from these address and applying it to the interface that is closest to the point that the traffic is entering your network.
Configure NetFlow Filtering and Sampling: Example
This example configuration contains the configuration commands required to use NetFlow filtering and sampling on the NetFlow router.
!hostname Router!ip cef!flow-sampler-map icmp-dos-fs-mapmode random one-out-of 2!!class-map match-any icmp-dos-class-mapmatch access-group 101!!policy-map icmp-dos-policy-mapclass icmp-dos-class-mapnetflow-sampler icmp-dos-fs-map!interface Ethernet0/0mac-address aaaa.bbbb.cc04no ip address!interface Ethernet0/0.1encapsulation dot1Q 5ip address 172.16.6.2 255.255.255.0service-policy input icmp-dos-policy-map!interface Ethernet1/0.1encapsulation dot1Q 6ip address 172.16.7.1 255.255.255.0ip flow egress!ip flow-capture fragment-offsetip flow-capture packet-lengthip flow-capture ttlip flow-capture vlan-idip flow-capture icmpip flow-capture ip-idip flow-capture mac-addresses!ip flow-top-talkerstop 5sort-by bytesmatch class-map icmp-dos-class-map!access-list 101 permit icmp any host 172.16.10.2!endWhere to Go Next
See the "Related Documents" section for links to configuration information about additional NetFlow features and services.
Additional References
The following sections provide references related to NetFlow Layer 2 and Security Monitoring Exports.
Related Documents
Overview of Cisco IOS NetFlow
List of the features documented in the Book Title configuration guide
The minimum information about and tasks required for configuring NetFlow and NetFlow Data Export
"Getting Started with Configuring NetFlow and NetFlow Data Export"
Tasks for configuring NetFlow to capture and export network traffic data
Tasks for configuring Configuring MPLS Aware NetFlow
Tasks for configuring MPLS egress NetFlow accounting
Tasks for configuring NetFlow input filters
"Using NetFlow Filtering or Sampling to Select the Network Traffic to Track"
Tasks for configuring Random Sampled NetFlow
"Using NetFlow Filtering or Sampling to Select the Network Traffic to Track"
Tasks for configuring NetFlow aggregation caches
Tasks for configuring NetFlow BGP next hop support
"Configuring NetFlow BGP Next Hop Support for Accounting and Analysis"
Tasks for configuring NetFlow multicast support
Tasks for configuring NetFlow Reliable Export With SCTP
Tasks for configuring NetFlow Layer 2 and Security Monitoring Exports
Tasks for configuring the SNMP NetFlow MIB
"Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data"
Tasks for configuring the NetFlow MIB and Top Talkers feature
"Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands"
Information for installing, starting, and configuring the CNS NetFlow Collection Engine
Standards
MIBs
RFCs
Technical Assistance
Feature Information for Detecting and Analyzing Network Threats With NetFlow
Table 11 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Releases12.2(1) or 12.0(3)S or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for a specific command was introduced, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the Cisco IOS NetFlow Features Roadmap.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 11 Feature Information for NetFlow Layer 2 and Security Monitoring Exports
NetFlow Layer 2 and Security Monitoring Exports
12.3(14)T
The NetFlow Layer 2 and Security Monitoring Exports feature enables the capture of values from fields in Layer 3 and Layer 2 of IP traffic for accounting and security analysis.
The following sections provide information about this feature:
•
•
•
The following commands were modified by this feature: ip flow-capture, ip flow-export and show ip cache verbose flow.
Support for capturing the value from the fragment offset field of IP headers added to NetFlow Layer 2 and Security Monitoring Exports1
12.4(2)T
The fragment-offset keyword for the ip flow-capture command enables capturing the value of the IP fragment offset field from the first fragmented IP datagram in a flow.
NetFlow Top Talkers
12.3(11)T,
12.2(25)S
This document references the Top Talkers feature from the NetFlow MIB and Top Talkers feature documentation.
Please refer to Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands for complete information on using this feature.
Top Talkers uses NetFlow functionality to obtain information regarding heaviest traffic patterns and most-used applications in the network.
The following sections provide information about this feature:
•
The following commands were introduced by this feature: cache-timeout, ip flow-top-talkers, match, show ip flow top-talkers, sort-by, and top.
NetFlow Dynamic Top Talkers CLI
12.4(4)T
The NetFlow Dynamic Top Talkers CLI allows you to se an overview of the traffic characteristics on your router by aggregating flows based on the fields such as source IP address, destination prefix, and so forth.
The following sections provide information about this feature:
•
•
•
•
NetFlow Input Filters
12.3(4)T, 12.2(25)S
This document references the NetFlow Input Filters feature from the NetFlow Filtering and Sampling feature documentation.
Refer to Using NetFlow Filtering or Sampling to Select the Network Traffic to Track for complete information on using this feature.
The following sections provide information about this feature:
•
Random Sampled NetFlow
12.3(4)T, 12.2(18)S, 12.0(26)S
This document references the Random Sampled NetFlow feature from the NetFlow Filtering and Sampling feature documentation.
Refer to Using NetFlow Filtering or Sampling to Select the Network Traffic to Track for complete information on using this feature.
The following sections provide information about this feature:
1 This is a minor enhancement. Minor enhancements are not typically listed in Feature Navigator.
Glossary
data flowset—A collection of data records that are grouped in an export packet.
export packet—A type of packet built by a device (for example, a router) with NetFlow services enabled. The packet is addressed to another device (for example, the NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information about IP flows).
flow—A set of packets with the same source IP address, destination IP address, protocol, source/destination ports, and type-of-service, and the same interface on which flow is monitored. Ingress flows are associated with the input interface, and egress flows are associated with the output interface.
flowset—A collection of flow records that follow the packet header in an export packet. A flowset contains information that must be parsed and interpreted by the NetFlow Collection Engine. There are two types of flowsets: template flowsets and data flowsets. An export packet contains one or more flowsets, and both template and data flowsets can be mixed in the same export packet.
NetFlow—Cisco IOS accounting feature that maintains per-flow information.
NetFlow Aggregation—A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.
NetFlow Collection Engine (formerly NetFlow FlowCollector)—Cisco application that is used with NetFlow on Cisco routers and Catalyst series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.
NetFlow v9—NetFlow export format Version 9. A flexible and extensible means of carrying NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
template—Describes the layout of a data flowset.
template flowset—A collection of template records that are grouped in an export packet.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.
