RE: [Flow-tools] Strange Router Export Issue


Subject: RE: [Flow-tools] Strange Router Export Issue
From: Robert S. Galloway (securityguy@ikano.com)
Date: Fri May 20 2005 - 11:11:59 CDT

There are definitely very few inactive flows, 17 compared to 65519 active.
I'm already running the active timeout at 1 minute. Is there any way to
increase the available cache?

Robert

"You have enemies? Good. That means you've stood up for something,
some time in your life." -- Winston Churchill

From: Adam Powers [mailto:apowers@lancope.com] 
Sent: Thursday, May 19, 2005 6:25 PM
To: Robert S. Galloway; flow-tools@splintered.net;
flowscan@net.doit.wisc.edu; cuflow-users@columbia.edu
Subject: Re: [Flow-tools] Strange Router Export Issue

Check the cache size/health on the 7206. A DoS with small packets sent at
high rates from random sources to random destinations will cause the cache
on the 7206 to thrash, resulting in a large number of new flows without an
obvious shift in traffic characteristics.

Do a "sh ip cache flow" and see how many inactive flows you have. If you
have none or very few, the cache is probably full. This will force the 7206
to unnaturally expire flows before the inactive/active timeouts. Generally
not a good thing. You can try lowering the active timeout a bit. I usually
recommend 5 minutes by default.

You can also try checking other things like the invalidation rate for cache
ager polls.

On 5/19/05 12:45 PM, "Robert S. Galloway" <securityguy@ikano.com> wrote:

Howdy everyone,

I've got a strange issue that is just perplexing me. Basically here's my
setup:

I've got two 7513's and one 7206. Each has one internet DS-3. The 7513's
also support other customer connections, but the 7206 is just the DS-3.

Starting a couple of days ago, the 7206 started sending HUGE numbers (10x
normal) of flows to my flow-collector. I've dug into the raw flow files and
I just don't see anything strange. All three routers carry about the same
traffic load according to bandwidth, but the flows are out of the ball park
for the 7206. It's almost like the router is counting traffic multiple
times, but the config didn't change when this started.

Anyone have any ideas on where I should look?

Thanks,

Robert S. Galloway
Chief Network Security Engineer
IKANO Communications
Network Operations Department
...the team behind the machines
securityguy_AT_ikano.com
801-415-8089

_______________________________________________
Flow-tools mailing list
flow-tools@splintered.net
http://mailman.splintered.net/mailman/listinfo/flow-tools

-- 

Adam Powers
Director of Technology
Lancope, Inc.
c. 678.725.1028
f. 770.225.6501
e. apowers@lancope.com

StealthWatch by Lancope - Security Through Network Intelligence™
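The check Adam describes, scripted as an added example (not code from any of the posters): parse the summary counters of "sh ip cache flow" and flag a cache with almost no inactive (free) entries, the condition that makes the router expire flows early and flood the collector. The line layout of the command output and the sample counters are constructed from the figures in the thread and are assumptions, not captured router output.

```python
import re

# Constructed samples in the shape of the "show ip cache flow" summary block.
# The line layout is an assumption; the counters mirror the thread's figures
# (65519 active / 17 inactive on the 7206) plus a healthy router for contrast.
THRASHING = """\
IP Flow Switching Cache, 4456704 bytes
  65519 active, 17 inactive, 91827364 added
  123456789 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
"""
HEALTHY = """\
IP Flow Switching Cache, 4456704 bytes
  11204 active, 54332 inactive, 4321098 added
  98765432 ager polls, 0 flow alloc failures
  Active flows timeout in 5 minutes
  Inactive flows timeout in 15 seconds
"""

CACHE_RE = re.compile(r"^\s*(\d+) active, (\d+) inactive, (\d+) added", re.M)
FAIL_RE = re.compile(r"(\d+) flow alloc failures")
TIMEOUT_RE = re.compile(r"Active flows timeout in (\d+) minutes")

def parse_cache_flow(text):
    """Pull the counters that matter for cache health out of the summary."""
    m = CACHE_RE.search(text)
    if not m:
        raise ValueError("cache summary line not found")
    active, inactive, added = (int(g) for g in m.groups())
    fails = FAIL_RE.search(text)
    timeout = TIMEOUT_RE.search(text)
    return {
        "active": active,
        "inactive": inactive,           # free slots left in the cache
        "added": added,
        "capacity": active + inactive,  # every slot is either active or inactive
        "alloc_failures": int(fails.group(1)) if fails else 0,
        "active_timeout_min": int(timeout.group(1)) if timeout else None,
    }

def assess_cache(stats, min_free_ratio=0.05):
    """Return 'FULL' when fewer free slots than the threshold remain (or the
    router has already failed to allocate entries), else 'OK'. A full cache
    is what forces early expiry and the 10x flow burst seen at the collector."""
    free_ratio = stats["inactive"] / stats["capacity"]
    if stats["alloc_failures"] > 0 or free_ratio < min_free_ratio:
        return "FULL"
    return "OK"
```

Running it against periodic captures of the command output gives a simple trend line for when the 7206 tips into thrashing, independent of what the collector sees.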

This archive was generated by hypermail 2b25 : Fri May 20 2005 - 11:16:48 CDT