DDoS Detection - Netflow Auditor

Using NetFlow Auditor to detect distributed denial of service attacks and other anomalies


Each attack has its own signature and generates both general and specific traffic patterns. Network security analysts and performance engineers need full traffic visibility so they can analyze data from every perspective, identify new kinds of attack signatures, and set up baselines on devices, interfaces, servers or locations that alert when behaviour changes.

NetFlow Auditor's scalable flow collection and flexibility make it suited to a wide range of network usage auditing requirements. The NetFlow Auditor framework has Data Collection Tuning options that allow simultaneous Real-Time and Long-Term data recording. Long-Term recording can be configured to store data in increments of 5, 10, 15, 30 or 60 minutes, and Real-Time data is stored down to the minute for as long as disk space allows. Together these let NetFlow Auditor be used for trending and baselining, so that both short, high-volume attacks and slow, low-rate denial of service or other stealthy attacks that only stand out against a longer baseline can be found.

NetFlow Auditor can perform analysis on any combination of data fields and measurement criteria: usage (bytes), packets, flows, packet size, utilization and record counts. Menu bars, right-click drilldowns, baseline alerting and automated reporting template shortcuts all support rapid analysis of usage, trending patterns, baselines, averages, peaks and troughs, and standard deviations, so that fast and appropriate action can be taken to reroute the packets that fit the attack profile.

NetFlow Auditor provides a number of tools that give the analyst a high degree of visibility:

  • Peer-To-Peer content detection methodologies
  • Packet Size analysis
  • Count analysis
  • Standard Deviation analysis
  • Bi-directional analysis
  • Cross section analysis
  • Custom Group analysis
  • Baselining analysis
  • Percentile analysis
  • QoS analysis

These tools can be used to create multiple perspectives on network data. NetFlow Auditor provides a number of pre-configured forensics but is not limited to these; templates let you extend NetFlow Auditor with your own.

Some of the pre-configured Security Forensics and Network Auditing reports include: Dissemination, DDoS Assessment, Botnet Assessment, TCP Flags, P2P Behavior, Packet Size, Spammy Application, Outlier Application, Unknown Application, Long Active, ICMPv4, IPv4 Multicast, Social Networks, Streaming Video.
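The recording intervals, measurement criteria (flows, packets, bytes, packet size), the Standard Deviation, Baselining and Count tools, and the DDoS Assessment / TCP Flags / Packet Size forensics named above all come together in one workflow: bucket flow records by time, learn a baseline, flag the bucket that breaks it, then break that bucket down per destination. The script below is an added illustration of that workflow written for this page; it is not NetFlow Auditor's own code and does not use its API. The flow records, the 3-sigma threshold, the IP addresses and the `Flow` class are all constructed for the example.

```python
"""Baseline and standard-deviation anomaly detection over per-minute flow buckets,
followed by a per-destination DDoS assessment of any anomalous minute.
Added illustration with constructed records; not NetFlow Auditor's own logic."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# TCP flag bits as carried in the NetFlow v9 TCP_FLAGS field (field type 6).
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    start: int       # epoch seconds of the flow's first packet
    src: str
    dst: str
    dport: int
    proto: int       # 6 = TCP, 17 = UDP
    tcp_flags: int   # OR of all TCP flags seen in the flow
    packets: int
    bytes: int


def bucketize(flows, width=60):
    """Group flows into fixed-width time buckets keyed by bucket start time.
    width=60 mirrors 1-minute real-time recording; 300..3600 the long-term increments."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.start - f.start % width].append(f)
    return dict(sorted(buckets.items()))


def bucket_stats(flows):
    """Per-bucket measurement criteria: flows, packets, bytes and average packet size."""
    pk = sum(f.packets for f in flows)
    by = sum(f.bytes for f in flows)
    return {"flows": len(flows), "packets": pk, "bytes": by,
            "avg_pkt_size": by / pk if pk else 0.0}


def anomalous_buckets(buckets, metric="flows", k=3.0, train=None):
    """Return ([(bucket_start, value), ...], threshold) for buckets whose metric exceeds
    baseline mean + k * population stddev. The baseline is learned from the first
    `train` buckets (default: every bucket except the most recent one)."""
    keys = list(buckets)
    stats = {t: bucket_stats(buckets[t]) for t in keys}
    train = len(keys) - 1 if train is None else train
    history = [stats[t][metric] for t in keys[:train]]
    threshold = mean(history) + k * pstdev(history)
    flagged = [(t, stats[t][metric]) for t in keys if stats[t][metric] > threshold]
    return flagged, threshold


def ddos_assessment(flows):
    """Per-destination view of one bucket: distinct sources, share of TCP flows that
    carry SYN without ACK, and average packet size. Many sources, a high SYN-only
    share and small packets together point to a SYN flood rather than a busy service."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[(f.dst, f.dport)].append(f)
    report = []
    for (dst, dport), fl in per_dst.items():
        tcp = [f for f in fl if f.proto == 6]
        syn_only = sum(1 for f in tcp if (f.tcp_flags & SYN) and not (f.tcp_flags & ACK))
        report.append({"dst": dst, "dport": dport, "flows": len(fl),
                       "sources": len({f.src for f in fl}),
                       "syn_only_ratio": syn_only / len(tcp) if tcp else 0.0,
                       "avg_pkt_size": bucket_stats(fl)["avg_pkt_size"]})
    return sorted(report, key=lambda r: r["sources"], reverse=True)


def sample_flows():
    """Constructed data: five quiet minutes of HTTPS traffic from ten clients (18-24 flows
    per minute), then a minute in which 400 spoofed sources each send one 40-byte SYN
    to 203.0.113.10:443 while the normal clients continue."""
    t0 = 1_700_000_040  # minute-aligned (divisible by 60) so buckets line up exactly
    flows = []
    for minute, n in enumerate([20, 24, 18, 22, 21, 20]):
        for i in range(n):
            flows.append(Flow(t0 + minute * 60 + i, f"198.51.100.{i % 10 + 1}",
                              "203.0.113.10", 443, 6, SYN | ACK, 40, 32000))
    t_attack = t0 + 5 * 60
    for i in range(400):
        flows.append(Flow(t_attack + i % 60, f"100.64.{i // 256}.{i % 256}",
                          "203.0.113.10", 443, 6, SYN, 1, 40))
    return flows


if __name__ == "__main__":
    buckets = bucketize(sample_flows())
    flagged, threshold = anomalous_buckets(buckets)
    print(f"baseline threshold (mean + 3 sigma) = {threshold:.1f} flows/min")
    for t, value in flagged:
        print(f"anomalous minute starting {t}: {value} flows")
        for row in ddos_assessment(buckets[t])[:3]:
            print("  ", row)
```

On the constructed data the quiet minutes give a baseline of 21 flows/minute with a standard deviation of 2, so the threshold is 27 and the attack minute (420 flows, 410 distinct sources, 95% SYN-only) is flagged. Running the same baseline on the `bytes` metric flags nothing: the flood adds only 16 kB to a minute that normally carries 640 kB, which is why the page's point about analysing several measurement criteria (flows and packet counts, not just usage) matters for SYN-style attacks.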

NetFlow version 9, originally defined by Cisco Systems and documented in RFC 3954, is an IP flow based traffic accounting protocol used to support applications such as usage-based billing, traffic analysis, capacity planning and network behaviour anomaly detection. It is template based: the exporter periodically sends Template FlowSets that describe the field layout, and the collector decodes Data FlowSets against them. It is the basis for the IPFIX (IP Flow Information Export) protocol, RFC 7011.
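To make the template mechanism concrete, here is an added, minimal NetFlow v9 export-packet parser written for this page (it is not NetFlow Auditor's collector and does not show how that product decodes flows). It parses the 20-byte packet header, caches Template FlowSets per (source ID, template ID) and decodes Data FlowSets against the cache; the sample template and the two flow records are constructed, as are the addresses. The field type numbers and packet layout are those of RFC 3954.

```python
"""Minimal NetFlow v9 (RFC 3954) export-packet parser: reads the 20-byte header,
caches Template FlowSets per (source_id, template_id) and decodes Data FlowSets
against them. Added illustration with a constructed packet, not NetFlow Auditor code."""
import ipaddress
import struct

# Field type numbers from RFC 3954 section 8 (subset).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT",
               12: "IPV4_DST_ADDR", 15: "IPV4_NEXT_HOP", 21: "LAST_SWITCHED",
               22: "FIRST_SWITCHED"}
IPV4_FIELDS = {8, 12, 15}


def decode_field(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Return (records, templates). `templates` must be carried from packet to packet:
    an exporter sends templates only periodically, so a Data FlowSet whose template has
    not been seen yet cannot be decoded and is skipped rather than guessed at."""
    templates = {} if templates is None else templates
    if len(packet) < 20:
        raise ValueError("truncated header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length")   # untrusted input: never loop forever
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                                # Template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256 or pos + 4 + 4 * nfields > len(body):
                    break                             # padding or truncated template
                fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                          for i in range(nfields)]
                templates[(source_id, tid)] = fields
                pos += 4 + 4 * nfields
        elif fs_id >= 256:                            # Data FlowSet
            fields = templates.get((source_id, fs_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # fs_id == 1 (Options Template) and other ids below 256 are ignored here.
        offset += fs_len
    return records, templates


def build_sample_packets():
    """Constructed exporter output: a template packet (template 256) and a data packet
    holding two flows, one ordinary HTTPS session and one single-packet 40-byte SYN."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, flags, pkts, nbytes):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBBII", sport, dport, proto, flags, pkts, nbytes))

    data = (rec("198.51.100.7", "203.0.113.10", 51514, 443, 6, 0x1b, 42, 31337)
            + rec("100.64.3.9", "203.0.113.10", 4444, 443, 6, 0x02, 1, 40))
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data  # 48 bytes, already 4-byte aligned

    def header(nrecords, seq):
        # version, record count, sysUptime, unix secs, sequence number, source ID
        return struct.pack("!HHIIII", 9, nrecords, 123456, 1_700_000_040, seq, 0)

    return header(1, 1) + tmpl_fs, header(2, 2) + data_fs


if __name__ == "__main__":
    tmpl_pkt, data_pkt = build_sample_packets()
    cache = {}
    early, cache = parse_v9(data_pkt, cache)      # data before template: nothing decodable
    parse_v9(tmpl_pkt, cache)
    decoded, _ = parse_v9(data_pkt, cache)
    print(len(early), "records before the template arrived,", len(decoded), "after")
    for r in decoded:
        print(r)
```

The `__main__` section deliberately feeds the data packet first: until the template has been seen the parser returns no records, which is the same gap a collector shows right after startup or after an exporter restart, and the reason collectors keep a per-exporter template cache.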

NetFlow Auditor supports Cisco NetFlow versions v5, v7 and v9, IPFIX, sFlow, jFlow, NetStream, VMware and Flexible NetFlow.

NetFlow Auditor enables complete IPv6 Business Groupings. This means that IPv6 flow records are fully supported across all NetFlow Auditor analytics: usage billing, 95th percentile billing, network anomaly detection, report scheduling, alerting, user portals and more.

Is this everything you want from a NetFlow analyzer? Simply download and register here and see for yourself why NetFlow Auditor scales well beyond any other NetFlow analyzer.