Will Exporting Netflow Impact My Device?

One question I hear all the time is “If I enable the exporting of Netflow on my router or switch, will it impact performance?” Yes, it will, but usually not by enough to discourage you from including Netflow datagrams in your network analysis plans.

According to this document, released by Cisco, if you have…

  • 10000 (ten thousand) active flows in the cache you can expect no more than a 4% increase in CPU utilization.
  • 45000 (forty-five thousand) active flows in the cache you can expect no more than a 12% increase in CPU utilization.
  • 65000 (sixty-five thousand) active flows in the cache you can expect no more than a 16% increase in CPU utilization.

Also, sampled Netflow will significantly decrease CPU utilization on the router. According to Cisco:

On average sampled NetFlow 1:1000 packets will reduce CPU by 82% and 1:100 sampling packets reduce CPU by 75% on software platforms. The conclusion is sampled NetFlow is a significant factor in reducing CPU utilization.

That being said, sampling Netflow won’t give you the whole picture, just a tiny piece of the flow puzzle.
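As an added example (not from the original post or from Cisco), here is a small parser for a NetFlow v5 export datagram that reads the sampling interval from the header and scales each flow's packet and byte counts back up to an estimate, which is the step a collector has to take once sampled NetFlow is enabled. The datagram it parses is constructed inline, and the function names and dictionary keys are my own.

```python
import socket
import struct

# NetFlow v5 layout, network byte order: 24-byte header, 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 export datagram into header fields plus records.
    The header's sampling_interval field carries two mode bits followed by a
    14-bit interval (0 = unsampled). A sampled exporter only counts 1 in N
    packets, so packet/byte counts are scaled by N to estimate real traffic."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, seq, _eng_type, _eng_id,
     sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    interval = (sampling & 0x3FFF) or 1
    records = []
    for i in range(count):
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das, _smask,
         _dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "packets": pkts, "bytes": octets,   # counts as exported
            "est_packets": pkts * interval,     # scaled by sampling interval
            "est_bytes": octets * interval,
        })
    return {"flow_sequence": seq, "sampling_interval": interval,
            "records": records}

def build_sample_datagram(sampling_interval: int) -> bytes:
    """Constructed input (not a real capture): two flows as a router running
    1:N sampled NetFlow would export them; the header mode bits are set to 01."""
    header = V5_HEADER.pack(5, 2, 123456, 1218758400, 0, 42, 0, 0,
                            (1 << 14) | sampling_interval)
    def flow(src, dst, pkts, octets, sport, dport, proto):
        return V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0", 1, 2,
            pkts, octets, 100, 200, sport, dport, 0, 0x18 if proto == 6 else 0,
            proto, 0, 0, 0, 24, 24, 0)
    return (header + flow("192.0.2.10", "198.51.100.5", 3, 1800, 51234, 80, 6)
            + flow("192.0.2.11", "198.51.100.5", 1, 64, 53, 53, 17))
```

With 1:100 sampling the first flow's 3 sampled packets and 1800 bytes come out as an estimate of 300 packets and 180000 bytes; the sampled values are still only an estimate of the flow, not a record of it.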

More information can be found here and here.

links for 2008-08-15

Cyberwar or Media Hype?

Note – I am not taking sides in the Georgia/Russia conflict as I think the governments on both sides are equally acting like children.

In reading this article entitled How I became a soldier in the Georgia-Russia cyberwar, I started thinking about the validity of so-called Cyber Warfare. Is it media hype because it’s the new sexy topic to discuss (i.e. the new generation’s Cold War) or is it actually happening? We truly haven’t seen concrete results from either camp and I’m not sure if we ever will (*cough* WMDs *cough*).

The article describes how easy it was for the author to find out how to attack the Internet infrastructure of a foreign nation. (I won’t even touch the topic of someone downloading a webpage and accessing it on their system – that’s another article entirely). From the article:

Not knowing exactly how to sign up for a cyberwar, I started with an extensive survey of the Russian blogosphere. My first anonymous mentor, as I learned from this blog post, became frustrated with the complexity of other cyberwarfare techniques used in this campaign and developed a simpler and lighter “for dummies” alternative. All I needed to do was to save a copy of a certain Web page to my hard drive and then open it in my browser. I was warned that the page wouldn’t work with Internet Explorer but did well with Firefox and Opera. (Get with the program, Microsoft!) Once accessed, the page would load thumbnailed versions of a dozen key Georgian Web sites in a single window. All I had to do was set the page to automatically update every three to five seconds. Voilà: My browser was now sending thousands of queries to the most important Georgian sites, helping to overload them, and it had taken me only two to three minutes to set up.

Now this really made me think. If there is a Cyber War going on in Georgia, how can we be certain that the attacks originate from Russia and not sympathetic expatriates in the Western hemisphere? How can we be sure that the attackers are not opportunistic attackers looking to exploit an attack vector that will be blamed on an entire nation? How can we be sure that the Georgian army isn’t taking their own infrastructure offline in order to draw sympathy to their cause?

From the article:

In less than an hour, I had become an Internet soldier. I didn’t receive any calls from Kremlin operatives; nor did I have to buy a Web server or modify my computer in any significant way. If what I was doing was cyberwarfare, I have some concerns about the number of child soldiers who may just find it too fun and accessible to resist.

The bottom line is that we can’t be sure of any of these issues without extensive network and system monitoring. I’m not talking about watching the traffic and logs for one or two sites, but rather a city-/region-/country-/nation-wide monitoring infrastructure with centralized consolidation of information for trending and situational awareness. This type of infrastructure allows nations to detect probing of their infrastructure (a.k.a. reconnaissance), help determine the source of the attackers (a.k.a. intelligence), and ultimately help mitigate the attack (a.k.a. digging in).
