Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
NetFlow Or sFlow For Fastest DDoS Detection?
Threaded  |  Newest First  |  Oldest First
theb0x
100%
0%
theb0x,
User Rank: Ninja
1/26/2016 | 1:00:57 PM
NetFlow vs SFlow
My experience with either NetFlow or SFlow has been extremely poor with all the Sonicwall NSA series firewalls. Even the highest model such as the NSA 6600, the statistical data gathered is completely inaccurate in terms of internal or external bandwidth consumption. It is not possible to correct the issue due to lack of complete protocol support in the firmware Dell provides. Sonicwall uses incorrect active timeout packets. Even adjusting this timeout does not correct the issue. This applies to both NetFlow v5 and v9. This is because Sonicwall uses different Netflow9-packets which do not fully comply with the standard of Cisco Netflow 9 packets (for which all sensors are developed for). If you or anyone is looking for a reliable enterprise grade firewall that supports NetFlow or Sflow functionallity, do not use Sonicwall. At just under $20,000 dollars for a Sonicwall NSA 6600...lack of NetFlow support makes it complete garbage.
MikeK103
50%
50%
MikeK103,
User Rank: Apprentice
1/26/2016 | 8:30:06 PM
Re: NetFlow vs SFlow
Sonicwall NSA does not support sFlow or even "netflow". It supports IPFIX, which is the IETF Standard. It is fully compliant with the IPFIX standard. V9 is the precursor to the standard and has been the "de facto standard", but is missing some features like enterprise elements and variable length strings. Initially the exports did not have a proper active timeout, but this has since been remedied in more recent releases. This is NOT a limitation from sonicwall. This is a limitation of the collector you are using. Plixer's Scrutinizer fully supports all Sonicwall IPFIX exports and provides accurate bandwidth and L7 DPI reporting. Any collector that supports their enterprise elements should be accurate. As far as I know, Plixer is the only one with full support... This is the case with many IPFIX exports from other vendors as well. Full disclosure, I work for Plixer. If you have any questions, call Plixer and ask for me "mike k" and I'd be happy to go over it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/27/2016 | 10:31:51 AM
Re: NetFlow vs SFlow
"Sonicwall NSA does not support sFlow or even "netflow". It supports IPFIX, which is the IETF Standard"

Ok. This answers my previous question. Makes sense.
MikeK103
50%
50%
MikeK103,
User Rank: Apprentice
1/26/2016 | 8:30:15 PM
Re: NetFlow vs SFlow
Sonicwall NSA does not support sFlow or even "netflow". It supports IPFIX, which is the IETF Standard. It is fully compliant with the IPFIX standard. V9 is the precursor to the standard and has been the "de facto standard", but is missing some features like enterprise elements and variable length strings. Initially the exports did not have a proper active timeout, but this has since been remedied in more recent releases. This is NOT a limitation from sonicwall. This is a limitation of the collector you are using. Plixer's Scrutinizer fully supports all Sonicwall IPFIX exports and provides accurate bandwidth and L7 DPI reporting. Any collector that supports their enterprise elements should be accurate. As far as I know, Plixer is the only one with full support... This is the case with many IPFIX exports from other vendors as well. Full disclosure, I work for Plixer. If you have any questions, call Plixer and ask for me "mike k" and I'd be happy to go over it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/27/2016 | 10:27:36 AM
Re: NetFlow vs SFlow
"My experience with either NetFlow or SFlow has been extremely poor with all the Sonicwall NSA series firewalls. .." Is this about Sonicwall I wonder?
mduijm
50%
50%
mduijm,
User Rank: Apprentice
1/26/2016 | 1:26:29 PM
Neither of the two for enterprices
My experience with DDOS attacks so far is that the detection of SFLOW or NetFlow + the time to redirect the traffic to a cloud based solution is way too long for the environment to sustain, making the DDOS effective immediatly.


To me an inline DDOS solution that can inspect each and every packet up to the max. bandwidth of the environment is a much better solution. This is fast (< 5 sec. detection and blocking). When the attack becomes bigger then you can think of redirection of traffic into the cloud for mitigation over there. Some DDOS cloud providers now offer API's for on-premise DDOS boxes to send them an alert. Then they can start the redirection of traffic towards the cloud.

My believe this is the way forward for Enterprises and smaller ISP's to move forward. For bigger ISP's and Carriers I guess the above story is true.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/27/2016 | 10:30:29 AM
Re: Neither of the two for enterprices
"To me an inline DDOS solution that can inspect each and every packet up to the max. bandwidth of the environment is a much better solution. .."

That makes sense, what comes to my mind how this would impact the overall network performance.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
1/26/2016 | 11:21:50 PM
SLAC List of Network (both LAN and WAN) Monitoring Tools
I've only ever used Free and Open Source (FOSS) NMTs, and NetFlow and sFlow were never in my list of apps to review.  However, there are a large number of them out there and I highly encourage people seriously researching what is best for them to take a trip to the SLAC (Stanford Linear Accelerator Center) list of Network (both LAN and WAN) Monitoring Tools.  I've referenced this page for years and there is a nicely organized format ordered by year from 1996 to 2015 (as of my last visit) of over a hundred app, most with live links to the project pages.  I can't add the URL here, but if you search Stanford(dot)edu for "Monitoring Tools" you'll quickly find it.

Now, toward the question, I don't have to have used either to have an opinion; just based on experience with many of the soft solutions out there, I knew I wanted something more.  If you are attacking any major network analysis project, in-line monitoring is the only way to go.  Google it for plenty of good information on in-line bandwidth meters and network interface chips.  I've seen maker projects that built inexpensive in-line setups that would serve the purpose functionally, if not attractively!  Remember, full-duplex is ubiquitous...  Spend wisely and your network tap could become your best friend.    
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/27/2016 | 10:37:40 AM
Re: SLAC List of Network (both LAN and WAN) Monitoring Tools
"... you search Stanford(dot)edu for "Monitoring Tools" you'll quickly find it." I like open source option. I just checked it there are two many of them. Is there not any outstanding people use most often than others?
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
1/28/2016 | 10:27:54 AM
Re: SLAC List of Network (both LAN and WAN) Monitoring Tools
I think the value of that list as a general reference is more historical and evolutionary in nature.  For what folks prefer, SANS Institute papers and any one of the reputable security news websites (DR comes to mind) will have a breakdown of what is currently in popular use (or not popular, but recommended by respected InfoSec engineers).
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/27/2016 | 10:25:19 AM
DDoS Detection?
Thanks, nice article, enjoyed reading it. It is sad that all we can talk about detection.


HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the &lt;KEY&gt;MYKEY&lt;/KEY&gt; substring.
CVE-2020-11533
PUBLISHED: 2020-04-04
Ivanti Workspace Control before 10.4.30.0, when SCCM integration is enabled, allows local users to obtain sensitive information (keying material).
CVE-2020-11529
PUBLISHED: 2020-04-04
Common/Grav.php in Grav before 1.6.23 has an Open Redirect.