[gnso-ff-pdp-may08] Improving network visibility/netflow
- To: gnso-ff-pdp-May08@xxxxxxxxx
- Subject: [gnso-ff-pdp-may08] Improving network visibility/netflow
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 6 May 2009 08:45:23 -0700
So during today's call the issue of what it means to "improve
an ISP's network visibility" came up, and I promised to send along verbiage.
Here it is...
>> The Issue
Many ISPs (including those being abused by malicious fast flux
networks) are effectively operating their networks "blind."
That is, they do not have the technical ability to determine
what traffic is flowing over their networks, and that includes
things like traffic to or from botted hosts being used as fast
flux nodes.
Moreover, if they learn from *external sources* that they have
botted users, they don't have the technical ability to confirm
those reports, nor the ability to "look upstream" to see who's
feeding/using their botted/fast flux nodes.
This is not true for all or even most networks. Most networks DO
collect network flow data, normally known as "netflow" or "sflow"
data. Netflow is NOT a full packet capture. Netflow only records:
-- the source IP address
-- the destination IP address
-- the source port
-- the destination port
-- the IP protocol
-- the number of bytes transferred
-- the elapsed time
and some other stuff that's less commonly used; it does not look
at packet contents.
If you routinely collect netflow data, and you have a customer who's
being abused as a fast flux node, you can see the backend connections
that are being made to that fast flux node from the upstream fast flux
"mothership" and by doing that you can take appropriate action to
protect not just that one host, but all nodes on your network.
>> So What's the Best Common Practice/Recommendation?
"ISPs should be doing netflow/sflow so they have the technical capacity
to identify and investigate botted hosts, such as fast flux network
nodes, on their network."
Regards,
Joe
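The investigative use described in the message, as an added example that is not part of the original post: a small analysis over constructed netflow-style records (only the fields the message lists), which ranks the remote hosts connecting to a customer host reported as a fast flux node and then checks which other local hosts those same remotes reach. The `Flow` record, sample addresses and function names are assumptions made for the example.

```python
# Added example, not from the original message: a small analysis over
# constructed netflow-style records using only the fields listed above.
# Given a customer host reported as a fast flux node, it ranks the remote
# hosts that connect TO it (upstream candidates) and then checks which
# other local hosts those same remotes reach, so one external report can
# be confirmed from the ISP's own data and extended to the whole network.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    nbytes: int       # bytes transferred
    duration_s: float # elapsed time of the flow

# Constructed records; 203.0.113.0/24 stands in for the ISP's customer space.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.45", 40123, 80, 6, 1_200, 0.4),
    Flow("192.0.2.99", "203.0.113.45", 51000, 8080, 6, 52_000, 120.0),
    Flow("192.0.2.99", "203.0.113.45", 51001, 8080, 6, 48_000, 118.5),
    Flow("203.0.113.45", "192.0.2.99", 33333, 443, 6, 4_000, 12.0),
    Flow("192.0.2.99", "203.0.113.46", 51002, 8080, 6, 51_000, 119.0),
    Flow("198.51.100.8", "203.0.113.60", 40000, 53, 17, 200, 0.0),
]

def inbound_peers(flows, node_ip):
    """Remote hosts that opened connections to node_ip, heaviest by bytes first.
    Returns a list of (peer_ip, {"flows": n, "bytes": total, "dst_ports": set})."""
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0, "dst_ports": set()})
    for f in flows:
        if f.dst_ip != node_ip:
            continue          # only traffic INTO the reported node
        a = agg[f.src_ip]
        a["flows"] += 1
        a["bytes"] += f.nbytes
        a["dst_ports"].add(f.dst_port)
    return sorted(agg.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

def other_local_targets(flows, peer_ip, local_net, exclude_ip):
    """Other hosts inside local_net (CIDR) that the same remote peer talks to:
    the 'protect all nodes, not just one' step from the message."""
    net = ipaddress.ip_network(local_net)
    return sorted({f.dst_ip for f in flows
                   if f.src_ip == peer_ip and f.dst_ip != exclude_ip
                   and ipaddress.ip_address(f.dst_ip) in net})
```

Calling `inbound_peers(SAMPLE_FLOWS, "203.0.113.45")` puts the heavy, long-lived 8080 peer first, and `other_local_targets` on that peer shows it also reaches a second customer host.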