Sampled NetFlow

From wiki.comcert.com
Revision as of 09:48, 28 November 2020 by Bert (talk | contribs)
Jump to navigation Jump to search

Introduction

NetFlow was designed to process all IP packets on an interface and to report on metrics such as source and destination of traffic, class of service, and the causes of congestion. 

Increasingly higher traffic rates mean higher numbers of NetFlow records and increasing load on exporting device resources.  The increasing number of records may require too much bandwidth when send over the network to the collector.  Therefore, it may become necessary to find a balance between reporting needs and device and network efficiency.  Vendors may recommend or even force the use of Sampled NetFlow on some of their devices.

NetFlow was designed by Cisco in the late 90's and Cisco still owns the term NetFlow.  This artice applies to all varieties of NetFlow that support sampling.  

 

Solution

Bit Rate and Packet Rate Calculation

Compared to SFlow, NetFlow lacks the ability to report metrics such as bit rate (bps) and packet rate (pps) exactly as it is.  A single NetFlow record reports flow duration and a number of metrics such as the number of bytes and packets transferred during that time interval.  The NetFlow reporter calculates to its best abilities bit rate and packet rate based on that information.  Especially with NetFlow Sampling at a rate that is not adapted to the speed of the interface, will compromize the exactitude of that calculation, even when all other precautionary measures such as "active time-out" are being implemented.

 

Sampled NetFlow

A sampling rate of 1 out-of 100 may reduce the exports of NetFlow records by as much as 50%.  You must keep in mind that the collector will only receive a small percentage of the traffic and will use the sampling rate to "inflate" the metrics for # bytes and # packets reported.

 

Impact

Tools for flow-based network analysis are used to monitor and baseline network behavior and increasingly by security teams to detect persistent threats.  Sampling rates that are not adapted to the speed of the interface may lead to inaccurate reporting of quantitative metrics such as bit rate, packet rate and utilization.  It may also lead to some short-lived flows no longer being reported at all.  When security professionals need to go back in time, the flows they want to investigate may no longer be there.

 

Using Sampled NetFlow

  1. The use of Sampled NetFlow instead of "regular" NetFlow will always come at a cost.  Use Sampled NetFlow only if you must.  This could be the case when monitoring a high-speed interface (n x Gbps), limited network capacity or when the device's vendor forces you to use a sampler.
  2. Start at sampling rates 1 out-of tens or 1 out-of hundreds.  Rates lower than 1:100 are seldom acceptable. 
  3. Validate the data reported.  Compare metrics such as bit rate and packet rate against the same metrics obtained by other tools such as SNMP plotters.  You must find a balance between sampling rate and report exactitude.
  4. Please realize that the "raw" flow records database, maintained by some collectors will probably be incomplete.  Your tool may no longer be suitable for forensic flow analysis by the security team.
  5. If device/network efficienty is a concern to you, and SFlow is an option, use SFlow instead of Sampled NetFlow.

 

 

Retrieved from "https://wiki.comcert.com/index.php?title=Sampled_NetFlow&oldid=6769"