Welcome to SolarWinds blog series “Diving Deeper with NetFlow – Tips and Tricks”. This is the second part of the 6 part series where you can learn new tips by understanding more about NetFlow and some use cases for effective network monitoring.


 

In the previous blog, we had discussed about NetFlow and its uses in troubleshooting network issues, and maintaining organizations network uptime. In this blog we will throw some light on Network Anomaly Detection and how NetFlow helps Network Administrators analyze and monitor network traffic in a precise way.

 

 

 

Many of the biggest threats to enterprise networks today are related to breach of network. Enterprises of all sizes are facing unique network related issues related to Malware attacks, Distributed Denial of Service (DDoS), and new applications all of which can be hard to detect.  Network Administrators can use NetFlow and other flow technologies to monitor and detect abnormal network traffic patterns that may be a sign of these threats.


 

What can cause a Network Anomaly?

 

Two common ways that a network anomaly can be introduced are through telecommuting and Bring Your Own Device (BYOD).  Both increase the risk of malware being introduced directly into your network after having been infected through an external source. Additionally, your network could be hosting a bot that was introduced through one of these sources.


Network Anomaly Detection

 

In an enterprise network, administrators normally try to secure their network by having an Intrusion Detection/Prevention System (IDS/IPS) which collects data and operates on signatures to identify threats while routers and the firewalls  work based on access control rules defined by users. If there is a zero-day malware that enters your network, it can be very hard to detect an anomaly by routers, firewalls or even your IDP/IPS systems. A bot, hosted on your network, won’t be detected through firewalls or IDS or IPS because they track only the inbound traffic. A more expensive alternative is to use a non-signature IDS/IPS system.

 

 

Finding out an anomaly in your network can be difficult, but there are the symptoms such as sudden network traffic drop, network traffic behaves off-baseline, unusual peaks, traffic abnormally focused on certain parts of network/ports, and new applications hogging most of the bandwidth or generating abnormal traffic patterns. Some peculiar cases are High SMTP traffic, Short burst of packets, one host to many on same ports, Traffic on unknown ports, too many TCP SYN flags.

 

 

 

By collecting flow data and analyzing the traffic patterns and unexpected traffic behavior, the network administrators can detect anomalous traffic. By investigating and isolating excessive network bandwidth utilization and unexpected application traffic, network administrators can find out and prevent network anomalies. By diagnosing specific time periods in the NetFlow records you can find what happened during the outage. By using NetFlow analyzer, you can understand more about the abnormalities and maintain an effective network.

 

 

 

To learn more about NetFlow, check out our NetFlow V9 Datagram Knowledge Series.

 

 

 

Watch the entire ‘Diving Deeper with NetFlow – Tips and Tricks’ webcast here and become an expert in understanding and implementing NetFlow in your enterprise networks.