Using sFlow for Security Analytics

Nirav Shah
By | October 08, 2014

Posted in: Network Security Trends , Hosting Provider DDoS Protection

sFlow (sampled flow) is a scalable protocol for statistical monitoring of a network.  When used for security monitoring, it can provide valuable insight for establishing baseline behavior and identifying deviations from the baseline.  Security administrators can be alerted when an anomaly is detected and investigate whether new security policies should be applied.

The charts below are examples of how sFlow is used to detect Distributed Denial of Service (DDoS) attacks.This snapshot shows a SYN flood attack that occurred on a hosting provider between 12 pm and 12:30 pm.  The charts were constructed using sFlow data collected from the Corero SmartWall® Threat Defense System during the attack.  The charts show anomalies in the following three areas:

  • Source and destination IP Addresses

  • Source and destination ports

  • Time To Live (TTL) values and sizes of the packets

Top Charts - sFlow activity during a SYN flood attack - Annotated

First, there is a definite deviation in source and destination IP addresses during the attack.  There is no dominant source IP address, which indicates that a large number of spoofed IP addresses were sending traffic to the victim’s servers during the attack.  Also, these attackers were targeting two specific servers,  indicated by the blue and yellow lines in the “Top Destination IP Addresses” chart.  Note that the destination IP addresses have been anonymized to the private address space  to hide  the identity of the hosting provider.

Second, there are no dominant source and destination ports during the attack.  This indicates that the attack was destined for open firewall ports and was cycling through a large range of source ports, in an attempt to evade any stop gap measures that a security admin could take during an attack.

Finally, TTL values 237, 238, and 239 are dominant during the attack.  This means that while the attacker IP addresses may have been spoofed, the attack was coming from the same location ofthe Internet.  Further, close to 90% of the traffic contained packet sizes of 46 bytes, an indication of a volumetric flood using small packets.  In fact, the packets per second values tripled during the attack.

So, as you can see, using sFlow provides invaluable insight into attacks and threats without having to necessarily configure security policies.  This type of turn-key DDoS analytics enables security administrators to detect anomalies and take corrective action to mitigate any possible threats lurking in their environments.

To learn more about other turn-key DDoS analytics techniques, please check out the “Corero DDoS Analytics App for Splunk” at  Corero is showcasing this app and the Corero SmartWall Threat Defense System at .conf2014 ( from October 6th to October 9th.

You May Also Be Interested In: