Correlating NetFlow Data for Proactive Security: Network Notoriety

January 18, 2012 - 5 Comments


In this short article the reader will first learn what NetFlow is and how it works. Next the reader will understand how it can be as an important security tool. Finally, a technique for correlating NetFlow results with public sources of Internet reputation, along with the tool “Netoriety,” which implements the technique, will be introduced and explained.

Ok, I’m here, now give me the quick version — what is NetFlow?

NetFlow is a UDP-exported network profiling protocol originally developed by Cisco Systems in 1996. It enables participating devices (typically routers and switches) to report telemetry data on the network traffic flowing through them (such a device is called a NetFlow exporter). This data is sent to a downstream machine, called a NetFlow Collector:

The data can then be collated, sorted, analyzed, trended, and so on. The most widely deployed version of NetFlow, version 5, offers the capability to track the following flow data (the traditional Cisco 7-tuple is highlighted in blue):

NetFlow version 9 introduced much more power with the capability to dynamically change the packet format using templates and match on just about anything using Flexible NetFlow.

If packet capture can be thought of as a wiretap, NetFlow can be considered the phone bill. NetFlow allows the Network Administrator and Security Practitioner to determine:

  • Who is talking to who
  • Over what ports (or protocols)
  • For how long
  • At what speed

It is obvious this sort of data can be useful in spades for organizations that need to do traffic shaping, profiling, and metering. We will see that it is also useful to add additional layers of network security.

I’m slightly interested, but why is NetFlow important to the security of my network?

By vastly increasing the awareness of what is going on in a network, the security-related benefits of NetFlow are numerous. Some of these include:

  • The Everything’s OK Alarm: NetFlow can be used to record a baseline traffic snapshot that meets your site’s policy guidelines. Subsequently, if something deviates from that norm, your NetFlow collector can alert you about the problem and give you details on the machine causing it.
  • Data Mining for Misuse: NetFlow flows, when aggregated, can provide an excellent target for data mining. Suspicious, unusual, or even illegal behaviors can be tracked and trended.
  • Detecting Denial of Service attacks: Companies like Arbor Networks use NetFlow to power their Distributed Denial of Service detection and prevention tool, Pravail.
  • Incident Response: NetFlow excels at providing audit and actuarial data for security incidents. For example, if a Cisco IPS fires on a malevolent packet, NetFlow data can provided much needed context on the flow or flows that precede, contain, and follow the attack.

You make some good points, but how can I extend NetFlow’s abilities?

The Internet isn’t all cake, parties, rocket ships, and dinosaurs. As you know, it also has its share of seedy villains and outright evildoers; the kinds of folks you just don’t want anything to do with: spammers, botnet command-and-control hosts, worm- and malware-infected hosts, porn and warez hosting sites, and so on. If this type of traffic was traversing your network, you’d probably want to know about it right away. We’ve learned that NetFlow can tell us who is talking to who across our network, but how can we tell if either who is a bad actor? By checking the reputation of the IP addresses at both ends of the conversation.

IP-Based Reputation

All Internet traffic must originate from an IP address. For malevolent traffic, if it can be sourced, it can be tracked (yes, we are turning a blind eye to the vagaries of IP spoofing and attackers hiding behind proxies). There are a plethora of organizations that use various criteria and methods to rank, rate, and score IP addresses with respect to how “notorious” they are. More specifically, if a given IP address is known to be that of a spammer or a part of a botnet army it can be flagged in one of the ill repute databases, often with a numeric score contextual to the rating system. For example, Cisco’s IronPort uses an integral system from -10 for the worst offenders to +10 for the most angelic. Another vendor, ReputationAuthority has a slick interface for querying individual IP addresses against their reputation database. There are many open source variants as well, such as SpamRats, SpamCop, and Spamhaus.

Since these databases are all keyed on IP address, NetFlow data can be correlated against them and subsequent malicious traffic patterns can be observed, blocked, or flagged for further action. This is NetFlow Correlation.


Netoriety (amalgamation of network and notoriety) is a proof-of-concept tool built by Cisco’s Applied Security Research team to demonstrate the concept of NetFlow Correlation. It is designed to work as a special NetFlow collector that issues alerts if it detects any traffic flows of contemptuous reputation. The central component of Netoriety is its bad actor database. This is a Kyoto Cabinet-based key/value store (built using a separate tool) designed to work with any IP reputation database that keys off of v4 IP address. Additionally, if reputation scores are available, Netoriety can optionally be configured to trigger an alert if a tunable threshold is met.

To the NetFlow exporter, Netoriety looks and acts like any old NetFlow collector. The flow of control is shown below:

Currently, when a match is found in its database, Netoriety can issue console- and syslog-based alerts on the localhost, and XML-based alerts to a remote host. SNMP trap functionality is planned.

Netoriety Internals

Netoriety is C-based NetFlow collector written for Unix-like operating systems. It is built on top of the following open source libraries:

Each entry in the bad actor database is of the following structure:
struct internet_bad_actor_record
    uint32_t ip;                    /* ip address (mandatory) */
    uint16_t type;                  /* type of bad actor (optional) */
#define REP_REPUTATION     0x0001   /* has reputation score */
#define REP_BOT            0x0002   /* botnet host */
#define REP_IRCBOT         0x0004   /* irc bot */
#define REP_CONFICKER      0x0008   /* conficker host */
#define REP_ROUTER         0x0010   /* router */
#define REP_PROXY          0x0020   /* proxy */
#define REP_DARKNET        0x0040   /* darknet */
#define REP_WAREZ          0x0080   /* host known to traffic warez */
#define REP_UNKNOWN        0x0000   /* uncategorized or unknown bad actor */
    int8_t reputation;              /* reputation score (optional) */
#define REP_REPUNKNOWN     0xb0     /* hopefully this won't be used */
    uint8_t action;                 /* recommended action (optional) */
#define REP_ACTION_DROP    0x01     /* recommended action: should drop */
#define REP_ACTION_MONITOR 0x02     /* recommended action: should monitor */
#define REP_ACTION_BLOCK   0x04     /* recommended action: should block */
    uint8_t source;                 /* source of data (optional) */
#define REP_SRC_PRIVATE    0x01     /* private or unlisted source */
#define REP_SRC_CISCOIBRS  0x02     /* Cisco IBRS */
    time_t timestamp;               /* timestamp (optional) */
    char comments[80];              /* short textual comments (optional) */
typedef struct internet_bad_actor_record bad_actor_t;


Netoriety Console

Netoriety is a real-time application. It multiplexes across the network and the keyboard to look for input to act upon. For example, if the user presses ‘c’ to bring up the console, the following screen will pop up and give some situational and statistical information:

|                            Netoriety console                            |
|local time:                    Fri Dec 16 14:13:47 2011
|uptime:                        196 days 1 hour 2 minutes 37 seconds
|listening at:                  any UDP/9995
|process ID:                    27000
|bad actor db:                  ../netoriety-db/bad_actor.kch
|alert modules active:          console XML
|XML alert host at:    UDP/9999
|logging disposition:           debug
|flows   (v5):                  92513136
|flows   (v9):                  0
|packets (v5):                  3160575
|packets (v9):                  0
|bad actors:                    8054
|bots:                          0
|irc bots:                      188
|conficker:                     7868
|router:                        0
|proxy:                         0
|darknet:                       0
|warez:                         0
|unknown:                       0
|octets read:                   4516484328
|db hits:                       8054
|db misses:                     185018218
|alerts sent:                   7942


Netoriety XML Alert

If so configured, Netoriety can issue XML alerts over UDP to a host. These alerts can be used by the administrator to take action based on Netoriety’s recommendation (“recommended action”), or just logged for later use. While there is currently no schema exists, the basic alert structure is shown below:


type=“start”>2011-12-16 11:55:45</Timestamp>
type=“end”>2011-12-16 11:56:00</Timestamp>

                    <Type number=“6”>tcp</Type>


                <Address type=“source”>mmm.mmm.mmm.mmm</Address>
code=“5”>drop, block</RecommendedAction>
type=“source”>2011-03-31 04:10:59</Timestamp>
srcport: 45166; destaddr: fff.fff.fff.fff</Comments>




I trust you’ve found this article a bit interesting, if not somewhat life-changing. We’ve learned how to extend NetFlow from issuing telemetry data to providing an additional layer of security comfort. Finally, to answer the burning question of where and when you can get your fingers on the code, at the time of this writing, Netoriety is currently an under development prototype project and is not available for public download. If you need a tool to play with, NFDUMP is an open source package containing many easy to use NetFlow related tools. Until next time, my friends.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. The combination of edge to core visibility (That Netflow can provide) and a heuristics engine to help make sense of it all is a powerful way to enhance your layered security strategy.

  2. My First On the job training in 1999, I discovered Netflow by just searching in…I downloaded a trial collector and configure my work router from Collins & Leahy…and never looked back ever since…I love netflow….its just getting better

  3. This is great Netflow.

  4. thanks sir

    i prepare now to CCNP SEC , really I benefited greatly from this article

  5. Thanks for the post! I know a few people I will be passing this link to.