IP Cache Flow - Find Abusive Hosts

Posted on in Networking

If you're on a router that handles a lot of traffic, finding the source (or destination) of abusive hosts can be problematic. The output from show ip cache flow can be extremely long, and finding anything useful in it can take a very long time. The following IOS regular expressions (regexes?) help you pick out the flows that are generating a lot of packets:

show ip cache flow | inc M$
show ip cache flow | inc K$

The first command finds flows that have involved millions of packets (the Pkts column ends in M); the second finds flows that have involved thousands of packets (the Pkts column ends in K). These commands can be useful for discovering the source or destination of a Denial of Service (DoS) attack. Obviously, they don't help much with a Distributed Denial of Service (DDoS) attack involving many different source hosts and many different flows, since no single flow stands out. In the DDoS case, a wc equivalent that counts flows per destination would probably be more useful...
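To do the same filtering, plus the flow-counting "wc equivalent", off-box, here is an added Python example (not part of the original post) that parses captured show ip cache flow output. The column layout in the regex and the sample lines are constructed assumptions; adjust the regex if your IOS release prints the table differently.

```python
import re
from collections import Counter

# Constructed sample mimicking the flow table of `show ip cache flow`.
# The column layout is an assumption, not captured router output.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         198.51.100.7    Gi0/2         203.0.113.10    11 0035 1F40    3M
Gi0/1         198.51.100.8    Gi0/2         203.0.113.10    06 0050 C21A  512K
Gi0/1         198.51.100.9    Gi0/2         203.0.113.10    06 0050 A11B  480K
Gi0/1         192.0.2.44      Gi0/2         203.0.113.22    06 01BB 8F12     7
Gi0/1         192.0.2.45      Gi0/2         203.0.113.10    01 0000 0800  2.1K
"""

# One flow line: interfaces, addresses, hex protocol/ports, abbreviated packet count.
FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>[\d.]+)\s+(?P<dstif>\S+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>[\d.]+[KM]?)\s*$"
)
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000}

def parse_pkts(text):
    """Expand an abbreviated packet count such as '512K' or '3M' to an integer."""
    m = re.fullmatch(r"([\d.]+)([KM]?)", text)
    if not m:
        raise ValueError(f"unrecognised packet count: {text!r}")
    return int(float(m.group(1)) * SUFFIX[m.group(2)])

def parse_flows(output):
    """Return one dict per flow line; the header and non-flow lines are skipped."""
    flows = []
    for line in output.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flow = m.groupdict()
            flow["pkts"] = parse_pkts(flow["pkts"])
            flows.append(flow)
    return flows

def top_flows(output, threshold=1_000):
    """Flows with at least `threshold` packets, heaviest first (the `inc K$`/`inc M$` idea)."""
    heavy = [f for f in parse_flows(output) if f["pkts"] >= threshold]
    return sorted(heavy, key=lambda f: f["pkts"], reverse=True)

def flows_per_destination(output):
    """Count distinct flows per destination: many small flows converging on one
    host is the DDoS pattern that per-flow packet-count filtering misses."""
    return Counter(f["dst"] for f in parse_flows(output))
```

Run top_flows(SAMPLE) for the DoS case and flows_per_destination(SAMPLE).most_common(5) for the DDoS case; the constructed sample shows 203.0.113.10 as the target either way.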
