
Security Applications of cflowd
Link-layer Tracing with cflowd

    NetFlow output contains next-hop router in addition to SRC/DST IP addresses.

    Given cflowd server-to-router map, query and recursively trace through previous-hop routers.

    Denial-of-service tracing:
    • forged-source DoS attacks (remember, metrics can be persistent)
    • yes, there is the issue of interrealm trust. It's workable on a small scale. Others are working on the generic scalable solutions.
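
The recursive previous-hop trace described above, as an added sketch that is not cflowd code or part of the original slides. The router names, addresses, collector names and flow records are all constructed, and the record layout (router, src, dst, next hop) is an assumed simplification of NetFlow output.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "router src dst nexthop")
# All names, addresses and records below are constructed for illustration.
# Interface addresses owned by each router (assumed known from inventory).
ROUTER_ADDRS = {
    "edge-victim": {"10.0.0.1"}, "core-1": {"10.0.1.1"}, "core-2": {"10.0.2.1"},
    "border-a": {"10.0.3.1"}, "border-b": {"10.0.4.1"},
}
# cflowd server-to-router map: which collector holds each router's flows.
SERVER_FOR_ROUTER = {
    "edge-victim": "cflowd-1", "core-1": "cflowd-1", "core-2": "cflowd-2",
    "border-a": "cflowd-2", "border-b": "cflowd-2",
}
FLOWS = {
    "cflowd-1": [
        Flow("edge-victim", "198.51.100.7", "192.0.2.10", "192.0.2.10"),
        Flow("core-1", "198.51.100.7", "192.0.2.10", "10.0.0.1"),
    ],
    "cflowd-2": [
        Flow("core-2", "198.51.100.9", "192.0.2.10", "10.0.1.1"),
        Flow("border-a", "198.51.100.7", "192.0.2.10", "10.0.1.1"),
        Flow("border-b", "198.51.100.9", "192.0.2.10", "10.0.2.1"),
        Flow("border-a", "203.0.113.5", "192.0.2.99", "10.0.1.1"),  # unrelated
    ],
}

def previous_hops(router, victim):
    """Routers that forwarded traffic for `victim` with `router` as next hop.
    Matches on destination only, because the source address is forged."""
    addrs = ROUTER_ADDRS[router]
    hops = set()
    for other, server in SERVER_FOR_ROUTER.items():
        if other == router:
            continue
        for f in FLOWS[server]:  # query the collector that serves `other`
            if f.router == other and f.dst == victim and f.nexthop in addrs:
                hops.add(other)
    return sorted(hops)

def trace(router, victim, path=()):
    """Walk upstream recursively; return every path ending at an ingress router."""
    path = path + (router,)
    upstream = [r for r in previous_hops(router, victim) if r not in path]  # loop guard
    if not upstream:
        return [list(path)]  # no measured router upstream: traffic entered here
    return [p for r in upstream for p in trace(r, victim, path)]
```

Calling `trace("edge-victim", "192.0.2.10")` walks from the victim's edge router back to both border routers; the trace stops at the edge of the set of routers whose collectors can be queried, which is where the interrealm trust issue begins.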