Total views : 618

Immediate Detection of DDoS Attacks with using NetFlow on Cisco Devices IOS


  • Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia


Background/Objectives: DDoS attacks are usually detected by analysis of the applications that are installed in or close to the current system are carried out. Methods/Statistical Analysis: Although this method is easy to deploy, but nonurgent and sensitive detection of DDoS attacks that reasons are first, the fact that the write current by interrupting the current collector is normally the data for application analysis creates pieces that caused a delay of several minutes to be recognized. Second, if the attack traffic may be strengthened by the process of sending the original package small enough to be part of a small stream. Findings: In this research paper will show how to detect DDoS attacks on the sender instead of the current collection, the data close to the source and immediate fashion, which had access to a streaming surveillance infrastructure with development needs. In this study, to examine whether the detection system may operate on the same network platform is widely deployed Cisco IOS devices. Since the ultimate goal of the research is to identify the attackers and its objectives, the use of NetFlow. Applications/Improvements: In this paper, the DDoS attack detection prototype has been shown to produce a constant load on the underlying platform, even under attack, stressing that detects DDoS attack can be a Cisco Catalyst 6500 models used in production networks.


Computer Network, Cisco IOS, Detection, DDoS Attack, NetFlow.

Full Text:

 |  (PDF views: 651)


  • Carl G, Kesidis G, Brooks R, Rai S. Denial-of-service attack-detection techniques. IEEE Internet Computing. 2006; 10(1):82-9.
  • Peng T, Leckie C, Ramamohanarao K. Survey of network-based defense mechanisms countering the dos and ddos problems, ACM Computing Survey(CUSR), 2007, 39(1), pp. 3.
  • Cloud Flare, Inc. Technical Details Behind a 400Gbps NTP Amplification DDoS Attack. 2014. Available from:
  • Claise B, Trammell B, Aitken P. Specification of the IP Flow Information Export (IPFIX) protocol for the exchange of flow information. Internet Engineering Task Force. 2013 Sept; 1-76.
  • Sperotto A, Schaffrath G, Sadre R, Morariu C, Pras A, Stiller B. An overview of IP flow-based intrusion detection. IEEE Communications Surveys and Tutorials. 2010; 12(3):43-56.
  • Hofstede R, Celeda P, Trammell B, Drago I, Sadre R, Sperotto A, Pras A. Flow monitoring explained: From packet capture to data analysis with Netflow and IPFIX. IEEE Communications Surveys and Tutorials. 2014; 16(4):2037-64.
  • Galtsev AA, Sukhov AM. Network attack detection at flow level. Proceedings of the 11th International Conference and 4th International Conference on Smart Spaces and Next Generation Wired/Wireless Networking; 2011. p. 326-34.
  • Nguyen HA, Tam Van Nguyen T, Kim D, Choi D. Network traffic anomalies detection and identification with flow monitoring. 5th IFIP International Conference on Wireless and Optical Communications Networks, Surabaya, WOCN’08; 2008. p. 1–5.
  • Muraleedharan N, Parmar A, Kumar M. A flow based anomaly detection system using chi-square technique. Proceedings of IEEE 2nd International Advance Computing Conference, IACC’10; Patiala. 2010. p. 285–9.
  • Hofstede R, Pras A. Real-time and resilient intrusion detection: A flow-based approach. Proceedings of the 6th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS’12; 2012. p. 109–12.
  • Hofstede R, BartosV, Sperotto A, Pras A. Towards real-time intrusion detection for NetFlow/IPFIX. Proceedings of the 9th International Conference on Network and Service Management (CNSM’130); Zurich. 2013. p. 227–34.
  • Follett J. Cisco: Catalyst 6500 the most successful switch ever [Online]. 2006. Available from:
  • Hofstede R, Drago I, Sperotto A, Sadre R, Pras A. Measurement artifacts in NetFlow data. Proceedings of the 14th International Conference on Passive and Active Measurement (PAM’13); 2013. p. 1–10.
  • Cisco Systems, Inc., Catalyst 6500/6000 switch high CPU utilization [Online]. 2012. Available from:
  • Wong DH, Chee CM. Usable, flexible and adaptive network data visualization design for multiple levels of computer users. Indian Journal of Science and Technology. 2015; 8(15):1-7.


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.