TR-20 - Port evolution, a software to find the shady IP profiles in Netflow

TR-20 - Port evolution, a software to find the shady IP profiles in Netflow

Back to Publications and Presentations

  1. Scope
  2. Document
  3. Contact
  4. Classification of this document
  5. Revision

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member


Netflow records are frequently used for accounting purposes in large Networks. Most router are capable of exporting Netflow data. In CIRCL’s Netflow research program we collaborate with partners having large networks willing to exploit Netflow data for monitoring their infrastructures regarding information security incidents. The following objectives are addressed:

  • Validate Received Information Incident response teams or abuse handling teams receive information about incidents such as compromised hosts in their networks. Incident related information is sometimes volatile and quickly outdated. Therefore, it is essential to quickly validate received information. Netflow data can be used to validate this kind of information.

  • Measure the Impact Incident response teams or abuse handling teams including the technical support teams have often limited resources and some tasks must be prioritized. In addition, abuse handling teams have multiple choices of actions. A harsh action for instance is to null route a host in a network. In order to facilities the choices, Netflow data often helps if it is presented in a proper way.

  • Identify Victims Netflow data can frequently be used to identify victims that were targeted by compromised hosts in the monitored network.

  • Detect Incidents Compromised systems are frequently reported by third parties. However, Netflow data can also be used to detect them in a proactive way.

In CIRCL’s Netflow research program CIRCL technically support their partners to develop practical and customized solutions with the interest to improve the overall information security.

In the document below, IP addresses were randomized using Cryptopan.



In case you would like to participate in this project as an ISP or a hosting company, feel free to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.


  • Version 1.0 February 18, 2014 Initial version (TLP:AMBER)