One of our objectives for this year was to get a better trending of network traffic and flows for capacity planning, colo planning and attack mitigation.
The NetFlow tool we’re using also allows me to run a report of top destination ASNs, or networks we send the most amount of traffic to as well as a bunch of other reports, three of which I’ll show below.
(Incidentally, this is the best tool I’ve come across for the price, and yes, I know there are free open source solutions but I’ve never found cflowd or others easy to setup.)
Because of our traffic dispersion, the top twenty destination sites typically get between 1-4Mbps. All of the other traffic is lumped into “Other” with end networks getting far less than 1Mbps. None the less, this gives an interesting idea of where our users are, by bandwidth.
Single Day, Top Destination ASNs
This first report, below, was run for a day’s worth of traffic and represents traffic generated from San Jose and Amsterdam, ranked by destination ASN.
What I find really interesting is that, excluding SBC, you don’t hit any US networks until #11 and Latin America shows up a lot and accounts for a lot of traffic (telmexchile.cl is related to telmex which services México, Argentina, Brasil, Colombia, Chile, Perú and the US so that 15Mbps could represent more than just Chile - the ASN is registered to .cl, however).
Single Day, Top Destination ASNs
| Rank | Bandwidth | Destination ASN |
|---|---|---|
| 1 | 15.77Mbps | telmexchile.cl |
| 2 | 4.65Mbps | SBIS-AS Southwestern Bell Internet Services |
| 3 | 4.57Mbps | gtdinternet.com [appears to service all of Chile] |
| 4 | 4.45Mbps | Deutsche Telekom |
| 5 | 3.41Mbps | N3 Service provider (.co.uk provider) |
| 6 | 2.99Mbps | France Telecom |
| 7 | 2.86Mbps | China Telecom |
| 8 | 2.24Mbps | Uninet S.A. de C.V. (.mx) |
| 9 | 2.17Mbps | Polish Telecom |
| 10 | 2.08Mbps | Embratel (.br) |
| 11 | 2.06Mbps | Cox Communications (.us) |
| 12 | 1.98Mbps | Verizon |
| 13 | 1.85Mbps | Comcast (.us) |
| 14 | 1.82Mbps | Charter (.us) |
| 15 | 1.56Mbps | bharti.com (.in) |
| 16 | 1.52Mbps | Czech Nations Research |
| 17 | 1.43Mbps | Turk Telekom |
| 18 | 1.30Mbps | Qwest |
| 19 | 1.27Mbps | Arcor IP-Network (.de) |
| 20 | 1.17Mbps | Shaw (.us) |
Seven Day, Top Destination ASNs
This second one is a long-term, 7 day (Apr 25 - May 02), report showing the same but separated out for San Jose and Amsterdam.
San Jose
| Dest. ASN | Average | % of Total |
|---|---|---|
| 3320 (AS3320 Deutsche Telekom AG) | 4.81 Mbps (338.47 GB) | 2% |
| 7132 (SBIS-AS Southwestern Bell Internet Services) | 4.3 Mbps (302.78 GB) | 2% |
| 680 (DFN-WIN-AS Deutschef Forschurgsnetz) | 2.9 Mbps (204.02 GB) | 1% |
| 19262 (VZGNI-TRANSIT Verizon Global Networks) | 2.78 Mbps (195.76 GB) | 1% |
| 3215 (AS3215 France Telecom Transpac) | 2.44 Mbps (172.04 GB) | 1% |
| 12322 (PROXAD AS for Proxad ISP) | 1.92 Mbps (135 GB) | <1% |
| 5617 (AS5617 TPNET) | 1.87 Mbps (131.35 GB) | <1% |
| 22773 (CCINET-2 Cox Communications Inc. Atlanta) | 1.78 Mbps (125.49 GB) | <1% |
| 3269 (ASN-IBSNAZ TELECOM ITALIA) | 1.4 Mbps (98.52 GB) | <1% |
| Others | 127.71 Mbps (8.78 TB) | 66% |
Amsterdam
| Dest. ASN | Average | % of Total |
|---|---|---|
| 3320 (AS3320 Deutsche Telekom AG) | 1.17 Mbps (82.25 GB) | 3% |
| 12322 (PROXAD AS for Proxad ISP) | 449.05 kbps (31.62 GB) | 3% |
| 19262 (VZGNI-TRANSIT Verizon Global Networks) | 434.97 kbps (30.63 GB) | 1% |
| 36856 (Mozilla-San Jose) | 403.91 kbps (28.44 GB) | 1% |
| 90 (SUN-AS Sun Microsystems, Inc.) | 398.93 kbps (28.09 GB) | 1% |
| 4134 (ERX-CHINALINK Data Communications Bureau) | 390.89 kbps (27.52 GB) | 1% |
| 2856 (BT-UK-AS BTnet UK Regional network) | 345.37 kbps (24.32 GB) | <1% |
| 9121 (TTNet TTnet Autonomous System) | 328.89 kbps (23.16 GB) | <1% |
| 3209 (Arcor IP-Network) | 322.89 kbps (22.73 GB) | <1% |
| Others | 14.11 Mbps (993.71 GB) | 41% |
Top sites by unique address
This third report (which I thought was more interesting in it’s original format that in just text, so excuse the large image), which I ran a couple weeks ago for just San Jose, breaks down unique number of destination address for each source address.
This one is interesting because it shows that most traffic’d website (by unique end users) is fxfeeds.mozilla.org (default live bookmarks RSS feed in Firefox) at a peak of nearly 1000 unique IP addresses/second followed by addons.mozilla.org (the next two are the Citrix Netscaler GSLB probes).
So I have no real conclusion. Data’s interesting in different ways to different people. Enjoy!
Comments (3)
Being a little Captain Obvious, if you added up all of the US networks later in the list, I think they would be #2. So it’s not like Americans don’t visit Mozilla’s websites, it’s just that there are a lot of American ISPs.
Interesting how much traffic the Deutsche Telekom gets. But it happens to be the biggest ISP in Germany so they have a lot of customers and resellers as well.
The Deutsches Forschungsnetz, in turn, is the combination of the German university networks, so these hits happen from somewhere on German university campuses.
I may be mistaken, but I think that the 20th position, Shaw Communications Inc., represents Canadian traffic. That is not shaw.com or shaw.us, but shaw.ca.