nanog mailing list archives
Is current DDoS detecting method effective?
From: Joe Shen <joe_hznm () yahoo com sg>
Date: Mon, 7 Mar 2005 09:13:14 +0800 (CST)
Hi,

I use flow-tools to monitor the link bandwidth utilization on three backbone interfaces. The total bandwidth utilized is about 11Gbps, and netflow data is analyzed to show statistics on some special ports (e.g. port 0, port 445 etc.). I think this could give us some indication of a possible DoS attack, but it's hard to monitor DoS attacks on all hosts or all ports. In fact, I'm not sure whether traffic monitoring could REALLY help to identify some DoS attacks, esp. in ISP networks.

My questions include:

1) What should be protected in ISP networks? The ISP's own network, or both the ISP's network and its customers? I think the answer is, the ISP should only care about the safety of its own network, which should be overprovisioned (not only link bandwidth but also CPU/MEM etc.); we could use some techniques like reverse route checking and ACLs to immunize those core routers/switches from DoS.

2) What cost should we accept to identify any possible DoS in the ISP network? I think it will cost a lot if we keep monitoring traffic on all edge routers (both to the backbone network and to customers), because we have to set up traffic monitoring on all interfaces and we have to set up analysis hosts whose capacity has to be increased from time to time. While the gain is not obvious (at least a botnet could not be crashed easily).

3) Are those techniques used these days really effective? Where can I find some theoretical analysis of the method Arbor uses to identify DoS? In my experience, network attacks are continuous. I did an experiment in our network: I put a Win2003 server on the access layer. After 24 hours, the software firewall on it recorded about 10,0000 scan & attack attempts. Arbor says its product builds up a traffic model before identifying DoS, while the DoS may already have been at its peak when Arbor's box is building up its traffic model!!

So, what can we do about DoS in ISP networks?

--- "David J. Hughes" <bambi () hughes com au> wrote:
On 04/03/2005, at 5:17 AM, Chris Roberts wrote:

I know you said not Arbor, but I'd second this opinion. I used Arbor at a medium-sized European ISP and it was fantastic at the job. Just in the trial period found a lot of smaller DoS attacks on our network that we didn't even know were there, and this was without a particular baseline. I think the development time you'd spend building something like (we tried building similar with cflowd et al) would outweigh the costs... This is always a moot point if you don't have the cash though I guess :-)

Another option on the commercial front is from Esphion in New Zealand (www.esphion.com). I've been involved with deploying their products at a large hosting provider in Australia and I've been very impressed with the performance and reliability. It's now an integral part (if not the corner stone) of our DOS mitigation procedure. Good bit of kit.

David
...
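As an added illustration of the approach Joe describes above (per-port NetFlow byte counts compared against a learned baseline) and of the concern he raises about a detector whose baseline is built while an attack is already at its peak, the following Python example aggregates flow records into per-minute byte counts per destination port and compares two ways of setting a threshold. It is not code from the thread, from flow-tools, or from Arbor: the flow records are constructed, the ports and volumes are hypothetical, and the mean-plus-sigma and median-plus-MAD thresholds are illustrative choices, not a description of any vendor's model.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

MAD_TO_SIGMA = 1.4826  # scales the median absolute deviation to a sigma for normal data


def make_sample_flows():
    """Constructed NetFlow-style records as (minute_bucket, dst_port, bytes).

    Port 80 carries steady web traffic with small jitter. Port 445 sees only
    background scanning noise until minute 15, when a hypothetical flood adds
    6000 bytes per minute on top of it. None of this is measured data.
    """
    flows = []
    for b in range(20):
        flows.append((b, 80, 1000 + (b % 3) * 50))
        flows.append((b, 445, 40 + (b % 2) * 5))
        if b >= 15:
            flows.append((b, 445, 6000))
    return flows


def bytes_per_port_bucket(flows):
    """Aggregate flow records into {port: [bytes in bucket 0, bucket 1, ...]}."""
    totals = defaultdict(lambda: defaultdict(int))
    for bucket, port, nbytes in flows:
        totals[port][bucket] += nbytes
    return {port: [per_bucket[b] for b in sorted(per_bucket)]
            for port, per_bucket in totals.items()}


def mean_threshold(train, k):
    """Classic mean + k*sigma threshold. A flood inside the training window
    inflates both the mean and the deviation, which can hide the flood itself."""
    return mean(train) + k * pstdev(train)


def robust_threshold(train, k):
    """Median + k*MAD threshold. A minority of attack buckets in the training
    window barely moves the median or the MAD, so the flood is still flagged."""
    m = median(train)
    mad = median(abs(x - m) for x in train)
    return m + k * MAD_TO_SIGMA * max(mad, 1.0)  # floor keeps idle ports from a zero-width band


def detect(flows, train_buckets, threshold_fn=robust_threshold, k=3.0):
    """Build a per-port threshold from the first train_buckets buckets and
    return {port: [bucket indices whose byte count exceeds that threshold]}."""
    alerts = {}
    for port, series in bytes_per_port_bucket(flows).items():
        thr = threshold_fn(series[:train_buckets], k)
        alerts[port] = [i for i, v in enumerate(series) if v > thr]
    return alerts


if __name__ == "__main__":
    flows = make_sample_flows()
    for name, fn in (("mean+3sigma", mean_threshold), ("median+3MAD", robust_threshold)):
        for train in (10, 20):
            # train=10 is a clean baseline; train=20 includes the five flood minutes
            print(f"{name:12s} baseline from {train:2d} buckets -> {detect(flows, train, fn)}")
```

With a clean ten-minute baseline both thresholds flag minutes 15 to 19 on port 445. When the baseline window is extended to cover all twenty minutes, so that the flood is part of the training data, the mean-based threshold on port 445 rises above the flood volume and reports nothing, which is exactly the failure mode Joe worries about; the median-based threshold is moved only slightly by the five flood minutes and still flags them. In practice the same idea extends to flows per source, packets per second, or SYN-to-ACK ratios, and the training window should be long enough that an attack is a minority of its samples.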