nanog mailing list archives
Re: Is current DDoS detecting method effective?
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 07 Mar 2005 23:02:15 +0100
* Kim Onnel:
> So I can safely say that detecting DDoS attacks is mostly done using Netflow data, now the only tool (known) on the market to analyze for attacks is Arbor, now besides being expensive, which is a problem for mid-sized ISPs,
Who qualifies as a mid-sized ISP? What equipment is typical?

Even the most simple approach, based on sampled Netflow, an off-the-shelf SQL database (PostgreSQL preferred) and a couple of Perl scripts can work wonders. You won't get reliable automated alerts, but you can run ad-hoc queries to find out what's going on on your network when something or somebody else has detected a problem.

The people already doing this probably consider this trivial, so it's not well documented. I tried to write something down, but never found the time to really polish it:

<http://cert.uni-stuttgart.de/projects/flows/>

DoS detection can be quite hard, especially if you have many compromised Windows boxes and you can't force the owners to clean them (because it's too expensive to contact them, for example). This results in a lot of background noise and useless flow data, too.

If there's little background noise, you can use a rather straightforward SQL query that you run periodically.
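The "sampled Netflow into an SQL database, then a periodic query" approach described in the post, as an added example that is not Florian's scripts or the cert.uni-stuttgart.de tooling: it loads constructed, made-up sampled flow records into SQLite (standing in for the PostgreSQL the post prefers, so it runs offline), then runs one query that flags destinations receiving a many-to-one packet surge well above that destination's own recent baseline. The schema, the 1:1000 sampling rate, the window sizes and the thresholds are all assumptions of this example; the baseline comparison is what keeps a normally busy host from alerting, which is one way to cope with the background noise the post mentions.

```python
"""Ad-hoc DDoS triage over sampled NetFlow stored in an SQL table.

Everything here is constructed for illustration: the flow records are
invented, SQLite stands in for PostgreSQL, and the schema, sampling rate
and thresholds are assumptions, not values from the post.
"""
import sqlite3

SAMPLING_RATE = 1000   # assumed 1:1000 packet sampling on the exporter
NOW = 1110232935       # constructed "current time" (unix seconds)

SCHEMA = """
CREATE TABLE flows (
    start_ts INTEGER NOT NULL,  -- flow start, unix seconds
    src_addr TEXT    NOT NULL,
    dst_addr TEXT    NOT NULL,
    proto    INTEGER NOT NULL,
    dst_port INTEGER,
    packets  INTEGER NOT NULL,  -- sampled packet count
    bytes    INTEGER NOT NULL
);
CREATE INDEX flows_start_ts ON flows (start_ts);
"""

# Per destination: distinct sources and estimated packets in the last
# :window seconds, compared with the same destination's estimated packets
# per window over the preceding :baseline seconds.  Works unchanged on
# PostgreSQL apart from the parameter style.
DETECT_SQL = """
WITH recent AS (
    SELECT dst_addr,
           COUNT(DISTINCT src_addr) AS sources,
           SUM(packets) * :rate     AS est_packets
    FROM flows
    WHERE start_ts >= :now - :window
    GROUP BY dst_addr
),
baseline AS (
    SELECT dst_addr,
           SUM(packets) * :rate * :window / :baseline AS est_per_window
    FROM flows
    WHERE start_ts >= :now - :window - :baseline
      AND start_ts <  :now - :window
    GROUP BY dst_addr
)
SELECT r.dst_addr, r.sources, r.est_packets,
       COALESCE(b.est_per_window, 0) AS baseline_packets
FROM recent r
LEFT JOIN baseline b ON b.dst_addr = r.dst_addr
WHERE r.sources     >= :min_sources
  AND r.est_packets >= :min_packets
  AND r.est_packets >= :ratio * COALESCE(b.est_per_window, 0)
ORDER BY r.est_packets DESC
"""


def build_sample_db(now):
    """Create an in-memory flows table with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = []
    # Victim 192.0.2.10: 60 distinct sources in the last 5 minutes,
    # against a quiet hour before that (12 small flows from one peer).
    for i in range(60):
        rows.append((now - 300 + i * 4, f"198.51.100.{i + 1}", "192.0.2.10", 17, 53, 20, 1200))
    for i in range(12):
        rows.append((now - 3900 + i * 300, "203.0.113.5", "192.0.2.10", 6, 80, 5, 3000))
    # Busy-but-normal 192.0.2.20: many sources now, but the same rate all hour.
    for i in range(40):
        rows.append((now - 300 + i * 7, f"203.0.113.{i + 1}", "192.0.2.20", 6, 80, 10, 8000))
    for i in range(480):
        rows.append((now - 3900 + i * 7, f"203.0.113.{i % 40 + 1}", "192.0.2.20", 6, 80, 10, 8000))
    # Single-source burst at 192.0.2.30: high volume but not many-to-one,
    # so the distributed-attack rule below deliberately ignores it.
    for ts in (now - 200, now - 150, now - 100):
        rows.append((ts, "198.51.100.200", "192.0.2.30", 6, 22, 500, 30000))
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def detect(conn, now, window=300, baseline=3600, rate=SAMPLING_RATE,
           min_sources=10, min_packets=100_000, ratio=10):
    """Return (dst, sources, est_packets, baseline_packets) for suspect destinations."""
    params = {"now": now, "window": window, "baseline": baseline, "rate": rate,
              "min_sources": min_sources, "min_packets": min_packets, "ratio": ratio}
    return conn.execute(DETECT_SQL, params).fetchall()


if __name__ == "__main__":
    db = build_sample_db(NOW)
    for dst, sources, est, base in detect(db, NOW):
        print(f"{dst}: {sources} sources, ~{est} pkts/window (baseline ~{base})")
```

On the constructed data only 192.0.2.10 is reported: 192.0.2.20 receives as much traffic but matches its own baseline, and 192.0.2.30 fails the distinct-source threshold. Run from cron against the real table, this is the "rather straightforward SQL query that you run periodically" of the post; the thresholds have to be tuned per network, and the more background noise from compromised hosts, the less reliable the baseline becomes.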
Current thread:
- Is current DDoS detecting method effective? Joe Shen (Mar 06)
- Re: Is current DDoS detecting method effective? Christopher L. Morrow (Mar 06)
- Re: Is current DDoS detecting method effective? Joe Shen (Mar 07)
- Re: Is current DDoS detecting method effective? Kim Onnel (Mar 07)
- Re: Is current DDoS detecting method effective? Jared Mauch (Mar 07)
- Re: Is current DDoS detecting method effective? Florian Weimer (Mar 07)
- Re: Is current DDoS detecting method effective? Florian Weimer (Mar 07)
- Re: Is current DDoS detecting method effective? Christopher L. Morrow (Mar 06)
- <Possible follow-ups>
- Re: Is current DDoS detecting method effective? Fergie (Paul Ferguson) (Mar 06)
- Re: Is current DDoS detecting method effective? Joe Shen (Mar 06)