nanog mailing list archives

Re: Is current DDoS detecting method effective?


From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 07 Mar 2005 23:02:15 +0100


* Kim Onnel:

> So I can safely say that detecting DDoS attacks is mostly done using
> Netflow data, now the only tool (known) on the market to analyze for
> attacks is Arbor, now besides being expensive, which is a problem for
> mid-sized ISPs,

Who qualifies as a mid-sized ISP?  What equipment is typical?

Even the most simple approach, based on sampled Netflow, an
off-the-shelf SQL database (PostgreSQL preferred) and a couple of Perl
scripts can work wonders.  You won't get reliable automated alerts,
but you can run ad-hoc queries to find out what's going on on your
network when something or somebody else has detected a problem.  The
people already doing this probably consider this trivial, so it's not
well documented.  I tried to write something down, but never found the
time to really polish it:

  <http://cert.uni-stuttgart.de/projects/flows/>

DoS detection can be quite hard, especially if you have many
compromised Windows boxes and you can't force the owners to clean them
(because it's too expensive to contact them, for example).  This
results in a lot of background noise and useless flow data, too.  If
there's little background noise, you can use a rather straightforward
SQL query that you run periodically.
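The periodic query idea described above, as an added example that is not code from the post or from the cert.uni-stuttgart.de flows project: sampled NetFlow records (constructed here, 1:1000 sampling assumed) are loaded into an SQL table and one aggregate query per interval flags destinations receiving many small packets from many distinct sources. SQLite stands in for PostgreSQL, and the thresholds, window and addresses are assumptions to be tuned against a site's own background noise.

```python
import sqlite3

# Constructed window of sampled NetFlow records (1:1000 sampling assumed).
# Columns: flow start (epoch s), src, dst, dst port, protocol, sampled packets, sampled bytes.
WINDOW_START, WINDOW_END = 1110229200, 1110229260  # 60-second period of the periodic run
SAMPLE_FLOWS = [
    # Ordinary traffic: few sources, large packets.
    (WINDOW_START + 5, "198.51.100.7", "192.0.2.20", 80, 6, 120, 144000),
    (WINDOW_START + 9, "198.51.100.9", "192.0.2.20", 443, 6, 80, 96000),
    (WINDOW_START + 30, "198.51.100.7", "192.0.2.21", 25, 6, 10, 9000),
]
# Flood-shaped traffic: many distinct sources sending tiny packets at one destination.
SAMPLE_FLOWS += [
    (WINDOW_START + i, f"203.0.113.{i}", "192.0.2.10", 53, 17, 12, 480) for i in range(1, 41)
]

SCHEMA = """CREATE TABLE flows (
    start INTEGER, src TEXT, dst TEXT, dport INTEGER, proto INTEGER,
    packets INTEGER, bytes INTEGER)"""

# The straightforward query run once per interval: aggregate per destination over the
# window, keep destinations fed by at least min_srcs sources and min_pkts sampled packets.
QUERY = """
SELECT dst, COUNT(DISTINCT src) AS srcs, SUM(packets) AS pkts,
       SUM(bytes) * 1.0 / SUM(packets) AS avg_bytes
FROM flows
WHERE start >= ? AND start < ?
GROUP BY dst
HAVING COUNT(DISTINCT src) >= ? AND SUM(packets) >= ?
ORDER BY pkts DESC"""


def load_flows(flows):
    """Load sampled flow records into an in-memory SQLite table (stand-in for PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?, ?)", flows)
    return conn


def suspect_targets(conn, start, end, min_srcs=20, min_pkts=200, sample_rate=1000):
    """Return (dst, distinct sources, estimated packets/s, avg bytes/packet) per flagged dst."""
    rows = conn.execute(QUERY, (start, end, min_srcs, min_pkts)).fetchall()
    seconds = end - start  # scale sampled packet counts back up to an estimated rate
    return [(dst, srcs, pkts * sample_rate / seconds, round(avg, 1)) for dst, srcs, pkts, avg in rows]


if __name__ == "__main__":
    conn = load_flows(SAMPLE_FLOWS)
    for dst, srcs, pps, avg in suspect_targets(conn, WINDOW_START, WINDOW_END):
        print(f"{dst}: {srcs} sources, ~{pps:.0f} pkt/s, {avg} bytes/pkt")
```

The same aggregate, with thresholds raised to the site's normal multi-source traffic, is what turns the ad-hoc query into the periodic check the post mentions.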

