nanog mailing list archives

Re: OBESEUS - A new type of DDOS protector


From: William Pitcock <nenolod () systeminplace net>
Date: Tue, 16 Mar 2010 04:13:28 -0500

On Tue, 2010-03-16 at 07:53 +0000, gordon b slater wrote:
> Hmm, the "hey! it's open source!" factor doesn't hold much sway in the
> network world, no-one will be amazed at that. Many observers are
> surprised at the amount of free software employed by ISPs and the
> like, but it's certainly no news to insiders.

Not to mention that it is only "open source for private non-commercial
use only", and is crippled.

Also, Obeseus doesn't seem to be any better than stuff I have made
myself for my own usage and clients' usage.  All it does is look at a
pcap dump and analyze it.

Obeseus is actually worse: it does not work in realtime, the data
structures it uses are not suited to realtime detection, and in a DDoS,
I think this could take several minutes to trigger appropriate events
like IP nullroutes and ACLs etcetera.

The best way to detect DDoS is to run a 30 second rolling average.  If
you're suddenly doing a gigabit inbound within 30 seconds of UDP
traffic, you're probably being DDoSed ;).

William
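The 30 second rolling average William describes, written out as an added example; this is not code from the thread or from Obeseus. It assumes the input is a stream of (timestamp, protocol, byte count) records such as a flow exporter or a per-second interface counter poll would give you, a 1 Gbit/s threshold, and per-second buckets so that memory stays bounded at window-size entries no matter how many packets the flood delivers. The traffic records are constructed inline; no real capture is used.

```python
from collections import deque

# Added example (not the author's code). Records are constructed
# (timestamp_seconds, protocol, byte_count) tuples, assumed to arrive in
# non-decreasing timestamp order.


class RollingRateDetector:
    """Rolling-average bits/s over a fixed window, bucketed per second.

    Per-second buckets mean at most `window_seconds` entries are ever held,
    which is what keeps the detector realtime during a flood: cost per record
    does not grow with packet rate.
    """

    def __init__(self, window_seconds=30, threshold_bps=1_000_000_000, proto="udp"):
        self.window = window_seconds
        self.threshold = threshold_bps
        self.proto = proto
        self.buckets = deque()  # (second, bytes), oldest first, <= window entries
        self.total_bytes = 0

    def _expire(self, now_sec):
        # Drop buckets outside (now - window, now]; amortised O(1) per record.
        while self.buckets and self.buckets[0][0] <= now_sec - self.window:
            _, n = self.buckets.popleft()
            self.total_bytes -= n

    def observe(self, ts, proto, nbytes):
        """Account one record and return the rolling average in bits/s."""
        sec = int(ts)
        self._expire(sec)
        if proto == self.proto:
            if self.buckets and self.buckets[-1][0] == sec:
                _, n = self.buckets[-1]
                self.buckets[-1] = (sec, n + nbytes)
            else:
                self.buckets.append((sec, nbytes))
            self.total_bytes += nbytes
        return self.rate_bps()

    def rate_bps(self):
        # Average over the whole window, so a burst shorter than the window
        # is damped rather than reported at its instantaneous rate.
        return self.total_bytes * 8 / self.window

    def alarm(self):
        return self.rate_bps() > self.threshold


def first_alarm(records, detector=None):
    """Timestamp of the first record that pushes the average over threshold, or None."""
    det = detector or RollingRateDetector()
    for ts, proto, nbytes in records:
        det.observe(ts, proto, nbytes)
        if det.alarm():
            return ts
    return None


def constructed_records(flood_start=60, end=120,
                        baseline_bytes=6_250_000, flood_bytes=150_000_000):
    """Constructed per-second records: 50 Mbit/s UDP baseline plus some TCP,
    then a 1.2 Gbit/s UDP flood from `flood_start` onwards."""
    out = []
    for sec in range(end):
        out.append((sec, "tcp", 2_000_000))  # ignored by a UDP-only detector
        udp = flood_bytes if sec >= flood_start else baseline_bytes
        out.append((sec, "udp", udp))
    return out


if __name__ == "__main__":
    t = first_alarm(constructed_records())
    print("flood starts at t=60, rolling-average alarm at t=%s" % t)
```

With these constructed numbers the alarm fires at t=84, 25 seconds into the flood: a full-window average only crosses 1 Gbit/s once most of the 30 buckets hold flood traffic. Shortening the window (or alarming on the instantaneous rate of the newest bucket as well) lowers that latency at the cost of more false positives from legitimate bursts, which is the trade-off to tune before wiring the alarm to nullroutes or ACLs.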


