nanog mailing list archives

Re: DDOS, IDS, RTBH, and Rate limiting

From: Robert Duffy <rob () esecuredata com>
Date: Thu, 20 Nov 2014 19:00:49 -0800

I've been using NTOP for couple of years.  I'm mostly looking for something
that can quickly detect DDoS attacks in a datacenter environment.  Thanks
for the suggestions.  I"ll check them out.

On Thu, Nov 20, 2014 at 6:50 PM, Tim Jackson <jackson.tim () gmail com> wrote:

I highly recommend pmacct and it's in-memory tables. Lightweight, easy to
query and super fast.

You can also easily run multiple aggregates of traffic to find what you are
interested in, tag common interface types to easily filter traffic..

Or you can use pmacct to insert this into whatever database you want, AMQP
or MongoDB..

My current favorite is using an IMT table for DoS detection and another for
aggregates for interesting traffic types and querying this every X minutes
and inserting it into ElasticSearch. Kibana makes the most powerful netflow
dashboard ever.

--
Tim
On Nov 20, 2014 6:39 PM, "Roland Dobbins" <rdobbins () arbor net> wrote:


On 21 Nov 2014, at 9:19, Robert Duffy wrote:

 What open-source NetFlow analysis tools would you recommend for quickly

detecting a DDoS attack?


I generally recommend that folks get started with something like
nfdump/nfsen or ntop.  There are other, more sophisticated tools out

there,

but these allow one to get up and running quickly, and to gain valuable
operational experience with which to evaluate more sophisticated tools,

if

they're needed.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>




-- 
Regards,
Rob
------------------------------------------------------------
--------------------
Robert Duffy
eSecureData.com Inc.
1478 Hartley Ave.
Coquitlam, BC V3K 7A1
T: (800) 620-1985
F: (800) 620-1986

This communication is intended for the use of the recipient to which it is
addressed, and may contain confidential, personal and or privileged
information. Please contact the sender immediately if you are not the
intended recipient of this communication, and do not copy, distribute, or
take action relying on the contents herein. Any communication received in
error, or subsequent reply, should be deleted or destroyed.

Current thread:

Re: DDOS, IDS, RTBH, and Rate limiting, (continued)
- Re: DDOS, IDS, RTBH, and Rate limiting srn . nanog (Nov 08)
  - Re: DDOS, IDS, RTBH, and Rate limiting Paul S. (Nov 09)
- Re: DDOS, IDS, RTBH, and Rate limiting Joe Chisolm (Nov 09)
- DDOS, IDS, RTBH, and Rate limiting Pavel Odintsov (Nov 20)
  - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Robert Duffy (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Tim Jackson (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Robert Duffy (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Paul S. (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
    - Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
    - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 21)
    - Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
  - Re: DDOS, IDS, RTBH, and Rate limiting Data Zone (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Avi Freedman (Nov 20)
  - Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
    - Re: DDOS, IDS, RTBH, and Rate limiting Peter Phaal (Nov 21)
    - Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)

(Thread continues...)