nanog mailing list archives
Re: DDOS, IDS, RTBH, and Rate limiting
From: Robert Duffy <rob () esecuredata com>
Date: Thu, 20 Nov 2014 19:00:49 -0800
I've been using NTOP for a couple of years. I'm mostly looking for something that can quickly detect DDoS attacks in a datacenter environment. Thanks for the suggestions. I'll check them out.

On Thu, Nov 20, 2014 at 6:50 PM, Tim Jackson <jackson.tim () gmail com> wrote:

> I highly recommend pmacct and its in-memory tables. Lightweight, easy to query and super fast. You can also easily run multiple aggregates of traffic to find what you are interested in, tag common interface types to easily filter traffic... Or you can use pmacct to insert this into whatever database you want, AMQP or MongoDB...
>
> My current favorite is using an IMT table for DoS detection and another for aggregates for interesting traffic types, querying this every X minutes and inserting it into ElasticSearch. Kibana makes the most powerful netflow dashboard ever.
>
> --
> Tim
>
> On Nov 20, 2014 6:39 PM, "Roland Dobbins" <rdobbins () arbor net> wrote:
>
>> On 21 Nov 2014, at 9:19, Robert Duffy wrote:
>>
>>> What open-source NetFlow analysis tools would you recommend for quickly detecting a DDoS attack?
>>
>> I generally recommend that folks get started with something like nfdump/nfsen or ntop. There are other, more sophisticated tools out there, but these allow one to get up and running quickly, and to gain valuable operational experience with which to evaluate more sophisticated tools, if they're needed.
>>
>> -----------------------------------
>> Roland Dobbins <rdobbins () arbor net>
--
Regards,
Rob
--------------------------------------------------------------------------------
Robert Duffy
eSecureData.com Inc.
1478 Hartley Ave.
Coquitlam, BC V3K 7A1
T: (800) 620-1985
F: (800) 620-1986

This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal and or privileged information. Please contact the sender immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on the contents herein. Any communication received in error, or subsequent reply, should be deleted or destroyed.
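The polling loop Tim describes (an in-memory table dedicated to DoS detection, read every X seconds, thresholds applied per destination) is short enough to show in full. The following is an added example, not code from the thread, from Tim, or from the pmacct project. It assumes a hypothetical pmacctd configuration with `aggregate: dst_host, proto` feeding a memory plugin, and a formatted `pmacct -s` dump whose column layout (DST_IP, PROTOCOL, PACKETS, BYTES) is an assumption; the sample dump below is constructed, and the threshold values are placeholders to be tuned against the site's baseline.

```python
"""Threshold flood detection over a pmacct in-memory table (IMT) dump.

Added example (not from the thread or the pmacct project). Assumed
pmacctd.conf for the DoS table (hypothetical):

    interface: eth0
    plugins: memory[dos]
    aggregate[dos]: dst_host, proto
    imt_path[dos]: /tmp/pmacct-dos.pipe

Polling is `pmacct -s -p <pipe>` to read the table and `pmacct -e -p <pipe>`
to clear it, so each read covers roughly one polling interval. Packets that
arrive between the read and the clear are lost from the count; that gap is
small next to the interval and acceptable for alerting, but not for billing.
"""
import subprocess
from collections import defaultdict

PIPE = "/tmp/pmacct-dos.pipe"   # hypothetical imt_path
POLL_SECONDS = 60               # the "every X minutes" in the thread
PPS_THRESHOLD = 50_000          # placeholder; tune to the site's baseline
BPS_THRESHOLD = 1_000_000_000   # 1 Gbit/s, placeholder

# Constructed sample of a formatted `pmacct -s` dump; the column set is an
# assumption and in practice follows the 'aggregate' line in pmacctd.conf.
SAMPLE_DUMP = """\
DST_IP                                         PROTOCOL    PACKETS               BYTES
203.0.113.10                                   udp         9000000               12000000000
203.0.113.10                                   tcp         120000                96000000
198.51.100.7                                   tcp         30000                 45000000
198.51.100.9                                   icmp        4500000               360000000

For a total of: 4 entries
"""


def parse_imt_dump(text):
    """Turn the formatted table into a list of dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.startswith("For a total")]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # ignore anything that does not match the header layout
        row = dict(zip(header, fields))
        row["PACKETS"] = int(row["PACKETS"])
        row["BYTES"] = int(row["BYTES"])
        rows.append(row)
    return rows


def detect_floods(rows, interval, pps_threshold=PPS_THRESHOLD,
                  bps_threshold=BPS_THRESHOLD):
    """Sum counters per destination across protocols, convert to rates over
    `interval` seconds, and return one alert dict per destination that crosses
    either threshold, highest pps first."""
    per_dst = defaultdict(lambda: {"packets": 0, "bytes": 0, "protos": set()})
    for r in rows:
        d = per_dst[r["DST_IP"]]
        d["packets"] += r["PACKETS"]
        d["bytes"] += r["BYTES"]
        d["protos"].add(r["PROTOCOL"])

    alerts = []
    for dst, d in per_dst.items():
        pps = d["packets"] / interval
        bps = d["bytes"] * 8 / interval
        reasons = []
        if pps >= pps_threshold:
            reasons.append("pps")
        if bps >= bps_threshold:
            reasons.append("bps")
        if reasons:
            alerts.append({"dst": dst, "pps": round(pps), "bps": round(bps),
                           "protos": sorted(d["protos"]), "reasons": reasons})
    alerts.sort(key=lambda a: a["pps"], reverse=True)
    return alerts


def poll_once(pipe=PIPE, interval=POLL_SECONDS):
    """Read and clear the live IMT, then run detection on what was read."""
    dump = subprocess.run(["pmacct", "-s", "-p", pipe], capture_output=True,
                          text=True, check=True).stdout
    subprocess.run(["pmacct", "-e", "-p", pipe], check=True)
    return detect_floods(parse_imt_dump(dump), interval)


if __name__ == "__main__":
    # Offline run on the constructed sample; swap for poll_once() on a live box.
    for alert in detect_floods(parse_imt_dump(SAMPLE_DUMP), POLL_SECONDS):
        print(alert)
```

The per-destination aggregation is deliberate: a volumetric flood is usually spread across many sources and several protocols, so keying on the victim rather than on (src, dst, proto) tuples keeps the table small and the signal obvious. The alert dicts are JSON-ready, which is the natural shape to ship on to Elasticsearch for the Kibana view Tim mentions.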
Current thread:
- Re: DDOS, IDS, RTBH, and Rate limiting, (continued)
- Re: DDOS, IDS, RTBH, and Rate limiting srn . nanog (Nov 08)
- Re: DDOS, IDS, RTBH, and Rate limiting Paul S. (Nov 09)
- Re: DDOS, IDS, RTBH, and Rate limiting Joe Chisolm (Nov 09)
- DDOS, IDS, RTBH, and Rate limiting Pavel Odintsov (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Robert Duffy (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Tim Jackson (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Robert Duffy (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Paul S. (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting srn . nanog (Nov 08)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Peter Phaal (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)