nanog mailing list archives
Re: DDOS, IDS, RTBH, and Rate limiting
From: Denys Fedoryshchenko <denys () visp net lb>
Date: Fri, 21 Nov 2014 21:18:57 +0200
Thanks! Most important, there is a plugin API, so it is easy to write custom code to do some analysis and, on events, actions.
On 2014-11-21 20:32, Tim Jackson wrote:
> pmacct includes sfacctd, which is an sFlow collector. Accessible via the same methods as its nfacctd collector or pcap-based collector.
>
> --
> Tim
>
> On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko <denys () visp net lb> wrote:
>> On 2014-11-21 18:41, Peter Phaal wrote:
>>>>> Actually, sFlow from many vendors is pretty good (per your points about flow burstiness and delays), and is good enough for dDoS detection. Not for security forensics, or billing at 99.99% accuracy, but good enough for traffic visibility, peering analytics, and (d)DoS detection.
>>>> Well, if it is available, except hardware limitations, there is a second obstacle: software licensing cost. On the latest JunOS, for example on the EX2200, you need to purchase a license (EFL), and if I am not wrong it is $3000 for 48-port units. So if only the sFlow feature is at stake, it is worth thinking whether to purchase the license or to purchase a server.
>>> Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2): http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf
>>>
>>> I am not aware of any vendor requiring an additional license to enable sFlow. sFlow (packet sampling) works extremely well for the DDoS flood detection / mitigation use case. The measurements are built into low cost commodity switch hardware and can be enabled operationally without adversely impacting switch performance. A flood attack generates high packet rates, and sampling a 10G port at 1-in-10,000 will reliably detect flood attacks within seconds. For most use cases, it is much less expensive to use switches to perform measurement than to attach taps / mirror port probes. If your switches don't already support sFlow, you can buy a 10G capable white box switch for a few thousand dollars that will let you monitor 1.2 Terabits/sec. If you go with an open platform such as Cumulus Linux, you could even run your DDoS mitigation software on the switch and dispense with the external server.
>>>
>>> Embedded instrumentation is simple to deploy and reduces operational complexity and cost when compared to add-on probe solutions.
>>>
>>> Peter Phaal
>>> InMon Corp.
>> Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I will have to take a look at Juniper; thanks for the information. If it is free, then if an EX2200 is available, it is much easier to run sFlow and write a custom collector for it than to install a custom probe (in most common cases).
>>
>> ---
>> Best regards,
>> Denys
--- Best regards, Denys
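Peter's 1-in-10,000 sampling arithmetic and Denys's "analysis and, on events, actions" plugin idea, as an added illustration that is not code from the thread, from pmacct or from InMon: a minimal collector-side flood detector over constructed sFlow-style sample records (each sample carries the switch's sampling rate, so counts scale back to an estimated packet rate), plus a helper showing why a 10G flood yields enough samples to detect it within seconds. Record layout, addresses, window and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sFlow-style flow-sample records: (timestamp_s, sampling_rate, dst_ip, length_bytes).
# Each record is one sampled packet; the switch exported 1 in <sampling_rate> packets.
SAMPLES = (
    # 1400 samples in one second at 1:10,000 => ~14 Mpps of 64-byte packets toward one host
    [(i / 1400, 10_000, "192.0.2.10", 64) for i in range(1400)]
    # 2 samples in the same second toward another host => ~20 kpps background
    + [(0.3, 10_000, "192.0.2.20", 1400), (0.7, 10_000, "192.0.2.20", 1400)]
)


def estimate_pps(samples, t_start, t_end):
    """Estimated packets/second per destination inside [t_start, t_end).

    Every sample stands for ~sampling_rate packets, so the estimate is
    sum(sampling_rate over samples in window) / window length.
    """
    scaled = defaultdict(int)
    for ts, rate, dst, _length in samples:
        if t_start <= ts < t_end:
            scaled[dst] += rate
    window = t_end - t_start
    return {dst: total / window for dst, total in scaled.items()}


def flood_events(samples, threshold_pps=1_000_000, t_start=0.0, t_end=1.0):
    """(dst, estimated_pps) for destinations above threshold: the 'event' a collector
    plugin would hand to an action (alert, or an operator-reviewed RTBH announcement)."""
    rates = estimate_pps(samples, t_start, t_end)
    return sorted((dst, pps) for dst, pps in rates.items() if pps >= threshold_pps)


def samples_per_second(line_pps, sampling_rate):
    """Samples the collector sees per second for a flood of line_pps packets/second."""
    return line_pps / sampling_rate


def seconds_to_collect(min_samples, line_pps, sampling_rate):
    """Time to gather min_samples samples; with n samples the relative error of the
    scaled estimate is roughly 1/sqrt(n), so ~100 samples gives a usable ~10% figure."""
    return min_samples / samples_per_second(line_pps, sampling_rate)


if __name__ == "__main__":
    print(flood_events(SAMPLES))
    # 10G line rate of 64-byte frames is ~14.88 Mpps: ~1488 samples/s, 100 samples in ~0.07 s
    print(seconds_to_collect(100, 14_880_000, 10_000))
```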