nanog mailing list archives

Re: DDOS, IDS, RTBH, and Rate limiting


From: Pavel Odintsov <pavel.odintsov () gmail com>
Date: Wed, 3 Dec 2014 02:18:21 +0400

Hello, folks!

Thank you for the very useful feedback! I'm so sorry for my negative
vision of netflow :( It's a nice protocol, but I don't have equipment with
the ability to generate netflow at wire speed, and I use mirror/SPAN
instead.

I completely redesigned the attack-analyzer subsystem and it can process
sampled data now. I just added sFlow v5 support to FastNetMon and you
can try it now. In the near future I will add netflow v5 support.

With sFlow support my tool can detect attacks on 40-100GE links and
more! Thanks to the sFlow architecture!  :)

You can check new version here: https://github.com/FastVPSEestiOu/fastnetmon

Thank you!

On Sun, Nov 23, 2014 at 2:53 AM, Brian Rak <brak () gameservers com> wrote:

On 11/22/2014 11:18 AM, Denys Fedoryshchenko wrote:

On 2014-11-22 18:00, freedman () freedman net wrote:

We see a lot of Brocade for switching in hosting providers, which makes
sFlow easy, of course.

Oh, Brocade, recent experience with ServerIron taught me a new lesson: that
I can't do bonding on ports as I want, it has limitations about even/odd port
numbers, etc.
The most amazing part I just forgot, that I have this ServerIron, and it is a
place where I run DDoS protection (but it works perfectly over the "tap" way).
Thanks for reminding me about this vendor :)


I just hope you're not talking FCXs.... if you upgrade those to 8.x
firmware, you'll lose sFlow on the 10gb ports.  Once you upgrade, they send
a corrupted sFlow packet, and at *far* less than the rate that you
configure.  Even if you adjust your parser to compensate for the corrupt
packet, they're still dropping the large majority of samples, making sFlow
pretty much useless.

It's been several months since we reported this, and we're still waiting on
a fix.



-- 
Sincerely yours, Pavel Odintsov
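The failure mode Brian Rak describes in the quoted thread above (corrupted sFlow datagrams, and samples arriving at far below the configured rate) is something a collector can check for on its own. The Python below is an added example, not FastNetMon code and not from anyone in this thread: a minimal sFlow v5 header parser that rejects truncated datagrams, plus a monitor that compares the flow samples actually received per source with the number the agent's own `sample_pool` and `sampling_rate` fields imply. The field layout follows the sFlow v5 specification; the `build_*` helpers, the agent address and the 0.5 threshold are assumptions used to construct test input.

```python
import struct

FLOW_SAMPLE = 1  # sFlow v5 sample_record data_format: enterprise 0, format 1 = flow sample


def parse_sflow_v5(datagram):
    """Return header fields of each flow sample in an sFlow v5 datagram; ValueError if corrupt."""
    try:
        version, addr_type = struct.unpack_from("!II", datagram, 0)
        if version != 5:
            raise ValueError("unsupported sFlow version %d" % version)
        off = 8 + (4 if addr_type == 1 else 16)            # skip IPv4 or IPv6 agent address
        nsamples = struct.unpack_from("!I", datagram, off + 12)[0]
        off += 16                                          # sub_agent_id, sequence, uptime, nsamples
        found = []
        for _ in range(nsamples):
            fmt_code, length = struct.unpack_from("!II", datagram, off)
            if fmt_code == FLOW_SAMPLE:                    # seq, source_id, sampling_rate, sample_pool, drops
                seq, src, rate, pool, drops = struct.unpack_from("!IIIII", datagram, off + 8)
                found.append(dict(seq=seq, source_id=src, rate=rate, pool=pool, drops=drops))
            off += 8 + length                              # skip flow records and other sample types
        if off > len(datagram):
            raise ValueError("sample length overruns datagram")
    except struct.error as e:
        raise ValueError("truncated sFlow datagram") from e
    return found


class SamplingMonitor:
    """Per source_id, compare samples received with what sample_pool / sampling_rate predicts."""
    def __init__(self, min_ratio=0.5):                     # 0.5 is an assumed alerting threshold
        self.min_ratio, self.first, self.last, self.seen, self.corrupt = min_ratio, {}, {}, {}, 0

    def feed(self, datagram):
        try:
            samples = parse_sflow_v5(datagram)
        except ValueError:
            self.corrupt += 1                              # count corrupt datagrams, keep collecting
            return
        for s in samples:
            src = s["source_id"]
            self.first.setdefault(src, s)
            self.last[src] = s
            self.seen[src] = self.seen.get(src, 0) + 1

    def report(self):
        """Map source_id -> (received/expected ratio, True if the agent is under-delivering)."""
        out = {}
        for src, f in self.first.items():
            l = self.last[src]
            expected = (l["pool"] - f["pool"]) / max(l["rate"], 1) + 1   # +1 for the first sample
            ratio = self.seen[src] / expected
            out[src] = (round(ratio, 2), ratio < self.min_ratio)
        return out


def build_flow_sample(seq, src, rate, pool, drops=0):
    """Constructed test input: a flow sample header with zero flow records."""
    body = struct.pack("!IIIIIIII", seq, src, rate, pool, drops, 0, 0, 0)
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body


def build_datagram(*samples):
    """Constructed test input: a datagram from an assumed IPv4 agent 192.168.0.1."""
    hdr = struct.pack("!II4sIIII", 5, 1, b"\xc0\xa8\x00\x01", 0, 1, 1000, len(samples))
    return hdr + b"".join(samples)
```

An agent that reports a sample_pool of 20000 packets at a sampling rate of 1:1000 but delivers only two samples shows up with a ratio near 0.1, which is the symptom described for the upgraded FCX.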
