Re: DDOS, IDS, RTBH, and Rate limiting

["Paul S." <contact () winterei se>]

WANguard from andrisoft has worked well on this for us.

It supports flow telemetry and mirrored ports both (We use flows 
strictly), and does what it says it does.

No complaints.

On 11/21/2014 午後 12:00, Robert Duffy wrote:
> I've been using NTOP for couple of years.  I'm mostly looking for something
> that can quickly detect DDoS attacks in a datacenter environment.  Thanks
> for the suggestions.  I"ll check them out.
>
> On Thu, Nov 20, 2014 at 6:50 PM, Tim Jackson <jackson.tim () gmail com> wrote:
>
> > I highly recommend pmacct and it's in-memory tables. Lightweight, easy to
> > query and super fast.
> >
> > You can also easily run multiple aggregates of traffic to find what you are
> > interested in, tag common interface types to easily filter traffic..
> >
> > Or you can use pmacct to insert this into whatever database you want, AMQP
> > or MongoDB..
> >
> > My current favorite is using an IMT table for DoS detection and another for
> > aggregates for interesting traffic types and querying this every X minutes
> > and inserting it into ElasticSearch. Kibana makes the most powerful netflow
> > dashboard ever.
> >
> > --
> > Tim
> > On Nov 20, 2014 6:39 PM, "Roland Dobbins" <rdobbins () arbor net> wrote:
> >
> > > On 21 Nov 2014, at 9:19, Robert Duffy wrote:
> > >
> > >   What open-source NetFlow analysis tools would you recommend for quickly
> > > > detecting a DDoS attack?
> > > I generally recommend that folks get started with something like
> > > nfdump/nfsen or ntop.  There are other, more sophisticated tools out
> > there,
> > > but these allow one to get up and running quickly, and to gain valuable
> > > operational experience with which to evaluate more sophisticated tools,
> > if
> > > they're needed.
> > >
> > > -----------------------------------
> > > Roland Dobbins <rdobbins () arbor net>