Re: DDOS, IDS, RTBH, and Rate limiting

[Tim Jackson <jackson.tim () gmail com>]

pmacct includes sfacctd which is an sflow collector.. Accessible via
the same methods as it's nfacctd collector or pcap based collector..

--
Tim

On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko <denys () visp net lb> wrote:
> On 2014-11-21 18:41, Peter Phaal wrote:
> > > > Actually, sFlow from many vendors is pretty good (per your points about
> > > > flow
> > > > burstiness and delays), and is good enough for dDoS detection.  Not for
> > > > security forensics, or billing at 99.99% accuracy, but good enough for
> > > > traffic visibility, peering analytics, and (d)DoS detection.
> > >
> > >
> > > Well, if it is available, except hardware limitations, there is second
> > > obstacle,
> > > software licensing cost. On latest JunOS, for example on EX2200, you need
> > > to purchase license (EFL), and if am not wrong it is $3000 for 48port
> > > units.
> > > So if only sFlow feature is on stake, it worth to think, to purchase
> > > license,
> > > or to purchase server.
> >
> >
> > Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):
> >
> >
> > http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf
> >
> > I am not aware of any vendor requiring an additional license to enable
> > sFlow.
> >
> > sFlow (packet sampling) works extremely well for the DDoS flood
> > detection / mitigation use case. The measurements are build into low
> > cost commodity switch hardware and can be enabled operationally
> > without adversely impacting switch performance.  A flood attack
> > generates high packet rates and sampling a 10G port at 1-in-10,000
> > will reliably detect flood attacks within seconds.
> >
> > For most use cases, it is much less expensive to use switches to
> > perform measurement than to attach taps / mirror port probes. If your
> > switches don't already support sFlow, you can buy a 10G capable white
> > box switch for a few thousand dollars that will let you monitor 1.2
> > Terabits/sec. If you go with an open platform such as Cumulus Linux,
> > you could even run your DDoS mitigation software on the switch and
> > dispense with the external server. Embedded instrumentation is simple
> > to deploy and reduces operational complexity and cost when compared to
> > add on probe solutions.
> >
> > Peter Phaal
> > InMon Corp.
>
> Wow, that's great news then, i'm using mostly Cisco gear now, but seems will
> have to take a look to Juniper, thanks for information.
> If it is free, then if EX2200 available, it is much easier to run sFlow and
> write custom collector for it, than installing custom probe(in most common
> cases).
>
> ---
> Best regards,
> Denys