nanog mailing list archives

Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours


From: Jared Mauch <jared () puck Nether net>
Date: Tue, 21 Jul 2015 09:36:03 -0400

On Tue, Jul 21, 2015 at 08:07:34AM -0500, Rafael Possamai wrote:
> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
> 
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.

        We profile the protocols on our network so we understand what the levels
of UDP, ICMP, IPv6, etc. are.  It's easy to pick out spikes in the graphs
that are related to attacks.  Setting thresholds related to this to minimize
impact for customers is important as it eliminates the garbage that
networks carry and reduces the impact to sites that are under attack.

        - Jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
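As an added example, not part of the thread or of any poster's tooling: a Shewhart-style control-chart check over constructed per-protocol rate samples, the profile-then-threshold logic Rafael's "real-time SQC" suggestion and Jared's per-protocol profiling both describe. The protocol names, the sample values, the 5-minute interval and the `detect_spikes` function are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample, not real traffic: (interval, protocol, Gbps) as a
# hypothetical collector might export them every 5 minutes. UDP sits near
# 2 Gbps for 8 intervals and then jumps to 24-30 Gbps, the shape of the flood
# discussed in the thread; ICMP and TCP stay flat.
SAMPLES = (
    [(i, "udp", v) for i, v in enumerate(
        [1.8, 2.1, 1.9, 2.2, 2.0, 1.7, 2.3, 2.0, 24.0, 29.5])]
    + [(i, "icmp", v) for i, v in enumerate(
        [0.10, 0.12, 0.11, 0.09, 0.10, 0.13, 0.11, 0.10, 0.12, 0.11])]
    + [(i, "tcp", v) for i, v in enumerate(
        [40.0, 42.5, 39.1, 41.0, 43.2, 40.8, 38.9, 41.7, 42.0, 40.3])]
)


def baselines(samples, window):
    """Per-protocol (mean, population stddev) over the first `window` intervals.

    This is the profiling step: what do UDP, ICMP and TCP normally look like?
    """
    by_proto = {}
    for interval, proto, rate in samples:
        if interval < window:
            by_proto.setdefault(proto, []).append(rate)
    return {p: (mean(v), pstdev(v)) for p, v in by_proto.items()}


def detect_spikes(samples, window=8, k=3.0, min_excess=0.5):
    """Flag (interval, proto, rate, limit) where rate > mean + k*stddev.

    `min_excess` (Gbps) is an absolute floor on the allowed excess so a
    near-constant protocol with a tiny stddev does not alarm on noise.
    A protocol absent from the profile window gets a zero baseline, so any
    rate above `min_excess` is reported as new, unprofiled traffic.
    """
    profile = baselines(samples, window)
    alarms = []
    for interval, proto, rate in samples:
        if interval < window:
            continue
        mu, sigma = profile.get(proto, (0.0, 0.0))
        limit = mu + max(k * sigma, min_excess)
        if rate > limit:
            alarms.append((interval, proto, rate, round(limit, 3)))
    return alarms


if __name__ == "__main__":
    for alarm in detect_spikes(SAMPLES):
        print("spike: interval=%d proto=%s rate=%.1f Gbps limit=%.3f" % alarm)
```

On the constructed data only the two UDP intervals trip the limit (about 2.56 Gbps); the flat ICMP and TCP series stay under their thresholds, which is the point of profiling per protocol rather than on total bits.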

