Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

[Jared Mauch <jared () puck nether net>]

> On Sep 26, 2016, at 7:58 PM, Christopher Morrow <morrowc.lists () gmail com> wrote:
>
> On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka () isc org> wrote:
>
> > Giving them real time access to the anomalous traffic log feed for
> > their residence would also help.  They or the specialist they bring
> > in will be able to use that to trace back the problem.
> wouldn't this work better as a standard bit of CPE software capability?
> wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE
> and kept for ~30mins (just guessing) in a circular buffer be 'good enough'
> to present a pretty clear UI to the user?
>
> ip/mac/vendor sending (webtraffic|email|probes) to destination-name
> [checkbox]
> <repeat>
>
>
> select those youd' like to block [clickhere]
>
> This really doesn't seem hard, to present in a fairly straight forward
> manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something
> similar to this approach... but on the other hand:
>  "At least my ISP isn't snooping on all my traffic"

The UBNT Edgerouter series has this.  You can get fancy graphs and application
breakdown.

Scroll down and check the images:

https://help.ubnt.com/hc/en-us/articles/204951104-EdgeMAX-Deep-Packet-Inspection-Engine-for-EdgeRouter

You can see the hosts that are doing traffic and the destinations.

They even have a model that takes a SFP so you can use it as CPE for FTTH.

- Jared