Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Is current DDoS detecting method effective?

  • From: Christopher L. Morrow
  • Date: Mon Mar 07 01:14:57 2005


On Mon, 7 Mar 2005, Joe Shen wrote:
>
>    To my experience, network attack is continuous. I
> do a experiment in our network, I put a Win2003 server
> on access layer. After 24 hours, the software firewall
> on it recorded about 10,0000 scan&attack attemps.
> Arbor says its product build up traffic model before
> identify DoS, while DoS may have been on its peak
> point when Arbor's box is building up its traffic
> model!!
>

you aren't distinguishing between 'dos attack' and 'scan' or 'probe' or
'welcome to the Internet!' traffic. The Arbor systems may see 'scan'
traffic (depending upon sample rates and traffic loads) and they may
not... They aren't designed to see that, they are designed to: (speaking
of peakflow SP, peakflow Traffic, peakflow DoS only... peakflow X isn't
really a 'provider' solution as much as a 'enterprise' tool)

1) to watch traffic and alarm against thresholds
2) track traffic trends over time
3) report traffic trends over time

(possibly some other things out of scope of this discussion... someone
from Arbor could/should clarify)

Some of your cflowd gathering should also see these things, but they will
need data correlation, something Arbor already went to the trouble of
doing for you... So, define: "attack" and then see if your tool fits that
definition.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.