Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Is current DDoS detecting method effective?

  • From: Florian Weimer
  • Date: Mon Mar 07 17:04:38 2005

* Kim Onnel:

> So I can safely say that Detecting DDoS attacks is mostly done using
> Netflow data, now the only tool(known) on the market to analyze for
> attacks is Arbor, now besides being expensive, which is a problem for
> Mid-sizes ISPs,

Who qualifies as a mid-sized ISP?  What equipment is typical?

Even the most simple approach, based on sampled Netflow, an
off-the-shelf SQL database (PostgreSQL preferred) and a couple of Perl
scripts can work wonders.  You won't get reliable automated alerts,
but you can run ad-hoc queries to find out what's going on on your
network when something or somebody else has detected a problem.  The
people already doing this probably consider this trivial, so it's not
well documented.  I tried to write something down, but never found the
time to really polish it:

  <http://cert.uni-stuttgart.de/projects/flows/>

DoS detection can be quite hard, especially if you have many
compromised Windows boxes and you can't force the owners to clean them
(because it's too expensive to contact them, for example).  This
results in a lot of background noise and useless flow data, too.  If
there's little background noise, you can use rather straightforward
SQL query that you run periodically.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.