North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Is current DDoS detecting method effective?
- From: Florian Weimer
- Date: Mon Mar 07 17:08:45 2005
* Jared Mauch:
> If you want some "basic" detection, I recommend doing something
> like this:
> sort by the top "proto+dstip+dstport+tcpflags"
> combination. The more of these you see, the more it may
> look weird.
You should also run a similar query for source IPs in your netblocks,
particularly one restricted to 25/TCP. 8->
> Cisco publishes the netflow datagram specification, so
> you may be able to write an optimized netflow daemon that doesn't
> take up too much cpu/disk/whatnot if you discard the lower
> levels of the "noise".
I wouldn't optimize prematurely. I was surprised how far you can get
with simple Perl script, a slightly increased socket buffer size for
the receiving UDP socket, and rotating ASCII log files.