Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: Is current DDoS detecting method effective?

  • From: Florian Weimer
  • Date: Mon Mar 07 17:08:45 2005

* Jared Mauch:

> 	If you want some "basic" detection, I recommend doing something
> like this:
>
> 	sort by the top "proto+dstip+dstport+tcpflags"
> combination.  The more of these you see, the more it may
> look weird.

You should also run a similar query for source IPs in your netblocks,
particularly one restricted to 25/TCP. 8->

> 	Cisco publishes the netflow datagram specification, so
> you may be able to write an optimized netflow daemon that doesn't
> take up too much cpu/disk/whatnot if you discard the lower
> levels of the "noise".

I wouldn't optimize prematurely.  I was surprised how far you can get
with a simple Perl script, a slightly increased socket buffer size for
the receiving UDP socket, and rotating ASCII log files.
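Both queries from the thread, as an added example that is not from either poster: a NetFlow v5 decoder following Cisco's published layout (24-byte header, then 48-byte records), Jared's proto+dstip+dstport+tcpflags ranking, and Florian's ranking of own-netblock sources sending to 25/TCP. Written in Python rather than Perl; the datagram, the addresses and the netblock 192.0.2.0/24 are constructed for the example.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

# NetFlow v5 wire layout: 24-byte header, then `count` 48-byte flow records.
HDR = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, bytes, first, last,
                                                  # sport, dport, pad, tcp_flags, proto, tos, ASNs, masks, pad

def parse_v5(datagram):
    """Return (src, dst, dstport, proto, tcp_flags) for every record in one v5 datagram."""
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    out = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        out.append((str(ip_address(f[0])), str(ip_address(f[1])), f[10], f[13], f[12]))
    return out

def top_dst_tuples(flows, n=3):
    """Jared's query: rank proto+dstip+dstport+tcpflags by flow count; an outsized count is the 'weird' signal."""
    return Counter((proto, dst, dport, flags) for _, dst, dport, proto, flags in flows).most_common(n)

def smtp_sources_in_netblocks(flows, netblocks):
    """Florian's query: sources inside our own netblocks with flows to 25/TCP, ranked by flow count."""
    nets = [ip_network(b) for b in netblocks]
    return Counter(src for src, _, dport, proto, _ in flows
                   if proto == 6 and dport == 25
                   and any(ip_address(src) in net for net in nets)).most_common()

def build_v5(records):
    """Constructed datagram for testing (not captured traffic); records are (src, dst, dport, proto, flags)."""
    body = b"".join(REC.pack(ip_address(s).packed, ip_address(d).packed, b"\0" * 4,
                             1, 2, 1, 40, 0, 0, 40000, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, dp, pr, fl in records)
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample (30 records, the v5 per-datagram maximum): 20 SYN-only flows to one
# web server, two ordinary flows, and one host in our assumed /24 opening many SMTP connections.
SAMPLE = build_v5(
    [("203.0.113.%d" % i, "198.51.100.7", 80, 6, 0x02) for i in range(1, 21)]
    + [("192.0.2.5", "198.51.100.9", 443, 6, 0x18), ("192.0.2.6", "198.51.100.9", 53, 17, 0)]
    + [("192.0.2.10", "203.0.113.%d" % i, 25, 6, 0x02) for i in range(30, 38)])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE)
    for key, count in top_dst_tuples(flows):
        print("%5d  proto=%d dst=%s:%d flags=0x%02x" % (count, *key))
    print(smtp_sources_in_netblocks(flows, ["192.0.2.0/24"]))
```

In a live collector the same functions would run over datagrams read from the UDP socket and the counters would be reset per log-rotation interval.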
