nanog mailing list archives
Re: Is current DDoS detecting method effective?
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 07 Mar 2005 23:07:27 +0100
* Jared Mauch:

> If you want some "basic" detection, I recommend doing something like this: sort by the top "proto+dstip+dstport+tcpflags" combination. The more of these you see, the more it may look weird.

You should also run a similar query for source IPs in your netblocks, particularly one restricted to 25/TCP. 8->

> Cisco publishes the netflow datagram specification, so you may be able to write an optimized netflow daemon that doesn't take up too much cpu/disk/whatnot if you discard the lower levels of the "noise".

I wouldn't optimize prematurely. I was surprised how far you can get with a simple Perl script, a slightly increased socket buffer size for the receiving UDP socket, and rotating ASCII log files.
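The two queries discussed in this exchange (rank flows by the proto+dstip+dstport+tcpflags tuple, then the same idea restricted to your own netblocks sending to 25/TCP), as an added example that is not part of the thread or of either poster's tooling. It assumes flows have already been written out by a collector into a whitespace-separated ASCII log with a hypothetical column order (srcip dstip proto srcport dstport tcpflags packets); the sample records and the netblock 192.0.2.0/24 are constructed for the demonstration.

```python
"""Rank NetFlow records by (proto, dstip, dstport, tcpflags) and by
outbound 25/TCP source inside our own netblocks.

Added example, not from the original thread. Assumes the collector already
wrote flows to an ASCII log with the hypothetical column order:
    srcip dstip proto srcport dstport tcpflags packets
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (RFC 5737 documentation addresses): eight SYNs to one
# web server from eight sources, some DNS noise, a reply flow, a legitimate MTA
# and a suspicious host both talking to 25/TCP, and one external host that must
# be ignored by the netblock-restricted query.
SAMPLE_LOG = """\
198.51.100.10 192.0.2.80 6 40001 80 S 1
198.51.100.11 192.0.2.80 6 40002 80 S 1
198.51.100.12 192.0.2.80 6 40003 80 S 1
198.51.100.13 192.0.2.80 6 40004 80 S 1
198.51.100.14 192.0.2.80 6 40005 80 S 1
198.51.100.15 192.0.2.80 6 40006 80 S 1
198.51.100.16 192.0.2.80 6 40007 80 S 1
198.51.100.17 192.0.2.80 6 40008 80 S 1
203.0.113.7 192.0.2.53 17 53211 53 - 3
203.0.113.8 192.0.2.53 17 53212 53 - 2
192.0.2.80 198.51.100.10 6 80 40001 SA 1
192.0.2.25 203.0.113.20 6 50001 25 S 12
192.0.2.25 203.0.113.21 6 50002 25 S 9
192.0.2.99 203.0.113.30 6 50100 25 S 2
192.0.2.99 203.0.113.31 6 50101 25 S 2
192.0.2.99 203.0.113.32 6 50102 25 S 2
192.0.2.99 203.0.113.33 6 50103 25 S 2
192.0.2.99 203.0.113.34 6 50104 25 S 2
203.0.113.5 192.0.2.25 6 50500 25 S 4
"""


def parse_flows(text):
    """Turn the ASCII log into a list of flow dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        src, dst, proto, sport, dport, flags, pkts = parts
        try:
            flows.append({
                "src": src, "dst": dst, "proto": int(proto),
                "sport": int(sport), "dport": int(dport),
                "flags": flags, "pkts": int(pkts),
            })
        except ValueError:
            continue
    return flows


def top_targets(flows, n=5):
    """Count flows per (proto, dstip, dstport, tcpflags) and return the n
    busiest combinations, each with its flow count and distinct-source count.
    Many flows from many sources to one port with one flag pattern is the
    'weird' shape the thread is talking about."""
    count = Counter()
    sources = defaultdict(set)
    for f in flows:
        key = (f["proto"], f["dst"], f["dport"], f["flags"])
        count[key] += 1
        sources[key].add(f["src"])
    ranked = sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(key, c, len(sources[key])) for key, c in ranked[:n]]


def outbound_smtp_sources(flows, netblocks, n=5):
    """Same idea restricted to source IPs inside our own netblocks sending to
    25/TCP, ranked by flow count. A host near the top that is not a known
    MTA deserves a look."""
    nets = [ip_network(nb) for nb in netblocks]
    count = Counter()
    for f in flows:
        if f["proto"] != 6 or f["dport"] != 25:
            continue
        if not any(ip_address(f["src"]) in net for net in nets):
            continue
        count[f["src"]] += 1
    return sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for key, c, srcs in top_targets(flows):
        print(f"{c:4d} flows / {srcs:3d} sources -> proto={key[0]} "
              f"{key[1]}:{key[2]} flags={key[3]}")
    for src, c in outbound_smtp_sources(flows, ["192.0.2.0/24"]):
        print(f"{c:4d} outbound 25/TCP flows from {src}")
```

Counting distinct sources alongside raw flow count is the cheap way to tell a flood from one busy client, and the netblock filter is what turns the second query into a spam-source check rather than a list of everyone's mail traffic.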
Current thread:
- Is current DDoS detecting method effective? Joe Shen (Mar 06)
- Re: Is current DDoS detecting method effective? Christopher L. Morrow (Mar 06)
- Re: Is current DDoS detecting method effective? Joe Shen (Mar 07)
- Re: Is current DDoS detecting method effective? Kim Onnel (Mar 07)
- Re: Is current DDoS detecting method effective? Jared Mauch (Mar 07)
- Re: Is current DDoS detecting method effective? Florian Weimer (Mar 07)
- Re: Is current DDoS detecting method effective? Florian Weimer (Mar 07)
- Re: Is current DDoS detecting method effective? Christopher L. Morrow (Mar 06)
- <Possible follow-ups>
- Re: Is current DDoS detecting method effective? Fergie (Paul Ferguson) (Mar 06)
- Re: Is current DDoS detecting method effective? Joe Shen (Mar 06)