nanog mailing list archives
Re: DDOS, IDS, RTBH, and Rate limiting
From: freedman () freedman net (Avi Freedman)
Date: Thu, 20 Nov 2014 23:45:27 -0500 (EST)
Netflow is stateful stuff, and just to run it on wirespeed, on hardware, you need to utilise significant part of TCAM,
Cisco ASRs and MXs with inline jflow can do hundreds of K flows/second without affecting packet forwarding.
i am not talking that on some hardware it is just impossible to run it. So everything about netflow are built on assumption that hosting or ISP can run it. And based on some observations, majority of small/middle hosting providers are using minimal,just BGP capable L3 switch as core, and cheapest but reliable L2/L3 on aggregation, and both are capable in best case to run sampled sFlow.
Actually, sFlow from many vendors is pretty good (per your points about flow burstiness and delays), and is good enough for dDoS detection. Not for security forensics, or billing at 99.99% accuracy, but good enough for traffic visibility, peering analytics, and (d)DoS detection. <snip>
So for a small hosting(up to 10G), i believe, FastNetMon is best solution. Faster, and no significant investments to equipment. Bigger hosting providers might reuse their existing servers, segment the network, and implement inexpensive monitoring on aggregation switches without any additional cost again.
It can be useful to have a 10G network monitoring box of course... And with the right setup you can run FastNetMon or other tools in addition to generating flow that can be of use for other purposes as well...
Ah, and there is one more huge problem with netflow vs FastNetMon - netflow just by design cannot be adapted to run pattern matching, while it is trivial to patch FastNetMon for that, turning it to mini-IDS for free.
It's true, having a network tap can be useful for doing PCAP-y stuff. But taps can be difficult or at least time consuming for people to put in at scale. Even, we've seen, for folks with 10G networks. Often because they can get 90% of what they need for 4 different business purposes from just flow :)
Best regards, Denys
Avi Freedman | Your flow has something to show you; can you see it? | CEO, CloudHelix | (avi at cloudhelix dot com) | my name one word on skype |
Current thread:
- Re: DDOS, IDS, RTBH, and Rate limiting, (continued)
- Re: DDOS, IDS, RTBH, and Rate limiting Robert Duffy (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Tim Jackson (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Robert Duffy (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Paul S. (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 20)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Peter Phaal (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Tim Jackson (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 21)
- Re: DDOS, IDS, RTBH, and Rate limiting Denys Fedoryshchenko (Nov 22)
- Re: DDOS, IDS, RTBH, and Rate limiting Brian Rak (Nov 22)