Re: [Cflowd] Tracking DoS Attacks

From: Peter Cooper
Date: Thu Feb 06 2003 - 00:20:14 PST



    > It is my intention to use netflow and cflowd to try to
    > track DoS attacks.
    > It makes sense to me that there must be some functionality
    > out there to examine the flows and traffic and if a certain IP
    > is receiving a large amount of traffic/flows (which perhaps the
    > operator can specify a threshold) that the system could let you
    > know.
    > Does anyone know how and if this is possible?

    Martin van den Nieuwelaar actually implemented
    this for a global telecomms carrier a few years ago. I used the software
    and can confirm it was very useful.

    The general architecture was a set of sensors (NetFlow-enabled routers),
    some collectors (small Linux boxes from memory) which were geographically
    distributed and which summarised the NetFlow data and made it available
    to a central database on a regular basis. He had added a near-real-time
    (every 5 minutes?) "high connection rate to destination" reporting which
    was correlated centrally and reported via a web interface. Fairly nifty.

    I'm sure his company is offering something significantly more sophisticated



    Cflowd mailing list
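The collector/central-correlation design described in the reply above, as an added Python example that is not code from the original post or from the product it describes. The flow record layout, addresses, timestamps and the threshold value are constructed assumptions; it shows why the central merge matters, since each collector's own view of a destination can stay under the threshold while the combined count crosses it.

```python
# Added example, not code from the post or the product it describes. Collectors
# summarise NetFlow records per 5-minute window and destination; the central site
# merges the summaries and reports destinations at or over an operator threshold.
# Record layout, addresses, times and the threshold are constructed assumptions.
from collections import defaultdict

WINDOW_SECONDS = 300      # the post's "every 5 minutes" reporting period
FLOWS_PER_WINDOW = 5      # assumed operator-set threshold (tiny, for the demo)
T0 = 1044521400           # constructed, window-aligned start time (Feb 2003)

# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port, proto)
COLLECTOR_A = [
    (T0 + 10, "10.0.0.1", "192.0.2.10", 80, 6),
    (T0 + 20, "10.0.0.2", "192.0.2.10", 80, 6),
    (T0 + 30, "10.0.0.3", "192.0.2.10", 80, 6),
    (T0 + 40, "10.0.1.1", "192.0.2.20", 443, 6),   # ordinary traffic
]
COLLECTOR_B = [
    (T0 + 15, "10.0.2.1", "192.0.2.10", 80, 6),
    (T0 + 25, "10.0.2.2", "192.0.2.10", 80, 6),
    (T0 + 35, "10.0.2.3", "192.0.2.10", 80, 6),
    (T0 + 310, "10.0.2.4", "192.0.2.10", 80, 6),   # lands in the next window
]

def summarise(flows, window=WINDOW_SECONDS):
    """Collector step: per (window start, dst_ip), count flows and distinct sources."""
    summary = defaultdict(lambda: {"flows": 0, "sources": set()})
    for ts, src, dst, _dport, _proto in flows:
        entry = summary[(ts - ts % window, dst)]
        entry["flows"] += 1
        entry["sources"].add(src)
    return summary

def correlate(summaries):
    """Central step: merge per-collector summaries keyed on the same window and dst."""
    merged = defaultdict(lambda: {"flows": 0, "sources": set()})
    for summary in summaries:
        for key, entry in summary.items():
            merged[key]["flows"] += entry["flows"]
            merged[key]["sources"] |= entry["sources"]
    return merged

def alerts(summary, threshold=FLOWS_PER_WINDOW):
    """(window start, dst_ip, flows, distinct sources) for each dst at/over threshold."""
    return sorted((win, dst, e["flows"], len(e["sources"]))
                  for (win, dst), e in summary.items() if e["flows"] >= threshold)

def run_demo():
    """Each collector alone stays under threshold; the correlated view does not."""
    return alerts(correlate([summarise(COLLECTOR_A), summarise(COLLECTOR_B)]))
```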

    This archive was generated by hypermail 2.1.4 : Thu Feb 06 2003 - 00:26:18 PST