Re: [Cflowd] Tracking DoS Attacks

From: Peter Cooper (comrade@obverse.com.au)
Date: Thu Feb 06 2003 - 00:20:14 PST


    Hi

    > It is my intention to use netflow and cflowd to try to
    > track DoS attacks.
    >
    > It makes sense to me that there must be some functionality
    > out there to examine the flows and traffic and if a certain IP
    > is receiving a large amount of traffic/flows (which perhaps the
    > operator can specify a threshold) that the system could let you
    > know.
    >
    > Does anyone know how and if this is possible?

    Martin van den Nieuwelaar <martin@gadgets.co.nz> actually implemented
    this for a global telecomms carrier a few years ago. I used the software
    and can confirm it was very useful.

    The general architecture was a set of sensors (NetFlow-enabled routers),
    some collectors (small Linux boxes from memory) which were geographically
    distributed and which summarised the NetFlow data and made it available
    to a central database on a regular basis. He had added a near-real-time
    (every 5 minutes?) "high connection rate to destination" reporting which
    was correlated centrally and reported via a web interface. Fairly nifty.

    I'm sure his company is offering something significantly more sophisticated
    now.

    Regards

    Peter
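The collector/central split and the per-window "high connection rate to destination" check described above, as an added example that is not part of the original post and not Martin van den Nieuwelaar's software. It assumes the collector has already reduced NetFlow exports to one comma-separated record per flow (epoch seconds, source, destination, protocol, packets, bytes; a constructed format, not cflowd's), buckets them into 5-minute windows per destination, and lets the operator set the flow threshold and a minimum number of distinct sources so that a single busy client does not trip the report.

```python
from collections import defaultdict

WINDOW_SECONDS = 300  # the "every 5 minutes?" reporting interval from the post


def parse_flow(line):
    """Parse one constructed flow-summary record (not a real NetFlow v5/v8 export)."""
    ts, src, dst, proto, pkts, byts = line.strip().split(",")
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": int(proto), "packets": int(pkts), "bytes": int(byts)}


def summarise(flows, window=WINDOW_SECONDS):
    """Collector side: aggregate flows per (window_start, destination).

    Keeps flow count, distinct sources and byte total, which is all the
    central correlation needs, so only this small table travels to the database.
    """
    buckets = defaultdict(lambda: {"flows": 0, "sources": set(), "bytes": 0})
    for f in flows:
        window_start = f["ts"] - f["ts"] % window
        b = buckets[(window_start, f["dst"])]
        b["flows"] += 1
        b["sources"].add(f["src"])
        b["bytes"] += f["bytes"]
    return buckets


def find_hot_destinations(buckets, flow_threshold, min_sources=1):
    """Central side: report destinations whose flow count in a window meets the
    operator's threshold and is spread over at least min_sources sources."""
    alerts = []
    for (window_start, dst), b in sorted(buckets.items()):
        if b["flows"] >= flow_threshold and len(b["sources"]) >= min_sources:
            alerts.append({"window_start": window_start, "dst": dst,
                           "flows": b["flows"], "sources": len(b["sources"]),
                           "bytes": b["bytes"]})
    return alerts


def constructed_flows():
    """Constructed sample records (hypothetical traffic, not captured data)."""
    base = 1044499800  # a 5-minute window boundary (multiple of 300)
    flows = []
    # Benign background: 5 flows to 192.0.2.20 from one client.
    for i in range(5):
        flows.append(f"{base + i * 30},10.0.0.1,192.0.2.20,6,10,800")
    # Flood-like pattern: 40 small flows to 192.0.2.10 from 20 sources in one window.
    for i in range(40):
        flows.append(f"{base + i * 5},198.51.100.{i % 20 + 1},192.0.2.10,17,1,64")
    # Next window: traffic to 192.0.2.10 back to a normal level.
    for i in range(3):
        flows.append(f"{base + 300 + i * 60},10.0.0.2,192.0.2.10,6,8,600")
    return flows


def run_report(flow_threshold=30, min_sources=2):
    """End-to-end: summarise the constructed records and return the alerts."""
    records = (parse_flow(line) for line in constructed_flows())
    return find_hot_destinations(summarise(records), flow_threshold, min_sources)


if __name__ == "__main__":
    for a in run_report():
        print(f"window {a['window_start']}: {a['dst']} received {a['flows']} flows "
              f"from {a['sources']} sources ({a['bytes']} bytes)")
```

With the constructed input, only 192.0.2.10 in the first window is reported; the five flows to 192.0.2.20 stay under the threshold and, coming from one source, would also fail the minimum-sources rule even at a lower threshold. Flow count and source spread are deliberately reported side by side, because a high flow count from one source usually points at a scanner or a misbehaving client rather than a distributed flood.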

    _______________________________________________
    Cflowd mailing list
    Cflowd@caida.org
    http://login.caida.org/mailman/listinfo/cflowd



    This archive was generated by hypermail 2.1.4 : Thu Feb 06 2003 - 00:26:18 PST