From: Peter Cooper (comrade@obverse.com.au)
Date: Thu Feb 06 2003 - 00:20:14 PST
Hi
> It is my intention to use netflow and cflowd to try to
> track DoS attacks.
>
> It makes sense to me that there must be some functionality
> out there to examine the flows and traffic and if a certain IP
> is receiving a large amount of traffic/flows (which perhaps the
> operator can specify a threshold) that the system could let you
> know.
>
> Does anyone know how and if this is possible?
Martin van den Nieuwelaar <martin@gadgets.co.nz> actually implemented
this for a global telecomms carrier a few years ago. I used the software
and can confirm it was very useful.
The general architecture was a set of sensors (NetFlow-enabled routers),
some collectors (small Linux boxes from memory) which were geographically
distributed and which summarised the NetFlow data and made it available
to a central database on a regular basis. He had added a near-real-time
(every 5 minutes?) "high connection rate to destination" reporting which
was correlated centrally and reported via a web interface. Fairly nifty.
I'm sure his company is offering something significantly more sophisticated
now.
Regards
Peter
_______________________________________________
Cflowd mailing list
Cflowd@caida.org
http://login.caida.org/mailman/listinfo/cflowd
This archive was generated by hypermail 2.1.4 : Thu Feb 06 2003 - 00:26:18 PST
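The threshold alerting the original poster asks for, and the collector/central split Peter describes, can be sketched in a few dozen lines. The following is an added example, not code from this thread, from cflowd, or from Martin van den Nieuwelaar's system: the flow-record layout, the 5-minute window, the thresholds and every address in the sample are constructed here (RFC 5737 documentation ranges), and real NetFlow exports carry many more fields than the seven used.

```python
"""Threshold-based "high flow rate to destination" detector over
NetFlow-style records, in two steps mirroring the architecture in the
thread: a collector step that summarises per (window, destination), and a
central step that compares the summaries to operator thresholds.
Added example; field layout, thresholds and sample records are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW_SECONDS = 300  # 5-minute reporting interval, as mentioned in the thread


@dataclass(frozen=True)
class Flow:
    start: int      # flow start time, epoch seconds (constructed layout)
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    octets: int


def parse_flows(text):
    """Parse whitespace-separated records; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, dst, proto, dport, pkts, octets = line.split()
        flows.append(Flow(int(start), src, dst, int(proto), int(dport),
                          int(pkts), int(octets)))
    return flows


@dataclass
class DstStats:
    flows: int = 0
    packets: int = 0
    octets: int = 0
    sources: set = field(default_factory=set)  # distinct sources seen


def summarise(flows):
    """Collector step: counters keyed by (window start, destination IP)."""
    stats = defaultdict(DstStats)
    for f in flows:
        window = f.start - f.start % WINDOW_SECONDS
        s = stats[(window, f.dst)]
        s.flows += 1
        s.packets += f.packets
        s.octets += f.octets
        s.sources.add(f.src)
    return stats


def detect(stats, max_flows, max_octets):
    """Central step: emit one alert per (window, dst) over any threshold."""
    alerts = []
    for (window, dst), s in sorted(stats.items()):
        reasons = []
        if s.flows > max_flows:
            reasons.append(f"flows={s.flows}>{max_flows}")
        if s.octets > max_octets:
            reasons.append(f"octets={s.octets}>{max_octets}")
        if reasons:
            alerts.append({"window": window, "dst": dst, "flows": s.flows,
                           "sources": len(s.sources), "octets": s.octets,
                           "reasons": reasons})
    return alerts


def constructed_sample():
    """Constructed records: a little ordinary web traffic to 203.0.113.20 and
    a burst of 40 tiny flows from 40 distinct sources to 203.0.113.10, all
    inside the window starting at 1044499800 (divisible by 300)."""
    lines = ["# start src dst proto dport packets octets (constructed)",
             "1044499810 198.51.100.5 203.0.113.20 6 80 40 52000",
             "1044499920 198.51.100.6 203.0.113.20 6 80 35 48100",
             "1044500130 198.51.100.5 203.0.113.20 6 443 12 9000"]
    for i in range(40):
        lines.append(f"{1044500000 + i} 192.0.2.{i + 1} 203.0.113.10 6 80 3 120")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarise(parse_flows(constructed_sample()))
    for alert in detect(stats, max_flows=25, max_octets=1_000_000):
        print(alert)
```

The alert carries the distinct-source count alongside the flow count on purpose: a busy legitimate server tends to show a high byte volume from a modest number of sources, whereas the constructed burst shows many short flows from many sources and almost no bytes, so an operator tuning thresholds wants both numbers in front of them rather than a single "traffic" figure.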