Re: [Cflowd] Tracking DoS Attacks

From: Martin van den Nieuwelaar (martin@gadgets.co.nz)
Date: Tue Mar 04 2003 - 00:50:28 PST


    Hi Holt,

    >>It is my intention to use netflow and cflowd to try to
    >>track DoS attacks.
    >>
    >>It makes sense to me that there must be some functionality
    >>out there to examine the flows and traffic and if a certain IP
    >>is receiving a large amount of traffic/flows (which perhaps the
    >>operator can specify a threshold) that the system could let you
    >>know.
    >>
    >>Does anyone know how and if this is possible?

    Indeed, as Peter mentions it is possible. What I created was something
    that would detect DDoS attacks. If you are happy with just DoS
    detection you could use a single collector and process the output from
    that in some meaningful way.

    Regards,

    -Martin

    > Martin van den Nieuwelaar <martin@gadgets.co.nz> actually implemented
    > this for a global telecomms carrier a few years ago. I used the software
    > and can confirm it was very useful.
    >
    > The general architecture was a set of sensors (NetFlow-enabled routers),
    > some collectors (small Linux boxes from memory) which were geographically
    > distributed and which summarised the NetFlow data and made it available
    > to a central database on a regular basis. He had added a near-real-time
    > (every 5 minutes?) "high connection rate to destination" reporting which
    > was correlated centrally and reported via a web interface. Fairly nifty.
    >
    > I'm sure his company is offering something significantly more sophisticated
    > now.
    >
    > Regards
    >
    > Peter
    >
    > _______________________________________________
    > Cflowd mailing list
    > Cflowd@caida.org
    > http://login.caida.org/mailman/listinfo/cflowd
    >

    -- 
    Martin van den Nieuwelaar
    Expert traffic measurement and visualisation
    www.networkintelligence.biz
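
The collector and central-correlation arrangement described in this thread, sketched as an added example that is not part of the original messages and is not cflowd code: each collector summarises flows per destination per 5-minute window, and a central step merges the summaries and reports destinations over an operator-set threshold. The flow record layout, collector names, addresses and threshold are assumptions constructed for the example.

```python
from collections import defaultdict

WINDOW = 300  # seconds; the 5-minute reporting interval mentioned in the thread

def summarise(flows):
    """Collector side: reduce raw flow records to per-(window, dst) counts.

    Each flow is (unix_time, src_ip, dst_ip). This layout is an assumption
    made for the example, not cflowd's own output format.
    """
    summary = defaultdict(lambda: {"flows": 0, "sources": set()})
    for ts, src, dst in flows:
        key = (ts - ts % WINDOW, dst)
        summary[key]["flows"] += 1
        summary[key]["sources"].add(src)
    return summary

def correlate(summaries, threshold):
    """Central side: merge collector summaries and report busy destinations."""
    merged = defaultdict(
        lambda: {"flows": 0, "sources": set(), "collectors": set()})
    for name, summary in summaries.items():
        for key, s in summary.items():
            m = merged[key]
            m["flows"] += s["flows"]
            m["sources"] |= s["sources"]
            m["collectors"].add(name)
    # One alert per (window, destination) whose combined flow count is too high.
    return [(window, dst, m["flows"], len(m["sources"]), sorted(m["collectors"]))
            for (window, dst), m in sorted(merged.items())
            if m["flows"] >= threshold]

def sample_flows(base, prefix, count, dst):
    """Constructed sample data: `count` flows from distinct sources to one dst."""
    return [(base + i, f"{prefix}.{i % 250 + 1}", dst) for i in range(count)]

BASE = 1046764800      # constructed timestamp on a 5-minute boundary
VICTIM = "192.0.2.10"  # documentation address (RFC 5737), constructed
COLLECTORS = {         # hypothetical collector names
    "akl": summarise(sample_flows(BASE, "198.51.100", 60, VICTIM)
                     + sample_flows(BASE, "198.51.100", 5, "192.0.2.20")),
    "lon": summarise(sample_flows(BASE, "203.0.113", 70, VICTIM)),
}

if __name__ == "__main__":
    for alert in correlate(COLLECTORS, threshold=100):
        print(alert)
```

With the sample data neither collector reaches the threshold alone; only the merged view reports the destination, which is the distinction between single-collector DoS detection and distributed detection drawn in the message.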
    




    This archive was generated by hypermail 2.1.4 : Tue Mar 04 2003 - 01:21:05 PST