Re: [Cflowd] Tracking DoS Attacks

From: Martin van den Nieuwelaar (
Date: Tue Mar 04 2003 - 00:50:28 PST


    Hi Holt,

    >>It is my intention to use netflow and cflowd to try to
    >>track DoS attacks.
    >>It makes sense to me that there must be some functionality
    >>out there to examine the flows and traffic and if a certain IP
    >>is receiving a large amount of traffic/flows (which perhaps the
    >>operator can specify a threshold) that the system could let you
    >>Does anyone know how and if this is possible?

    Indeed, as Peter mentions it is possible. What I created was something
    that would detect DDoS attacks. If you are happy with just DoS
    detection you could use a single collector and process the output from
    that in some meaningful way.

    > Martin van den Nieuwelaar <> actually implemented
    > this for a global telecomms carrier a few years ago. I used the software
    > and can confirm it was very useful.
    > The general architecture was a set of sensors (NetFlow-enabled routers),
    > some collectors (small Linux boxes from memory) which were geographically
    > distributed and which summarised the NetFlow data and made it available
    > to a central database on a regular basis. He had added a near-real-time
    > (every 5 minutes?) "high connection rate to destination" reporting which
    > was correlated centrally and reported via a web interface. Fairly nifty.
    > I'm sure his company is offering something significantly more sophisticated
    > now.
    > Regards
    > Peter

    Martin van den Nieuwelaar
    Expert traffic measurement and visualisation
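The architecture Peter describes (collectors summarise NetFlow per destination on a fixed interval, a central stage merges the summaries and reports destinations with a high connection rate) can be sketched in a few dozen lines. The example below is added here for illustration; it is not Martin's software, not part of cflowd, and uses constructed flow records rather than real NetFlow exports. The window length, the flow threshold and the distinct-source count used to label an alert as distributed are all hypothetical operator settings. It also shows Martin's point that a single collector already suffices for plain DoS detection, while a flood spread across several collectors only crosses the threshold once the summaries are correlated centrally.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 300          # reporting interval; Peter recalls "every 5 minutes?"
FLOW_THRESHOLD = 50           # hypothetical operator-chosen flows-per-destination-per-window limit
DISTRIBUTED_SOURCES = 10      # hypothetical: this many distinct sources -> label as distributed


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record; only the fields the detector needs."""
    ts: int      # flow start time, seconds
    src: str
    dst: str
    dport: int


def summarise(flows, window=WINDOW_SECONDS):
    """Collector side: reduce raw flows to per-(window, destination) counts.

    Only this summary, not the raw flows, travels to the central database,
    which keeps the transfer small regardless of how many collectors exist.
    """
    summary = defaultdict(lambda: {"flows": 0, "sources": set()})
    for f in flows:
        entry = summary[(f.ts // window, f.dst)]
        entry["flows"] += 1
        entry["sources"].add(f.src)
    return dict(summary)


def correlate(summaries):
    """Central side: merge the summaries of several collectors."""
    merged = defaultdict(lambda: {"flows": 0, "sources": set()})
    for summary in summaries:
        for key, entry in summary.items():
            merged[key]["flows"] += entry["flows"]
            merged[key]["sources"] |= entry["sources"]
    return dict(merged)


def report(merged, flow_threshold=FLOW_THRESHOLD,
           distributed_sources=DISTRIBUTED_SOURCES):
    """Destinations whose flow count in a window reached the threshold.

    Returns (window, dst, flows, distinct_sources, kind) tuples, where kind
    separates a single-source flood from a distributed one.
    """
    alerts = []
    for (window, dst), entry in sorted(merged.items()):
        if entry["flows"] >= flow_threshold:
            n_src = len(entry["sources"])
            kind = "distributed" if n_src >= distributed_sources else "single-source"
            alerts.append((window, dst, entry["flows"], n_src, kind))
    return alerts


# --- constructed sample data (not real NetFlow exports) --------------------

def _flood(dst, sources, per_source, t0):
    """per_source flows from every source address to dst, all inside window 0."""
    return [Flow(t0 + i * 3 + j, src, dst, 80)
            for i, src in enumerate(sources) for j in range(per_source)]

# Collector A: 20 sources x 2 flows to 192.0.2.10, one host sending 60 flows
# to 192.0.2.30, and a little ordinary traffic to 192.0.2.20.
FLOWS_A = (
    _flood("192.0.2.10", [f"203.0.113.{i}" for i in range(1, 21)], 2, 0)
    + [Flow(100 + k, "203.0.113.99", "192.0.2.30", 53) for k in range(60)]
    + [Flow(t, "203.0.113.250", "192.0.2.20", 443) for t in (10, 20, 30)]
)
# Collector B: 15 other sources x 2 flows to the same 192.0.2.10.
FLOWS_B = _flood("192.0.2.10", [f"198.51.100.{i}" for i in range(1, 16)], 2, 0)


if __name__ == "__main__":
    local = report(correlate([summarise(FLOWS_A)]))
    central = report(correlate([summarise(FLOWS_A), summarise(FLOWS_B)]))
    print("collector A alone :", local)
    print("A + B correlated  :", central)
```

Collector A on its own only reports the single-source flood against 192.0.2.30 (60 flows from one host); the 40 flows it sees towards 192.0.2.10 stay under the limit, as do B's 30, and the distributed flood against 192.0.2.10 appears only in the correlated report (70 flows from 35 sources). In practice a fixed flow count per destination is crude: a busy web server crosses it in normal operation, so the threshold is better set per destination from a measured baseline, and the distinct-source count is what separates a popular host from a flood.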


    This archive was generated by hypermail 2.1.4 : Tue Mar 04 2003 - 01:21:05 PST