From: Martin van den Nieuwelaar (martin@gadgets.co.nz)
Date: Tue Mar 04 2003 - 00:50:28 PST
Hi Holt,
>>It is my intention to use netflow and cflowd to try to
>>track DoS attacks.
>>
>>It makes sense to me that there must be some functionality
>>out there to examine the flows and traffic and if a certain IP
>>is receiving a large amount of traffic/flows (which perhaps the
>>operator can specify a threshold) that the system could let you
>>know.
>>
>>Does anyone know how and if this is possible?
Indeed, as Peter mentions, it is possible. What I created was something
that would detect DDoS attacks. If you are happy with just DoS
detection you could use a single collector and process the output from
that in some meaningful way.
Regards,
-Martin
> Martin van den Nieuwelaar <martin@gadgets.co.nz> actually implemented
> this for a global telecomms carrier a few years ago. I used the software
> and can confirm it was very useful.
>
> The general architecture was a set of sensors (NetFlow-enabled routers),
> some collectors (small Linux boxes from memory) which were geographically
> distributed and which summarised the NetFlow data and made it available
> to a central database on a regular basis. He had added a near-real-time
> (every 5 minutes?) "high connection rate to destination" reporting which
> was correlated centrally and reported via a web interface. Fairly nifty.
>
> I'm sure his company is offering something significantly more sophisticated
> now.
>
> Regards
>
> Peter
>
> _______________________________________________
> Cflowd mailing list
> Cflowd@caida.org
> http://login.caida.org/mailman/listinfo/cflowd
>
--
Martin van den Nieuwelaar
Expert traffic measurement and visualisation
www.networkintelligence.biz
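As an added illustration (not code from the thread, from Martin's system, or from cflowd), here is a minimal Python version of the "high connection rate to destination" check Peter describes: flow records are bucketed per destination into fixed windows, and any destination whose flow count crosses an operator-set threshold is reported, tagged as single-source or distributed by the number of distinct sources seen. The record layout, thresholds and sample flows are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records: (unix_time, src_ip, dst_ip), one per exported flow.
FLOWS = [
    (1000, "10.0.0.1", "192.0.2.10"),   # five sources hitting 192.0.2.10 in one window
    (1010, "10.0.0.2", "192.0.2.10"),
    (1020, "10.0.0.3", "192.0.2.10"),
    (1030, "10.0.0.4", "192.0.2.10"),
    (1040, "10.0.0.5", "192.0.2.10"),
    (1005, "10.0.0.6", "192.0.2.30"),   # ordinary traffic, below threshold
    (1210, "10.0.0.9", "192.0.2.20"),   # one source repeatedly hitting 192.0.2.20
    (1220, "10.0.0.9", "192.0.2.20"),
    (1230, "10.0.0.9", "192.0.2.20"),
    (1240, "10.0.0.9", "192.0.2.20"),
]

WINDOW_SECONDS = 300        # reporting interval (the "every 5 minutes" in the thread)
FLOW_THRESHOLD = 4          # operator-chosen flows-per-window alarm level (assumed value)
DISTINCT_SRC_THRESHOLD = 3  # sources needed to call a spike "distributed" (assumed value)


def summarise(flows, window_seconds=WINDOW_SECONDS):
    """Collector step: count flows and distinct sources per (window, destination).
    Returns {(window_start, dst): {"flows": n, "sources": set_of_src}}."""
    summary = defaultdict(lambda: {"flows": 0, "sources": set()})
    for ts, src, dst in flows:
        window_start = ts - (ts % window_seconds)   # align to fixed window boundary
        entry = summary[(window_start, dst)]
        entry["flows"] += 1
        entry["sources"].add(src)
    return summary


def high_rate_destinations(flows, flow_threshold=FLOW_THRESHOLD,
                           distinct_src_threshold=DISTINCT_SRC_THRESHOLD,
                           window_seconds=WINDOW_SECONDS):
    """Central step: report destinations whose flow count in a window reaches
    the threshold, as (window_start, dst, flows, distinct_sources, kind)."""
    alerts = []
    for (window_start, dst), entry in sorted(summarise(flows, window_seconds).items()):
        if entry["flows"] >= flow_threshold:
            n_src = len(entry["sources"])
            kind = "distributed" if n_src >= distinct_src_threshold else "single-source"
            alerts.append((window_start, dst, entry["flows"], n_src, kind))
    return alerts


if __name__ == "__main__":
    for alert in high_rate_destinations(FLOWS):
        print(alert)
```

A real collector would feed this from exported NetFlow records (for example cflowd or flow-tools output) and reset the summary each window; the distinct-source count is what separates the DoS case from the DDoS case Martin distinguishes above.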
This archive was generated by hypermail 2.1.4 : Tue Mar 04 2003 - 01:21:05 PST