North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Is current DDoS detecting method effective?
Hi, I use flow-tools to monitor the link bandwidth utilization on three backbone interfaces. The total bandwidth utilized is about 11Gbps, and netflow data is analyzed to show statistics on some special port (e.g. port 0, port 445 etc.). I think this could give us some indication of possible DoS attach, but it's hard to monitor DoS attack on all hosts or all ports. In fact, I'm not sure whether traffic monitoring could REALLY help to identify some DoS attack, esp. in ISP networks. My questions include: 1) what should be protected in ISP networks? the ISP's own network or both ISP's network and its customers? I think the answer is, ISP should only care about the safety of its own network, which should be overprovisioned ( not only link bandwidth but also CPU/MEM etc.); we could use some technique like reverse route checking and ACL to immunize those core router/switch from DoS. 2) What's the cost should we take to identify any possible DoS in ISP network? I think it will cost a lot if we keep monitoring traffic on all edge routers ( both to backbone network and to customers), because we have to set up traffic monitoring on all interfaces and we have to set up analysis hosts whose ability have to be increased time to time. While the gainback is not obivious ( at least Botnet could not be crashed easily). 3) Is those technique use in current days really effective ? Where can I find some theretical analysis on the method Arbor used to identify DoS? To my experience, network attack is continuous. I do a experiment in our network, I put a Win2003 server on access layer. After 24 hours, the software firewall on it recorded about 10,0000 scan&attack attemps. Arbor says its product build up traffic model before identify DoS, while DoS may have been on its peak point when Arbor's box is building up its traffic model!! So, how can we do with DoS in ISP network? --- "David J. Hughes" <[email protected]> wrote: > > On 04/03/2005, at 5:17 AM, Chris Roberts wrote: > > I know you said not Arbor, but I'd second this > opinion. I used Arbor > > at a > > medium-sized European ISP and it was fantastic at > the job. Just in the > > trial > > period found a lot of smaller DoS attacks on our > network that we > > didn't even > > know were there, and this was without a particular > baseline. I think > > the > > development time you'd spend building something > like (we tried building > > similar with cflowd et al) would outweigh the > costs... This is always > > a moot > > point if you don't have the cash though I guess > :-) > > Another option on the commercial front is from > Esphion in New Zealand > (www.esphion.com). I've been involved with > deploying their products at > a large hosting provider in Australia and I've been > very impressed with > the performance and reliability. It's now an > integral part (if not the > corner stone) of our DOS mitigation procedure. Good > bit of kit. > > > David > ... > __________________________________________________ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
|