North American Network Operators Group


Re: Is current DDoS detecting method effective?

  • From: Kim Onnel
  • Date: Mon Mar 07 06:44:43 2005

On Mon, 07 Mar 2005 06:11:35 +0000 (GMT), Christopher L. Morrow
<[email protected]> wrote:

> Some of your cflowd gathering should also see these things, but they will
> need data correlation, something Arbor already went to the trouble of
> doing for you... So, define: "attack" and then see if your tool fits that
> definition.

So I can safely say that detecting DDoS attacks is mostly done using
NetFlow data. Now, the only (known) tool on the market to analyze it for
attacks is Arbor, which, besides being expensive (a problem for
mid-size ISPs), leaves doing that with open-source tools (cflowd, ...),
which isn't quite easy for a network engineer, who rarely has programming
experience. That's my problem now: we either need to outsource or buy
Arbor.

I've seen open-source NetFlow DDoS-specific apps. Has anyone tried them
(Zazu and Panoptis)?

With the small experience I've gained working with these tools:
- Zazu is still under development, but sometimes reports nice results
- couldn't compile Panoptis

Any luck with stager, Silktools, ntop, ...?

I wish there were a documented ISP's experience of using
open-source tools to detect DDoS, or a homegrown script that uses
flow-tools to report anomalies.

Any news of ongoing projects or papers on the above? There are too
many on blackholing, but not on how to get the IP to blackhole.

Regards
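The "homegrown script that uses flow-tools to report anomalies" the post asks for, as an added example that is not code from this thread or from any of the tools it names (Arbor, Zazu, Panoptis, stager, Silktools, ntop, flow-tools). It assumes a whitespace-separated, flow-print-like column layout (srcIP dstIP proto srcPort dstPort octets packets), a 300-second export interval, and IOS-style static null-route syntax for the output; the sample flows and the per-destination baseline are constructed. Adapt `parse_flows` if your `flow-print` format differs.

```python
"""Per-destination NetFlow anomaly detector that yields /32s to blackhole.

Two rules are applied to one export interval:
  1. packet count far above that destination's baseline (mean + k*stdev
     of earlier intervals), with a pps floor so idle hosts are not flagged;
  2. many distinct sources sending tiny packets (SYN/UDP-flood shape),
     which also catches a destination that has no baseline yet.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

INTERVAL_SECS = 300  # assumed export interval of the sample data


@dataclass
class DstStats:
    flows: int = 0
    packets: int = 0
    octets: int = 0
    sources: set = field(default_factory=set)

    @property
    def bytes_per_packet(self) -> float:
        return self.octets / self.packets if self.packets else 0.0


def parse_flows(text: str) -> dict:
    """Aggregate 'src dst proto sport dport octets packets' lines per dst.

    Comment lines and lines without exactly seven fields are skipped.
    """
    per_dst = defaultdict(DstStats)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or line.lstrip().startswith("#"):
            continue
        src, dst, _proto, _sport, _dport, octets, packets = fields
        try:
            octets, packets = int(octets), int(packets)
        except ValueError:
            continue
        st = per_dst[dst]
        st.flows += 1
        st.packets += packets
        st.octets += octets
        st.sources.add(src)
    return dict(per_dst)


def find_anomalies(current: dict, history: dict, k: float = 3.0,
                   min_sources: int = 100, max_bpp: float = 64.0,
                   min_pps: float = 10.0) -> list:
    """Return [(dst, reason)] for destinations whose traffic looks attacked.

    history maps dst -> list of packet counts from earlier intervals.
    """
    flagged = []
    for dst, st in current.items():
        pps = st.packets / INTERVAL_SECS
        reasons = []
        past = history.get(dst, [])
        if len(past) >= 2:  # need a baseline before rule 1 is meaningful
            mu, sigma = mean(past), pstdev(past)
            if st.packets > mu + k * sigma and pps >= min_pps:
                reasons.append(f"{st.packets} pkts vs baseline {mu:.0f}+/-{sigma:.0f}")
        if len(st.sources) >= min_sources and st.bytes_per_packet <= max_bpp:
            reasons.append(f"{len(st.sources)} sources, {st.bytes_per_packet:.0f} B/pkt")
        if reasons:
            flagged.append((dst, "; ".join(reasons)))
    return flagged


def blackhole_routes(flagged: list) -> list:
    """IOS-style null routes for the flagged /32s (illustrative syntax)."""
    return [f"ip route {dst} 255.255.255.255 Null0" for dst, _ in flagged]


def _constructed_flood(n: int) -> str:
    # n single-packet, 40-byte (SYN-sized) flows from n distinct sources.
    return "\n".join(
        f"203.0.{i // 250}.{i % 250 + 1} 10.0.0.5 6 {1024 + i % 60000} 80 40 1"
        for i in range(n))


# Constructed sample interval: normal web traffic to 10.0.0.9, one bulk
# download to 10.0.0.20 (large packets, single source), and a flood at 10.0.0.5.
SAMPLE_FLOWS = "\n".join([
    "# src dst proto sport dport octets packets",
    "198.51.100.10 10.0.0.9 6 51234 80 15200 22",
    "198.51.100.11 10.0.0.9 6 44021 443 21000 30",
    "198.51.100.12 10.0.0.9 6 40210 80 9100 18",
    "192.0.2.77 10.0.0.20 6 33001 80 1500000 1000",
    _constructed_flood(5000),
])

# Constructed baseline: packets per interval seen previously; 10.0.0.20 has none.
SAMPLE_HISTORY = {
    "10.0.0.5": [1200, 1100, 1300, 1250],
    "10.0.0.9": [500, 520, 480, 510],
}

if __name__ == "__main__":
    hits = find_anomalies(parse_flows(SAMPLE_FLOWS), SAMPLE_HISTORY)
    for dst, why in hits:
        print(f"{dst}: {why}")
    print("\n".join(blackhole_routes(hits)))
```

In practice the input would come from something like `flow-cat <files> | flow-print` fed on stdin, with the history dict persisted between runs (one entry per interval per destination) so the baseline grows; the bulk-download host shows why rule 2 keys on source count and bytes/packet rather than volume alone.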