[123798] in North American Network Operators' Group
Re: OBESEUS - A new type of DDOS protector
daemon@ATHENA.MIT.EDU (William Pitcock)
Tue Mar 16 05:15:52 2010
From: William Pitcock <nenolod@systeminplace.net>
To: gordslater@ieee.org
In-Reply-To: <1268725982.31837.19.camel@ub-g-d2>
Date: Tue, 16 Mar 2010 04:13:28 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, 2010-03-16 at 07:53 +0000, gordon b slater wrote:
> Hmm, the "hey! it's open source!" factor doesn't hold much sway in the
> network world, no-one will be amazed at that. Many observers are
> surprised at the amount of free software employed by ISPs and the
> like, but it's certainly no news to insiders.
Not to mention that it is only "open source for private non-commercial
use only", and is crippled.
Also, Obeseus doesn't seem to be any better than stuff I have made
myself for my own usage and clients' usage. All it does is look at a
pcap dump and analyze it.
Obeseus is actually worse: it does not work in realtime, the data
structures it uses are not suited to realtime detection, and in a DDoS,
I think this could take several minutes to trigger appropriate events
like IP nullroutes and ACLs etcetera.
The best way to detect DDoS is to run a 30 second rolling average. If
you're suddenly doing a gigabit inbound within 30 seconds of UDP
traffic, you're probably being DDoSed ;).
William
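The 30-second rolling-average check described above, as an added example that is not code from the post or from Obeseus: a sliding window over inbound UDP byte counts, fed with a constructed per-second capture. The input format (one aggregated byte count per second per protocol), the class and function names, and the exact 1 Gbit/s threshold are assumptions.

```python
from collections import deque

WINDOW_SECONDS = 30.0          # rolling window length suggested in the post
THRESHOLD_BPS = 1_000_000_000  # "a gigabit inbound" of UDP traffic

class RollingUdpRate:
    """Sliding window over (timestamp, bytes) samples of inbound UDP."""
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.samples = deque()   # (timestamp, nbytes), oldest first
        self.total = 0           # bytes currently inside the window

    def add(self, ts, nbytes):
        self.samples.append((ts, nbytes))
        self.total += nbytes
        # drop samples that have aged out of the window (keeps exactly
        # `window` seconds when input is one sample per second)
        while self.samples and ts - self.samples[0][0] >= self.window:
            _, old = self.samples.popleft()
            self.total -= old

    def bps(self):
        # always divide by the full window: during warm-up this
        # under-reports, which errs on the side of not alerting
        return self.total * 8 / self.window

def first_alert(packets, window=WINDOW_SECONDS, threshold_bps=THRESHOLD_BPS):
    """packets: iterable of (ts, proto, nbytes) sorted by ts.
    Returns the timestamp at which the UDP rate first exceeds the
    threshold, or None if it never does."""
    rate = RollingUdpRate(window)
    for ts, proto, nbytes in packets:
        if proto != "udp":       # only UDP counts towards the detector
            continue
        rate.add(ts, nbytes)
        if rate.bps() > threshold_bps:
            return ts
    return None

def synthetic_capture():
    """Constructed sample, not real traffic: 60 s of 10 MB/s UDP
    (80 Mbit/s) plus TCP noise, then 40 s of 200 MB/s UDP (1.6 Gbit/s)."""
    pkts = []
    for s in range(60):
        pkts.append((float(s), "udp", 10_000_000))
        pkts.append((float(s) + 0.5, "tcp", 50_000_000))
    for s in range(60, 100):
        pkts.append((float(s), "udp", 200_000_000))
    return pkts
```

With this input the window rate crosses 1 Gbit/s 18 seconds into the flood (at t=78), which illustrates the trade-off the post hints at: a 30-second average is quick enough to trigger a nullroute or ACL, but it deliberately smooths over short spikes.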