[175026] in North American Network Operators' Group


Re: netfilter/iptables synproxy; need help deciding

daemon@ATHENA.MIT.EDU (Paige Thompson)
Wed Oct 8 11:32:04 2014

X-Original-To: nanog@nanog.org
Date: Wed, 08 Oct 2014 18:24:32 +0300
From: Paige Thompson <paigeadele@gmail.com>
To: Roland Dobbins <rdobbins@arbor.net>, 
 "nanog@nanog.org list" <nanog@nanog.org>
In-Reply-To: <158C57C2-2642-4736-A9D6-7C9C356C7A4B@arbor.net>
Errors-To: nanog-bounces@nanog.org

On 10/08/14 17:54, Roland Dobbins wrote:
> On Oct 8, 2014, at 9:43 PM, Paige Thompson <paigeadele@gmail.com> wrote:
>
>> Any thoughts on this are appreciated,
> <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
>
> <https://app.box.com/s/e6hdt0iansu1sdb6m42t> pp. 30-36.
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
>                    Equo ne credite, Teucri.
>
>     		   	  -- Laocoön
>
Re pp. 30-36: I think I catch your drift (i.e., using Cisco NetFlow to
detect a synflood?) but would you care to summarize just in case, because
I am not this savvy, but would like to understand.

Also, in regard to Snort inline, I've been trying to figure out whether
or not Snort/DAQ/NFQ (netfilter) is appropriate. I cannot get
this to work, but it seems like on a gateway, for example where I have all
of this iptables stuff, NFQ would be appropriate and would probably
help with all of the false positives (3-way handshake and a couple of
others) I see when trying to use the pcap driver (the only one that will
work).
