[176267] in North American Network Operators' Group
Re: DDOS, IDS, RTBH, and Rate limiting
daemon@ATHENA.MIT.EDU (Tim Jackson)
Fri Nov 21 13:32:40 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <152f858caf81487786df0e986a573b1c@visp.net.lb>
Date: Fri, 21 Nov 2014 10:32:32 -0800
From: Tim Jackson <jackson.tim@gmail.com>
To: Denys Fedoryshchenko <denys@visp.net.lb>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
pmacct includes sfacctd, which is an sFlow collector. Accessible via
the same methods as its nfacctd collector or pcap-based collector.
--
Tim
On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko <denys@visp.net.lb> wrote:
> On 2014-11-21 18:41, Peter Phaal wrote:
>>>>
>>>> Actually, sFlow from many vendors is pretty good (per your points about
>>>> flow
>>>> burstiness and delays), and is good enough for dDoS detection.  Not for
>>>> security forensics, or billing at 99.99% accuracy, but good enough for
>>>> traffic visibility, peering analytics, and (d)DoS detection.
>>>
>>>
>>> Well, if it is available, apart from hardware limitations, there is a second
>>> obstacle: software licensing cost. On the latest JunOS, for example on the EX2200, you need
>>> to purchase a license (EFL), and if I am not wrong it is $3000 for 48-port
>>> units.
>>> So if only the sFlow feature is at stake, it is worth thinking about whether to purchase the
>>> license or to purchase a server.
>>
>>
>> Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):
>>
>>
>> http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf
>>
>> I am not aware of any vendor requiring an additional license to enable
>> sFlow.
>>
>> sFlow (packet sampling) works extremely well for the DDoS flood
>> detection / mitigation use case. The measurements are built into low
>> cost commodity switch hardware and can be enabled operationally
>> without adversely impacting switch performance.  A flood attack
>> generates high packet rates and sampling a 10G port at 1-in-10,000
>> will reliably detect flood attacks within seconds.
>>
>> For most use cases, it is much less expensive to use switches to
>> perform measurement than to attach taps / mirror port probes. If your
>> switches don't already support sFlow, you can buy a 10G capable white
>> box switch for a few thousand dollars that will let you monitor 1.2
>> Terabits/sec. If you go with an open platform such as Cumulus Linux,
>> you could even run your DDoS mitigation software on the switch and
>> dispense with the external server. Embedded instrumentation is simple
>> to deploy and reduces operational complexity and cost when compared to
>> add on probe solutions.
>>
>> Peter Phaal
>> InMon Corp.
>
> Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I will
> have to take a look at Juniper, thanks for the information.
> If it is free, then if an EX2200 is available, it is much easier to run sFlow and
> write a custom collector for it than to install a custom probe (in most common
> cases).
>
> ---
> Best regards,
> Denys
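The "custom collector" Denys mentions and the flood-detection arithmetic Peter describes (1-in-10,000 sampling on a 10G port detecting floods within seconds) boil down to one calculation: each sFlow packet sample stands for `sampling_rate` packets on the wire, so summing the sampling rates of the samples seen for a destination in a time window gives an estimate of the packets sent to it. The block below is an added example written for this thread, not code from pmacct, InMon, or any poster. It assumes the sFlow datagrams have already been decoded into `(timestamp, destination, sampling_rate)` tuples by whatever collector is in use; the sample data, the destination addresses and the 500,000 pps threshold are constructed for illustration. It also carries the caveat any practitioner wants before paging someone: a handful of samples gives a noisy estimate, so an alert should require a minimum sample count (the sFlow.org sampling guidance gives the 95%-confidence relative error as roughly 196/sqrt(n) percent for n samples).

```python
"""Estimate per-destination packet rates from sFlow packet samples and flag floods.

Added example (not from the mailing-list thread). Assumes samples are
already decoded from sFlow datagrams into the Sample records below.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Sample:
    ts: float           # seconds since epoch at which the sample was taken
    dst: str            # destination IP of the sampled packet
    sampling_rate: int  # 1-in-N rate carried in the sFlow flow sample record


def aggregate(samples: Iterable[Sample], window_start: float,
              window_len: float) -> Dict[str, Tuple[int, int]]:
    """Return {dst: (samples_seen, estimated_packets)} for one time window.

    Every sample represents sampling_rate packets, so the estimated packet
    count for a destination is the sum of the sampling rates of its samples.
    """
    seen: Dict[str, int] = defaultdict(int)
    est: Dict[str, int] = defaultdict(int)
    for s in samples:
        if window_start <= s.ts < window_start + window_len:
            seen[s.dst] += 1
            est[s.dst] += s.sampling_rate
    return {dst: (seen[dst], est[dst]) for dst in seen}


def estimate_rates(samples: Iterable[Sample], window_start: float,
                   window_len: float) -> Dict[str, float]:
    """Estimated packets per second per destination in the window."""
    return {dst: packets / window_len
            for dst, (_, packets) in aggregate(samples, window_start, window_len).items()}


def relative_error_pct(n_samples: int) -> float:
    """Approximate 95%-confidence relative error of an estimate built from n samples."""
    return 196.0 / sqrt(n_samples)


def flood_targets(samples: Iterable[Sample], window_start: float, window_len: float,
                  threshold_pps: float, min_samples: int = 10) -> List[str]:
    """Destinations whose estimated rate exceeds the threshold.

    min_samples guards against alerting on a noisy estimate: three samples at
    1-in-10,000 already "estimate" 30,000 packets, but with ~113% error.
    """
    flagged = []
    for dst, (n, packets) in aggregate(samples, window_start, window_len).items():
        if n >= min_samples and packets / window_len >= threshold_pps:
            flagged.append(dst)
    return sorted(flagged)


def seconds_to_n_samples(flood_pps: float, sampling_rate: int, n: int) -> float:
    """Expected time until n samples of a flood at flood_pps have been collected."""
    return n * sampling_rate / flood_pps


def build_constructed_samples() -> List[Sample]:
    """Constructed sample stream: a 1-in-10,000 sampled port seeing a flood
    toward 198.51.100.7 (200 samples in one second, i.e. ~2 Mpps) plus a
    trickle of normal traffic toward 192.0.2.5 (3 samples)."""
    rate = 10_000
    flood = [Sample(i * 0.005, "198.51.100.7", rate) for i in range(200)]
    background = [Sample(t, "192.0.2.5", rate) for t in (0.1, 0.4, 0.8)]
    return flood + background


if __name__ == "__main__":
    data = build_constructed_samples()
    for dst, pps in estimate_rates(data, 0.0, 1.0).items():
        n = aggregate(data, 0.0, 1.0)[dst][0]
        print(f"{dst}: ~{pps:,.0f} pps from {n} samples (+/-{relative_error_pct(n):.1f}%)")
    print("flood targets:", flood_targets(data, 0.0, 1.0, threshold_pps=500_000))
    # How long until a 1 Mpps flood yields 100 samples at 1-in-10,000?
    print(f"{seconds_to_n_samples(1_000_000, 10_000, 100):.2f} s to 100 samples")
```

Run stand-alone it reports roughly 2,000,000 pps toward 198.51.100.7 from 200 samples (about 14% error), 30,000 pps toward 192.0.2.5 from only 3 samples (not flagged), and shows that a 1 Mpps flood produces 100 samples in about one second at 1-in-10,000, which is the "within seconds" detection window Peter describes.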