[182558] in North American Network Operators' Group


Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Jul 21 09:36:06 2015

X-Original-To: nanog@nanog.org
Date: Tue, 21 Jul 2015 09:36:03 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: Rafael Possamai <rafael@gav.ufsc.br>
In-Reply-To: <CAJB2g-E3csjyZM69x+Oe3_CgkW0U=8TvV+GvvmDfzeLXOor39A@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Tue, Jul 21, 2015 at 08:07:34AM -0500, Rafael Possamai wrote:
> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
> 
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.

	We profile the protocols on our network so we understand what the levels
of UDP, ICMP, IPv6, etc. are.  It's easy to pick out spikes in the graphs
that are related to attacks.  Setting thresholds related to this to minimize
impact for customers is important, as it eliminates the garbage that
networks carry and reduces the impact to sites that are under attack.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
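
The two approaches above, Rafael's real-time summary statistics and Jared's per-protocol profiling with thresholds, amount to the same control-chart idea. The following is an added example, not code from either poster or from any NANOG member's network: it aggregates constructed flow summaries into per-protocol byte series, derives an upper control limit (mean + k sigma) from a quiet training window, flags intervals that exceed it, and then breaks the flagged protocol down by destination port. The flow records, the 3-sigma choice and the 10-minute training window are all assumptions made for the illustration.

```python
"""Per-protocol traffic profiling with control-chart (SQC) thresholds.

Added example for the NANOG thread; not code from the thread itself.
Input is a constructed list of per-minute flow summaries:
    (minute, proto, dst_port, bytes)
Minutes 0-9 are a quiet baseline; minutes 10-11 carry a UDP/1720 flood
(numbers are invented and scaled down so they stay readable).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (assumption): steady TCP/443, DNS and ICMP, plus a
# sudden UDP/1720 burst in the last two minutes.
SAMPLE_FLOWS = (
    [(m, "tcp", 443, 9_000_000 + (m % 3) * 200_000) for m in range(12)]
    + [(m, "udp", 53, 800_000 + (m % 4) * 50_000) for m in range(12)]
    + [(m, "icmp", 0, 40_000 + (m % 2) * 5_000) for m in range(12)]
    + [(10, "udp", 1720, 25_000_000), (11, "udp", 1720, 24_000_000)]
)


def aggregate(flows):
    """Sum bytes per (minute, proto) -> {proto: [bytes for minute 0..N]}.

    Minutes with no flows for a protocol are filled with 0 so every series
    has the same index space.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for minute, proto, _port, nbytes in flows:
        totals[proto][minute] += nbytes
    series = {}
    for proto, per_minute in totals.items():
        last = max(per_minute)
        series[proto] = [per_minute.get(m, 0) for m in range(last + 1)]
    return series


def control_limits(values, k=3.0):
    """Return (mean, upper control limit) for a training window.

    The UCL is mean + k * population std dev, the classic Shewhart chart.
    """
    mu = mean(values)
    sigma = pstdev(values)
    return mu, mu + k * sigma


def detect_spikes(series, train_minutes=10, k=3.0):
    """Flag (proto, minute, bytes, ucl) where bytes exceed the protocol's UCL.

    Limits are computed only from the training window, so an attack in the
    evaluated interval cannot inflate its own threshold.
    """
    alerts = []
    for proto, values in series.items():
        _mu, ucl = control_limits(values[:train_minutes], k)
        for minute in range(train_minutes, len(values)):
            if values[minute] > ucl:
                alerts.append((proto, minute, values[minute], round(ucl)))
    return alerts


def top_ports(flows, proto, minute, n=3):
    """Break a flagged (proto, minute) down by destination port, largest first.

    This is the step that turns "UDP is spiking" into "UDP/1720 is spiking",
    which is what an operator needs before writing a rate limit.
    """
    by_port = defaultdict(int)
    for m, p, port, nbytes in flows:
        if m == minute and p == proto:
            by_port[port] += nbytes
    return sorted(by_port.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for proto, minute, nbytes, ucl in detect_spikes(aggregate(SAMPLE_FLOWS)):
        print(f"minute {minute}: {proto} {nbytes} bytes > UCL {ucl}")
        for port, port_bytes in top_ports(SAMPLE_FLOWS, proto, minute):
            print(f"    {proto}/{port}: {port_bytes} bytes")
```

With the constructed data only the UDP series crosses its limit (its baseline is under a megabyte per minute, so a 25 MB minute is far above mean + 3 sigma), while TCP and ICMP stay within their normal variation. Two caveats a practitioner would add: the training window must itself be clean, so in practice it is rolled forward and refreshed only from intervals that were not flagged, and the detector only tells you what to look at; the rate limit or filter that reduces the impact on customers is a separate decision.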
