[69115] in North American Network Operators' Group
Re: Redirecting mail (Re: Throttling mail)
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Mar 25 17:47:04 2004
To: Adi Linden <adil@adis.on.ca>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 25 Mar 2004 14:43:33 CST."
<Pine.LNX.4.44.0403251435370.27911-100000@adibox.knet.ca>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 25 Mar 2004 17:45:12 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 25 Mar 2004 14:43:33 CST, Adi Linden said:
> Where is something like this documented and explained?
If your customer-facing routers/switches are able to generate flow statistics,
it's a Small Matter Of Programming to have something catch said data and do the
analysis. You might need some semi-studly backend systems, but the basic idea
isn't any more complicated than a 'cut | sort | uniq -c | sort -nr | head'
pipeline.
As a data point, some 200 of our boxes got nailed by Witty, and the flow data
for udp/4000 for 3/19 and 3/20 was 18GB. Of course, since essentially each
packet ended up being a separate flow, this was a very worst case scenario (one
box alone did 3M flows in 1 hour, but it was on a 100Mbit port). Expect much
lower numbers of flows from even the most ambitious cablemodem or DSL based
spambot. ;)
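The 'cut | sort | uniq -c | sort -nr | head' idea from the message above, applied to outbound tcp/25 flows, as an added example that is not part of the original post. The CSV layout (src,dst,proto,dport,packets,bytes), the function names and the sample records are assumptions constructed for illustration; a real flow collector's export format will differ.

```shell
#!/bin/sh
# Byte-order sorting keeps lines for the same source address adjacent.
LC_ALL=C; export LC_ALL

# Constructed sample flow records (documentation addresses, not real data).
# Assumed layout: src,dst,proto,dport,packets,bytes
sample_flows() {
cat <<'EOF'
192.0.2.10,198.51.100.25,6,25,14,5200
192.0.2.10,198.51.100.25,6,25,11,4100
192.0.2.10,198.51.100.25,6,25,9,3300
192.0.2.20,198.51.100.25,6,25,10,3900
192.0.2.20,203.0.113.80,6,80,40,51000
192.0.2.66,203.0.113.1,6,25,8,2900
192.0.2.66,203.0.113.2,6,25,8,2950
192.0.2.66,203.0.113.3,6,25,7,2800
192.0.2.66,203.0.113.4,6,25,8,2910
192.0.2.66,203.0.113.5,6,25,8,2930
192.0.2.77,203.0.113.9,17,4000,1,1100
192.0.2.77,203.0.113.10,17,4000,1,1100
EOF
}

# top_talkers PROTO DPORT [N]
# Reads flow records on stdin, prints "source flow_count" for the N busiest
# sources on that protocol/port (default 10), busiest first.
top_talkers() {
    awk -F, -v p="$1" -v d="$2" '$3 == p && $4 == d' |
        cut -d, -f1 | sort | uniq -c | sort -nr | head -n "${3:-10}" |
        awk '{print $2, $1}'
}

# fanout PROTO DPORT MIN
# Prints "source distinct_destinations" for sources that contacted at least
# MIN different hosts on that protocol/port. A customer relaying through one
# smarthost stays at 1; a host delivering directly to many MXes stands out.
fanout() {
    awk -F, -v p="$1" -v d="$2" '$3 == p && $4 == d {print $1 "," $2}' |
        sort -u | cut -d, -f1 | uniq -c |
        awk -v min="$3" '$1 >= min {print $2, $1}' | sort -k2,2nr
}

echo "flows per source, tcp/25:";   sample_flows | top_talkers 6 25 5
echo "sources with >= 3 distinct tcp/25 destinations:"; sample_flows | fanout 6 25 3
```

Flow count alone ranks a busy but legitimate relay user next to a spambot; the distinct-destination count separates the two in this sample.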