[78534] in North American Network Operators' Group
Re: Is current DDoS detecting method effective?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Mar 7 17:08:05 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: Jared Mauch <jared@puck.nether.net>
Cc: Kim Onnel <karim.adel@gmail.com>, NANGO <nanog@merit.edu>
Date: Mon, 07 Mar 2005 23:07:27 +0100
In-Reply-To: <20050307201340.GB58165@puck.nether.net> (Jared Mauch's message of "Mon, 7 Mar 2005 15:13:40 -0500")
Errors-To: owner-nanog@merit.edu
* Jared Mauch:
> If you want some "basic" detection, I recommend doing something
> like this:
>
> sort by the top "proto+dstip+dstport+tcpflags"
> combination. The more of these you see, the more it may
> look weird.
You should also run a similar query for source IPs in your netblocks,
particularly one restricted to 25/TCP. 8->
> Cisco publishes the netflow datagram specification, so
> you may be able to write an optimized netflow daemon that doesn't
> take up too much cpu/disk/whatnot if you discard the lower
> levels of the "noise".
I wouldn't optimize prematurely. I was surprised how far you can get
with a simple Perl script, a slightly increased socket buffer size for
the receiving UDP socket, and rotating ASCII log files.
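As an added example (not code from either poster), the two rankings discussed in the thread written in Python rather than Florian's Perl, run over a constructed ASCII flow log of the kind a rotating-log collector would produce; the log format, the field names and the 198.51.100.0/24 netblock are assumptions.

```python
from collections import Counter
import ipaddress

# Constructed flow log (not real traffic), one flow per line, assumed format:
#   proto srcip srcport dstip dstport tcpflags packets
# It holds a burst of SYN-only flows to one target, ordinary traffic, and one
# host in our netblock opening 25/TCP to several remote mail servers.
SAMPLE_FLOWS = """\
6 203.0.113.5 40001 198.51.100.10 80 S 1
6 203.0.113.6 40002 198.51.100.10 80 S 1
6 203.0.113.7 40003 198.51.100.10 80 S 1
6 203.0.113.8 40004 198.51.100.10 80 S 1
6 192.0.2.20 51000 198.51.100.10 80 SA 12
6 192.0.2.20 51001 198.51.100.25 443 SA 30
17 192.0.2.21 53000 198.51.100.53 53 - 2
6 198.51.100.77 33000 203.0.113.100 25 S 3
6 198.51.100.77 33001 203.0.113.101 25 S 3
6 198.51.100.77 33002 203.0.113.102 25 S 3
6 198.51.100.25 33003 203.0.113.101 25 SA 20
"""

# Assumed: the address space we announce (an RFC 5737 documentation range).
OUR_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_flows(text):
    """Parse the ASCII flow log into a list of dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, sip, sport, dip, dport, flags, pkts = line.split()
        flows.append({"proto": int(proto), "srcip": sip, "dstip": dip,
                      "dstport": int(dport), "flags": flags, "packets": int(pkts)})
    return flows


def top_dst_combos(flows, n=3):
    """Jared's query: rank proto+dstip+dstport+tcpflags by flow count; one
    combination dwarfing the rest (here SYN-only to one host:port) is the signal."""
    counts = Counter((f["proto"], f["dstip"], f["dstport"], f["flags"])
                     for f in flows)
    return counts.most_common(n)


def top_internal_smtp_sources(flows, netblocks=OUR_NETBLOCKS, n=3):
    """Florian's addition: the same ranking keyed on source IP, restricted to
    sources inside our netblocks and to 25/TCP (hosts that began sending mail)."""
    counts = Counter(f["srcip"] for f in flows
                     if f["proto"] == 6 and f["dstport"] == 25
                     and any(ipaddress.ip_address(f["srcip"]) in net
                             for net in netblocks))
    return counts.most_common(n)
```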