[81078] in North American Network Operators' Group


Re: IDS/DDOS prevention hardware that doesnt cost $80,000+?

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed May 25 10:37:45 2005

Date: Wed, 25 May 2005 10:36:45 -0400
From: Jared Mauch <jared@puck.nether.net>
To: Drew Weaver <drew.weaver@thenap.com>
Cc: nanog@merit.edu
In-Reply-To: <B9ECBF8D89E7684EB63FF250E8788B191194D1@BIGLOG.thenap.com>
Errors-To: owner-nanog@merit.edu


On Wed, May 25, 2005 at 10:45:15AM -0400, Drew Weaver wrote:
> I'm wondering if there is such an animal out there? All of
> the ones I have seen are made for the multi-gigabit service provider;
> there aren't any for the smaller mid-rangers out there. Can anyone
> suggest anything that we can put in place? The attacks we're seeing are
> just a huge influx of PPS, not so much the amount of bandwidth.

	I presume you're already graphing/collecting the pps data on
your interfaces?

	You may want to figure out what your normal p95 pps rate is,
then configure some snmp system to watch the ifc counters.

	You could use something like this:

http://sysmon.org/config.html#snmpTestRate

	You of course need to have some underlying snmp data
collection going on, but for watching for traffic bursts or other
types of things (pps or not), there are some free/like-free tools
out there.

	Maybe you have some programmers at your place
that can spend a few hours writing some system that would watch
netflow data. The spec is public here:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm

	You need to know how to interpret the data, which is why it may
be worthwhile to just pay someone for a system that has already
done it (the analysis) for you.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
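The approach Jared outlines (learn the interface's normal p95 packet rate from periodic SNMP counter polls, then alert when the rate jumps well above it) is small enough to show end to end. The following is an added example and is not code from the post, from sysmon, or from any NANOG participant. It assumes the poller reads a cumulative packet counter such as ifHCInUcastPkts at a fixed interval; the counter values, the 60-second poll interval, the quiet and flood windows, and the 3x-baseline alert factor are all constructed for the illustration.

```python
"""
Baseline packets-per-second from SNMP interface counters and flag bursts.

Added illustration of the approach in the post above: learn the normal
p95 pps of an interface from periodic counter samples, then flag later
intervals whose pps exceeds that baseline by a chosen factor.  All
counter values below are constructed, not real SNMP data.
"""
import math
from dataclasses import dataclass

COUNTER64_WRAP = 2 ** 64   # ifHCInUcastPkts is a Counter64
COUNTER32_WRAP = 2 ** 32   # ifInUcastPkts is a Counter32 (wraps in minutes on busy links)


@dataclass
class Sample:
    ts: int        # poll time, seconds since epoch
    packets: int   # cumulative unicast packet counter read via SNMP


def rates_from_counters(samples, wrap=COUNTER64_WRAP):
    """Turn cumulative counter readings into (ts, pps) pairs.

    Counters only ever increase but wrap at 2^32 or 2^64; a reading lower
    than the previous one is treated as a wrap, not as a negative rate.
    """
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.ts - prev.ts
        if dt <= 0:
            continue   # duplicate or out-of-order poll: no rate can be derived
        delta = (cur.packets - prev.packets) % wrap
        rates.append((cur.ts, delta / dt))
    return rates


def percentile(values, pct):
    """Nearest-rank percentile; pct=95 gives the p95 used in traffic graphing."""
    if not values:
        raise ValueError("no values to take a percentile of")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def baseline_p95_pps(samples, wrap=COUNTER64_WRAP):
    """Learn the normal p95 packet rate from a quiet period of counter samples."""
    return percentile([pps for _, pps in rates_from_counters(samples, wrap)], 95)


def burst_alerts(samples, baseline_p95, factor=3.0, wrap=COUNTER64_WRAP):
    """Return (ts, pps) for every interval whose pps exceeds factor * baseline."""
    threshold = factor * baseline_p95
    return [(ts, pps) for ts, pps in rates_from_counters(samples, wrap)
            if pps > threshold]


def build_samples(start_ts, start_counter, deltas, interval=60, wrap=COUNTER64_WRAP):
    """Construct cumulative counter readings from per-interval packet deltas."""
    samples = [Sample(start_ts, start_counter % wrap)]
    for d in deltas:
        samples.append(Sample(samples[-1].ts + interval,
                              (samples[-1].packets + d) % wrap))
    return samples


# Constructed data, not real SNMP output: one-minute polls on a link that
# normally carries about 10 kpps.  The counter starts just below 2^64 so
# that a Counter64 wrap occurs inside the quiet period.
QUIET_DELTAS = [600000, 540000, 660000, 600000, 720000, 480000, 600000, 630000,
                570000, 600000, 690000, 510000, 600000, 600000, 660000, 540000,
                600000, 750000, 600000, 600000]
QUIET_SAMPLES = build_samples(0, 2 ** 64 - 1_000_000, QUIET_DELTAS)

# A later window: five normal minutes, three minutes at 100 kpps (a packet
# flood of the kind described in the thread), then two normal minutes.
LATER_DELTAS = [600000] * 5 + [6_000_000] * 3 + [600000] * 2
LATER_SAMPLES = build_samples(QUIET_SAMPLES[-1].ts, QUIET_SAMPLES[-1].packets,
                              LATER_DELTAS)


def demo():
    """Baseline on the quiet window, then flag bursts in the later window."""
    p95 = baseline_p95_pps(QUIET_SAMPLES)
    alerts = burst_alerts(LATER_SAMPLES, p95)
    return p95, alerts


if __name__ == "__main__":
    p95, alerts = demo()
    print(f"baseline p95: {p95:.0f} pps, alert threshold: {3 * p95:.0f} pps")
    for ts, pps in alerts:
        print(f"t={ts}s  {pps:.0f} pps")
```

Two practical points the code makes explicit: the baseline must be learned from a window you are confident was quiet, otherwise a flood that is already under way becomes "normal"; and if the device only offers 32-bit counters, the poll interval has to be short enough that the counter cannot wrap more than once between polls, since a double wrap is indistinguishable from a single one and silently understates the rate.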
