[nsp] NetFlow and DoS attacks - tuning
Roland Dobbins
rdobbins at cisco.com
Thu Dec 18 13:11:12 EST 2003
There's an open source project called Panoptis - I haven't worked with
it, myself, and am unsure of the development status:
http://panoptis.sourceforge.net/
Using the OSU flow-tools in conjunction with FlowScan (both open
source) yields a lot of valuable information, and that certainly can
indicate sudden increases (or decreases) in various types of traffic
which may be indicative of a DoS:
http://www.linuxgeek.org/netflow-howto.php
Any tool which provides visibility into traffic patterns (i.e., so one
has an idea of what's normal) certainly has an application in detecting
and characterizing DoS attacks. Besides Arbor and Panoptis, I'm
unaware of any other tools which are specifically designed to use
NetFlow to detect and characterize DoS.
On Dec 17, 2003, at 1:33 PM, Volodymyr Yakovenko wrote:
> On Wed, Dec 17, 2003 at 12:31:28AM -0800, Roland Dobbins wrote:
>> Arbor Networks (http://www.arbornetworks.com) provide commercial
>> anomaly-detection and traffic-analysis systems which make use of
>> NetFlow quite effectively, in my experience. Specifically, Arbor
>> Peakflow DoS is the anomaly-detection solution.
>
> Yes, great product (according to Arbor, Cisco is one of their customers
> :-), and HUGE price.
>
> Does anyone know any (cheaper) alternatives?
>
> --
> Regards,
> Volodymyr.
>
>
---------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
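The baseline idea in the post above (know what is normal for your traffic, then flag sudden increases in particular traffic types), as an added worked example that is not part of the original message and is not code from flow-tools, FlowScan, Panoptis or Arbor. The whitespace-separated record layout it parses is an assumption made for illustration, not the real flow-print output; the sample flows, the SYN-flood window and the thresholds are all constructed.

```python
"""
Baseline-based DoS indicators over NetFlow-style flow records.
Added example; the record layout below is assumed for illustration and
is NOT the actual flow-tools flow-print format.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: three quiet one-minute windows.  Assumed fields:
# start_sec src_ip dst_ip proto sport dport tcp_flags(hex) packets octets
SAMPLE_FLOWS = """\
0   198.51.100.5  192.0.2.10  6  34567 80   0x1b 20 15000
5   198.51.100.6  192.0.2.10  6  34568 443  0x1b 30 25000
10  198.51.100.7  192.0.2.11  17 5353  53   0x00 2  200
20  198.51.100.8  192.0.2.12  6  40000 22   0x1b 50 8000
60  198.51.100.5  192.0.2.10  6  34570 80   0x1b 18 14000
65  198.51.100.6  192.0.2.10  6  34571 443  0x1b 35 30000
70  198.51.100.7  192.0.2.11  17 5353  53   0x00 3  300
80  198.51.100.8  192.0.2.12  6  40001 22   0x1b 40 6000
90  198.51.100.9  192.0.2.10  6  50000 80   0x1b 2  1500
120 198.51.100.5  192.0.2.10  6  34572 80   0x1b 25 20000
130 198.51.100.6  192.0.2.10  6  34573 443  0x1b 28 22000
140 198.51.100.7  192.0.2.11  17 5353  53   0x00 2  200
150 198.51.100.8  192.0.2.12  6  40002 22   0x1b 45 7000
180 198.51.100.5  192.0.2.10  6  34574 80   0x1b 20 15000
185 198.51.100.6  192.0.2.10  6  34575 443  0x1b 30 25000
"""

# Constructed fourth window: a SYN flood (flags 0x02, one 40-byte packet per
# flow) from spoofed 203.0.113.0/24 sources against 192.0.2.10:80.
FLOOD_FLOWS = "\n".join(
    f"{190 + i % 20} 203.0.113.{i + 1} 192.0.2.10 6 {1024 + i} 80 0x02 1 40"
    for i in range(40)
)
ALL_FLOWS = SAMPLE_FLOWS + "\n" + FLOOD_FLOWS

FIELDS = ("start", "src", "dst", "proto", "sport", "dport", "flags", "pkts", "octets")
INT_FIELDS = {"start", "proto", "sport", "dport", "pkts", "octets"}


def parse_flows(text):
    """Parse the assumed whitespace-separated record format into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        rec["flags"] = int(rec["flags"], 16)
        flows.append(rec)
    return flows


def window_stats(flows, window=60):
    """Per-window counters: flows, packets, SYN-only share of TCP flows,
    and the destination receiving the most flows (for characterization)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f["start"] - f["start"] % window].append(f)
    stats = {}
    for start, recs in sorted(buckets.items()):
        tcp = [r for r in recs if r["proto"] == 6]
        syn_only = sum(1 for r in tcp if r["flags"] == 0x02)
        top_dst, top_n = Counter(r["dst"] for r in recs).most_common(1)[0]
        stats[start] = {
            "flows": len(recs),
            "pkts": sum(r["pkts"] for r in recs),
            "syn_only_frac": syn_only / len(tcp) if tcp else 0.0,
            "top_dst": top_dst,
            "top_dst_share": top_n / len(recs),
        }
    return stats


# Minimum absolute rise over the baseline before a metric is reported, so a
# zero-variance baseline (e.g. no SYN-only flows ever) does not alert on noise.
DEFAULT_MIN_DELTA = {"flows": 10, "pkts": 100, "syn_only_frac": 0.25}


def detect_anomalies(stats, k=3.0, min_history=3, min_delta=None):
    """Flag a window whose metric exceeds mean + k*stdev of all earlier
    windows (the 'what is normal' baseline) by at least min_delta."""
    min_delta = min_delta or DEFAULT_MIN_DELTA
    starts = sorted(stats)
    alerts = {}
    for idx, start in enumerate(starts):
        history = starts[:idx]
        if len(history) < min_history:
            continue  # not enough baseline yet
        for metric, floor in min_delta.items():
            past = [stats[s][metric] for s in history]
            base, spread = mean(past), pstdev(past)
            value = stats[start][metric]
            if value > base + k * spread and value - base >= floor:
                alerts.setdefault(start, []).append({
                    "metric": metric, "value": value, "baseline": base,
                    "top_dst": stats[start]["top_dst"],
                })
    return alerts


if __name__ == "__main__":
    report = detect_anomalies(window_stats(parse_flows(ALL_FLOWS)))
    for start, items in report.items():
        for a in items:
            print(f"t={start}s {a['metric']}={a['value']:.2f} "
                  f"(baseline {a['baseline']:.2f}) top dst {a['top_dst']}")
```

Note that in the flood window total packets actually fall below the baseline (one packet per spoofed flow), so packet volume alone would miss it; the flow count and the share of SYN-only TCP flows are what move, which is why several per-window metrics are kept rather than a single byte or packet counter.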