[nsp] NetFlow and DoS attacks - tuning

Jeff Nelson jnelson at rackspace.com
Sat Dec 20 15:36:45 EST 2003


This should be discussed on "discuss".

But just as a side, we use Arbor as well. It is not for everybody. The problem with the homegrown setups is scalability--watching about a /14 across a few datacenters and about 6Gb of various pipes will choke about any database trying to do something in semi-realtime. I worked for a while trying to implement a cflowd/flowscan setup, but I came to a point where I had to either get it to understand some serious sampling or implement a very distributed solution with some sort of event viewer. If I had my choice, I probably would have gone with the homegrown solution, but we needed the working product immediately and the execs didn't want to add salaries to support more internally developed software.

If someone has made some decent progress in this area, I would be interested in hearing about it.

--j

Volodymyr Yakovenko (vovik at dumpty.org) @ 03/12/19 17:48:
> On Fri, Dec 19, 2003 at 09:23:13AM +0000, neil at COLT.NET wrote:
> >> Does anyone know any (cheaper) alternatives?
> >
> >Define cheaper? something that has a visible cost? or an invisible 
> >hidden cost? We use Arbor here and I have to say its a very
> >good product.
> 
> Dear Roland,
> 
>  What I need is some tool to gather NetFlow statistics from our access 
>  routers and perform the following:
> 
> 1. Some kind of almost-real-time IDS for general Worms/DOS detection.
> 2. Flows history database for post incident investigations.
> 
>  I also need something to query the flows history database for identifying
>  typical data patterns from one set of hosts to another set of hosts during 
>  some period of time with some kind of statistical analysis.
> 
>  It looks like Arbor is able to do all of the above. However, the price of such a
>  solution can easily exceed the price of your routers.
> 
>  Not all companies are as big as Cisco, international banks or oil companies.
> 
> -- 
> Regards,
> Volodymyr.

-- 
Jeff Nelson
Rackspace Managed Hosting
Office: (210) 892 4025 x1601
GnuPG KeyID: 0x7DE7C4E0 @pgp.mit.edu
AS Caretaker: 10532 15395 25897 27357 30099
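The two requirements raised in the quoted message (near-real-time worm/DoS detection from router NetFlow exports) and the sampling problem Jeff mentions, as an added example that is not code from this thread, from cflowd/flowscan or from Arbor. It parses a NetFlow v5 export datagram, scales packet counts by the header's sampling interval, and flags a source touching many hosts (scan) or many SYN-only flows converging on one destination (flood); thresholds and the sample datagram are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Return (sampling_interval, records) from one NetFlow v5 export datagram."""
    ver, count, _up, _secs, _ns, _seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError("not NetFlow v5")
    interval = (sampling & 0x3FFF) or 1          # low 14 bits hold the interval; 0 = unsampled
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "pkts": f[5], "dport": f[10], "flags": f[12], "proto": f[13]})
    return interval, records

def detect(records, interval, fanout_limit=20, syn_limit=1000):
    """Two cheap heuristics: a scanning source (many distinct destinations) and a
    SYN flood (SYN-only flows piling onto one destination). Thresholds are assumed."""
    fanout, syn_pkts = defaultdict(set), defaultdict(int)
    for r in records:
        fanout[r["src"]].add(r["dst"])
        if r["proto"] == 6 and r["flags"] & 0x12 == 0x02:   # SYN set, ACK clear
            syn_pkts[r["dst"]] += r["pkts"] * interval       # undo router sampling
    alerts = [("scan", s, len(d)) for s, d in fanout.items() if len(d) >= fanout_limit]
    alerts += [("synflood", d, n) for d, n in syn_pkts.items() if n >= syn_limit]
    return sorted(alerts)

def build_v5(flows, interval):
    """Constructed export datagram from (src, dst, dport, tcp_flags, proto, pkts) tuples."""
    hdr = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, interval)
    body = b"".join(V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                                   1, 2, p, p * 60, 0, 0, 40000, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, dp, fl, pr, p in flows)
    return hdr + body

# Constructed sample: one host probing port 445 on 30 neighbours, 30 hosts SYN-ing one
# web server, and one ordinary established (PSH/ACK) flow; exported with 1:100 sampling.
SAMPLE = [("10.0.0.5", f"10.0.1.{i}", 445, 0x02, 6, 1) for i in range(1, 31)]
SAMPLE += [(f"198.51.100.{i}", "192.0.2.10", 80, 0x02, 6, 1) for i in range(1, 31)]
SAMPLE += [("10.0.0.9", "192.0.2.20", 443, 0x18, 6, 40)]

def run():
    interval, recs = parse_v5(build_v5(SAMPLE, 100))
    return detect(recs, interval)   # [('scan', '10.0.0.5', 30), ('synflood', '192.0.2.10', 3000)]
```

Replacing `build_v5` with a UDP socket bound to the export port turns this into the real-time side; the flow dicts are what you would also batch into the history database for post-incident queries.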
