[c-nsp] Netflow opensource analyzers for DDoS

Mike network at infinity77.net
Sun Nov 14 23:22:40 EST 2004


I use a setup based on the steps at netflowguide.com
It provides me with a graphical view of our network traffic as well as 
html reports on our toptalkers, top by AS and top by AS path. I got the 
top by AS and AS Path by using campusIO module...very nice. 
I use a regular onboard NIC with a 100Mbps port to collect the flow 
stats...we do about 700Mbps of traffic on average and using time based 
sampling with a rate of 64 works great for me.



Kim Onnel wrote:

>Dear All,
>
>I would like to monitor our ingress OC3 for DoS/DDoS attacks towards
>our customers, in order to identify Src/Dst of attacks and take
>further action,
>
>Have to mention, I am low on resources, so I can not buy Cisco guard
>TX for e.g. nor Arbor peakflow,
>
>All i have in hand is a cheap PC(Pentium4/512 RAM/120GB HDD) and my
>choice of opensource OS and Netflow analyzers,
>
>Can anyone give me their 2 cents on their experience with a similar
>setup, there are currently too many tools, but they're not DDoS
>customized,
>however, one could use some intelligence and make use,
>
>On my mind are a couple of questions,
>
>-Like where should the machine be located < as close as possible to
>the exporting router
>-Sampling rate?
>-FreeBSD or Debian?
>-Any recommended NIC for the large volumes of data ?
>
>e.g.:
>http://panoptis.sourceforge.net/
>http://silktools.sourceforge.net/
>ntop
>cflowd+flow-tools
>http://freshmeat.net/projects/glflow/
>http://stager.uninett.no/
>
>Kind Regards 
>~Kim
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
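Kim's remark that the listed tools are "not DDoS customized" but that "one could use some intelligence and make use" is the part worth making concrete. A plain top-talkers report of the kind the netflowguide.com setup above produces ranks the busiest legitimate server first; a flood shows up instead as many distinct sources sending small packets at one destination. The following is an added example, not code from either poster or from any of the tools listed in the thread. It assumes a simplified comma-separated flow record layout of my own (srcaddr,dstaddr,prot,srcport,dstport,dpkts,doctets; this is not flow-tools' real export format), scales packet and byte counts by the 1-in-64 sampling rate Mike mentions, and flags destinations hit by small-packet traffic from several sources. The thresholds and the sample records are constructed for illustration.

```python
"""Top-talker report and a simple flood heuristic over sampled NetFlow-style records.

Added example. The record layout, the sample lines and the thresholds are
assumptions constructed for this illustration, not output of a real exporter.
"""
from collections import defaultdict
from dataclasses import dataclass

# 1-in-64 time-based sampling, as in the setup described in the thread.
SAMPLING_RATE = 64

# Constructed records, one flow per line:
# srcaddr,dstaddr,prot,srcport,dstport,dpkts,doctets  (counts as exported, before scaling)
SAMPLE_FLOWS = """\
# two ordinary HTTP clients talking to a busy web server
198.51.100.10,203.0.113.5,6,40001,80,12,9000
198.51.100.11,203.0.113.5,6,40002,80,10,7500
# four sources sending 40-byte packets at one host on port 80
192.0.2.1,203.0.113.77,6,1024,80,50,2000
192.0.2.2,203.0.113.77,6,1025,80,60,2400
192.0.2.3,203.0.113.77,6,1026,80,55,2200
192.0.2.4,203.0.113.77,6,1027,80,45,1800
# a little DNS from a single source
198.51.100.12,203.0.113.9,17,53,53,3,300
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int   # scaled by the sampling rate
    octets: int    # scaled by the sampling rate


def parse_flows(text, sampling_rate=SAMPLING_RATE):
    """Parse the constructed CSV layout; multiply counts by the sampling rate."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        src, dst, proto, sport, dport, pkts, octets = fields
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport),
                          int(pkts) * sampling_rate, int(octets) * sampling_rate))
    return flows


def top_talkers(flows, key="dst", n=5):
    """Rank addresses by estimated bytes; key is 'src' or 'dst'."""
    totals = defaultdict(int)
    for f in flows:
        totals[getattr(f, key)] += f.octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def ddos_suspects(flows, min_sources=3, max_avg_pkt_size=100):
    """Destinations receiving small packets from many distinct sources.

    Returns (dst, distinct_sources, est_packets, avg_packet_size), busiest first.
    Thresholds are illustrative assumptions; tune them to the link being watched.
    """
    sources = defaultdict(set)
    packets = defaultdict(int)
    octets = defaultdict(int)
    for f in flows:
        sources[f.dst].add(f.src)
        packets[f.dst] += f.packets
        octets[f.dst] += f.octets
    suspects = []
    for dst, srcs in sources.items():
        avg = octets[dst] / packets[dst] if packets[dst] else 0.0
        if len(srcs) >= min_sources and avg <= max_avg_pkt_size:
            suspects.append((dst, len(srcs), packets[dst], round(avg, 1)))
    return sorted(suspects, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top destinations by estimated bytes:")
    for dst, octets in top_talkers(flows):
        print(f"  {dst:16} {octets:>10}")
    print("flood suspects (dst, sources, est. packets, avg packet size):")
    for row in ddos_suspects(flows):
        print(" ", row)
```

Run against the constructed records, the byte-based report puts the legitimate web server (203.0.113.5) first, while the heuristic singles out 203.0.113.77: four sources, an estimated 13,440 packets, 40 bytes each. Feeding it real data means replacing `SAMPLE_FLOWS` with whatever your collector exports in that column order, and keeping the sampling rate in the code equal to the one configured on the router, otherwise the per-destination packet estimates are off by that factor.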