[c-nsp] Open-source tools(Flow-tools, Silktools..) for DDoS detection?

James MacDonald j4m3sm63 at yahoo.ca
Thu Mar 3 11:39:29 EST 2005


SPD is also another mechanism to help prioritize routing traffic and keepalive traffic in the midst of congestion that I would recommend ... this is worth a look ... it may be on by default, not sure.
 
http://www.cisco.com/warp/public/63/spd.html
 
I used Arbor previously and liked it a lot ... true it was expensive, but it had true value. I have looked at ntop but have not played with it ... I think it looks promising. Also, you could create your own scripts to calculate pps and provide details on potential DoS attacks ... I've done this prior to going to Arbor ... Arbor scales much better than custom scripts ... but they served the purpose initially.
 
Hope that helps.
 
Jim

Sami Joseph <sami.joseph at gmail.com> wrote:
Hi everyone,

I'd like to be corrected if I am wrong:

With 3 full OC3s of Internet and a 7600 as gateway, when the number of
pps goes up to 100-200kpps or bandwidth utilization hits the MRTG
roof, and routing protocols get dropped, there is nothing I can do to
stop such attacks, other than detecting the dst. IP and blackholing
it?

Has anyone used tools like flow-tools, silktools, ntop or other
open-source netflow collectors/analyzers to be able to detect the DDoS
src/dst of attacks, Not Arbor PeakFlow nor Stealthflow XE(Expensive..)

Will they do the job ?

Should I just export from the gateway, or is it better to export from PE routers?
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


------------------------------
Jim MacDonald
jamesm at allstream.net
------------------------------
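
An added example, not part of the original post and not the poster's own scripts, of the kind of custom pps script the reply mentions: it buckets flow records per destination and time window and flags destinations above a packet-rate threshold. The record layout, the sample data, the function names and the 100 kpps default (taken from the figure in the quoted question) are assumptions for illustration, not the output format of flow-tools or any other collector.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real traffic, hypothetical layout):
# start_epoch,end_epoch,src,dst,packets
SAMPLE = """\
1000,1009,198.51.100.7,203.0.113.10,400000
1000,1009,198.51.100.8,203.0.113.10,600000
1005,1014,198.51.100.9,203.0.113.10,900000
1000,1019,192.0.2.50,203.0.113.20,40000
1010,1019,192.0.2.51,203.0.113.30,10
"""

def parse_flows(text):
    """Yield (start, end, src, dst, packets) tuples from the layout above."""
    for start, end, src, dst, pkts in csv.reader(io.StringIO(text)):
        yield int(start), int(end), src, dst, int(pkts)

def pps_by_destination(flows, window=10):
    """Return {(window_start, dst): [packets, set_of_sources]}.

    A flow record is exported only after the flow ends or times out, so its
    packets are spread evenly over the seconds it covered instead of being
    counted in the window where the export happened.
    """
    buckets = defaultdict(lambda: [0.0, set()])
    for start, end, src, dst, pkts in flows:
        seconds = max(end - start + 1, 1)  # inclusive; guards end < start
        per_second = pkts / seconds
        for t in range(start, start + seconds):
            bucket = buckets[(t - t % window, dst)]
            bucket[0] += per_second
            bucket[1].add(src)
    return buckets

def find_floods(flows, window=10, threshold_pps=100_000):
    """List (window_start, dst, pps, source_count), highest rate first."""
    alerts = []
    for (w, dst), (pkts, srcs) in pps_by_destination(flows, window).items():
        pps = pkts / window
        if pps >= threshold_pps:
            alerts.append((w, dst, round(pps), len(srcs)))
    return sorted(alerts, key=lambda a: -a[2])

if __name__ == "__main__":
    for w, dst, pps, nsrc in find_floods(parse_flows(SAMPLE)):
        print(f"window {w}: {dst} at {pps} pps from {nsrc} sources")
```

The flagged destination and its source count are the details needed to decide whether to blackhole that address, as the quoted question describes.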

