[c-nsp] Open-source tools (Flow-tools, Silktools..) for DDoS detection?
Chris Roberts
croberts at bongle.co.uk
Thu Mar 3 14:17:32 EST 2005
> I used Arbor previously and liked it a lot ... true it was
> expensive, but it had true value. I have looked at ntop but
> have not played with it ... I think it looks promising.
> Also, you could create your own scripts to calculate pps and
> provide details on potential DoS attacks ... I've done this
> prior to going to Arbor ... Arbor scales much better than
> custom scripts ... but they served the purpose initially.
>
I know you said not Arbor, but I'd second this opinion. I used Arbor at a medium-sized European ISP and it was fantastic at the job. Just in the trial period it found a lot of smaller DoS attacks on our network that we didn't even know were there, and this was without a particular baseline. I think the development time you'd spend building something like that (we tried building something similar with cflowd et al.) would outweigh the costs... This is always a moot point if you don't have the cash though, I guess :-)

Like I say, one of our number spent a long time trying to build a DoS detection algorithm with cflowd and didn't get hugely far, I don't believe. If anyone else has done any work on a project like this, I'd love to see it, being now at a smaller provider with similar $ restraints.

I was surprised at how inexpensive Arbor was at the time, and if DoS attacks really are a big problem for you as they were for us, I think the investment speaks for itself to management.
Cheers,
Chris.
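As an added illustration of the "own scripts to calculate pps" approach discussed in the thread (this is example code, not anything from the posters, Arbor, cflowd or the flow-tools/SiLK projects), the script below aggregates NetFlow-style records per destination into packets per second, compares each window against a median baseline of the destination's recent history, applies an absolute floor so a host with no history is still only flagged once it carries real volume, and lists the top contributing sources for any flagged destination. The record layout, the 60-second export window, the thresholds and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

WINDOW_SECONDS = 60  # assumed flow-export aggregation interval

# Constructed sample flow records (not real traffic): (window, src, dst, proto, packets).
# Windows 0-3 are quiet; window 4 adds a UDP packet flood toward 192.0.2.10.
SAMPLE_FLOWS = [
    *[(w, "198.51.100.5", "192.0.2.10", "tcp", 600) for w in range(4)],
    *[(w, "198.51.100.6", "192.0.2.20", "tcp", 1200) for w in range(4)],
    (4, "198.51.100.5", "192.0.2.10", "tcp", 600),
    (4, "203.0.113.1", "192.0.2.10", "udp", 20000),
    (4, "203.0.113.2", "192.0.2.10", "udp", 20000),
    (4, "203.0.113.3", "192.0.2.10", "udp", 19400),
    (4, "198.51.100.6", "192.0.2.20", "tcp", 1200),
]


def pps_per_destination(flows, window_seconds=WINDOW_SECONDS):
    """Sum packets per (window, destination) and convert to packets per second."""
    totals = defaultdict(lambda: defaultdict(int))
    for window, _src, dst, _proto, packets in flows:
        totals[window][dst] += packets
    return {w: {dst: pkts / window_seconds for dst, pkts in dsts.items()}
            for w, dsts in totals.items()}


def detect_floods(flows, history=3, multiplier=5.0, min_pps=100.0):
    """Return (window, dst, pps, baseline) for each destination whose pps exceeds
    multiplier * baseline and the absolute floor min_pps.

    baseline = median pps of that destination over the previous `history`
    windows (0 if none). The floor keeps tiny absolute rates from alerting,
    which is what stands in for a baseline when a destination has no history."""
    per_window = pps_per_destination(flows)
    alerts = []
    for window in sorted(per_window):
        for dst, pps in per_window[window].items():
            past = [per_window[w].get(dst, 0.0)
                    for w in range(window - history, window) if w in per_window]
            baseline = median(past) if past else 0.0
            if pps >= min_pps and pps > multiplier * baseline:
                alerts.append((window, dst, pps, baseline))
    return alerts


def top_sources(flows, window, dst, limit=3):
    """Per-source packet contributions toward dst in one window, largest first."""
    by_src = defaultdict(int)
    for w, src, d, _proto, packets in flows:
        if w == window and d == dst:
            by_src[src] += packets
    return sorted(by_src.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for window, dst, pps, baseline in detect_floods(SAMPLE_FLOWS):
        print(f"window {window}: {dst} at {pps:.0f} pps (baseline {baseline:.0f} pps)")
        for src, packets in top_sources(SAMPLE_FLOWS, window, dst):
            print(f"    {src}: {packets} packets")
```

On the sample data only window 4 for 192.0.2.10 is flagged (1000 pps against a 10 pps baseline), and the source breakdown shows the three UDP senders dwarfing the legitimate TCP traffic. In practice the multiplier and floor need tuning per network, and the baseline window should be long enough to absorb normal diurnal swings, which is the part the thread notes is hard to get right with home-grown cflowd scripts.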