[c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard
Roland Dobbins
rdobbins at cisco.com
Sun Mar 15 12:39:57 EDT 2009
On Mar 15, 2009, at 11:54 PM, Drew Weaver wrote:
> Also, without a dedicated DDoS system deployed, what is the most
> reliable/fastest way to determine the destination(s) of the attacks
> (SNMP, NetFlow, etc)?
With or without a dedicated DDoS mitigation system, NetFlow-based
anomaly-detection is generally considered to be the most scalable
solution which provides network visibility of inbound/outbound/
crossbound traffic.
> Any particular software tools which are helpful for detecting this,
> NetFlow for us has been slightly difficult to use for this task
> mainly because we haven't found software that is really designed for
> security rather than performance (would be nice if it did both?)
Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe
are three commercial NetFlow-based anomaly-detection systems. There's
a free (but not open-source, AFAIK) system which has recently been
released on Windows (*NIX to come later); I haven't played with it
myself, but here's a link:
<http://www.akmalabs.com/downloads_flowmatrix.php>
> Either systems/techniques that automatically mitigate or systems
> that simply recommend mitigation steps/alert are both being evaluated.
I'm generally not a big fan of automatic mitigation, except possibly
in some very limited situations/domains, as there's always the
possibility it could be gamed.
> By mitigation I mean Null routing sources, null routing destinations
> upstream (via communities), et cetera.
Again, think carefully before automating any sort of blackholing or
other mitigation mechanism.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +852.9133.2844 mobile
Some things are just too precious to entrust to computers.
-- Seth Hanford
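To make the NetFlow-based approach discussed in this thread concrete, the following is an added example (not from the original post, and not code from any of the products named in it). It aggregates constructed NetFlow-style records per destination and collection window, builds a per-destination packet-rate baseline from earlier windows, and flags a destination whose current-window packet count jumps well above that baseline, which is the "where is the attack going" question the thread starts from. In keeping with the reply's caution about automated blackholing, the output is advisory text for an operator only; nothing in it installs a route, community or filter. The record layout, window size and thresholds are assumptions of this example, and the addresses are from documentation ranges.

```python
"""Toy NetFlow-style anomaly detection: find the destination(s) under attack.

Added example, not from the original mailing-list post. The flow records are
constructed; the field layout loosely mirrors a NetFlow v5 export collapsed
into 60-second collection windows by a hypothetical collector.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    bytes: int
    window: int  # index of the 60-second collection window (assumed)


def build_sample():
    """Constructed sample: windows 0-4 are steady traffic; window 5 adds a
    UDP/53 flood against 203.0.113.10 from 200 distinct sources."""
    flows = []
    for w in range(6):
        for i in range(5):
            flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", 6, 443, 120, 90000, w))
            flows.append(Flow(f"198.51.100.{i + 10}", "203.0.113.20", 6, 80, 100, 80000, w))
    for i in range(200):
        flows.append(Flow(f"192.0.2.{i % 254 + 1}", "203.0.113.10", 17, 53, 5000, 320000, 5))
    return flows


def per_window_stats(flows):
    """Aggregate total packets and the set of distinct sources per (window, dst)."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for f in flows:
        pkts[(f.window, f.dst)] += f.packets
        srcs[(f.window, f.dst)].add(f.src)
    return pkts, srcs


def detect(flows, current_window, ratio=3.0, sigma=3.0):
    """Return (dst, current_pkts, baseline_mean, distinct_srcs) for each
    destination whose packet count in current_window exceeds both a ratio
    over the baseline mean and mean + sigma * stdev of earlier windows.
    The thresholds are illustrative assumptions, not tuned values."""
    pkts, srcs = per_window_stats(flows)
    dsts = {dst for (_, dst) in pkts}
    alerts = []
    for dst in sorted(dsts):
        history = [pkts.get((w, dst), 0) for w in range(current_window)]
        if not history:
            continue  # no baseline yet for the very first window
        base = mean(history)
        sd = pstdev(history)
        cur = pkts.get((current_window, dst), 0)
        if cur > base * ratio and cur > base + sigma * sd:
            alerts.append((dst, cur, base, len(srcs[(current_window, dst)])))
    alerts.sort(key=lambda a: a[1], reverse=True)  # worst offender first
    return alerts


def recommend(alerts):
    """Turn alerts into advisory lines for an operator. Deliberately does not
    act: blackholing a destination is a decision for a human to review."""
    lines = []
    for dst, cur, base, nsrc in alerts:
        lines.append(
            f"{dst}: {cur} pkts this window vs baseline {base:.0f}; "
            f"{nsrc} distinct sources. Review before any destination blackhole."
        )
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for line in recommend(detect(sample, current_window=5)):
        print(line)
```

Running the block prints one advisory line for 203.0.113.10 and nothing for 203.0.113.20, whose traffic is unchanged in the flood window. The distinct-source count is reported alongside the packet jump because it helps an operator tell a many-source flood from a single misbehaving client, which matters when deciding between destination-based and source-based blackholing.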