[c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard

Charles Wyble charles at thewybles.com
Sun Mar 15 13:43:14 EDT 2009



Roland Dobbins wrote:
> 
> On Mar 15, 2009, at 11:54 PM, Drew Weaver wrote:
> 
>> Also, without a dedicated DDoS system deployed, what is the most 
>> reliable/fastest way to determine the destination(s) of the attacks 
>> (SNMP, NetFlow, etc)?
> 
> With or without a dedicated DDoS mitigation system, NetFlow-based 
> anomaly-detection is generally considered to be the most scalable 
> solution which provides network visibility of 
> inbound/outbound/crossbound traffic.


Indeed. It is built right into the gear which is nice. :) You could also 
look at Cisco Flexible Packet Matching ( 
http://www.cisco.com/en/US/products/ps6723/index.html) ... it's more of 
a snort type solution.


> 
>> Any particular software tools which are helpful for detecting this, 
>> NetFlow for us has been slightly difficult to use for this task mainly 
>> because we haven't found software that is really designed for security 
>> rather than performance (would be nice if it did both?)
> 
> Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe 
> are three commercial NetFlow-based anomaly-detection systems.  There's a 
> free (but not open-source, AFAIK) system which has recently been 
> released on Windows (*NIX to come later); I haven't played with it 
> myself, but here's a link:
> 
> <http://www.akmalabs.com/downloads_flowmatrix.php>


Also check out ntop. From 
http://www.simpleweb.org/tutorials/implementation/ntop/ntopa2.html

   2.4 Detection of Network Security Violations

In networks, most security attacks come from the network itself. 
For this reason ntop provides users with support for both tracking 
ongoing attacks and identifying potential security holes, including IP 
spoofing, network cards in promiscuous mode, denial of service attacks, 
trojan horses (that use well known ports) and portscan attacks.

When a security violation or a network misconfiguration is identified, 
ntop offers facilities to generate alarms for the network operator (via 
e-mail, SNMP traps or Short Messaging Systems) and to perform specific 
actions (when applicable) in order to block the attack. As it is also 
possible to keep traffic information stored in a database, the records 
can be used to understand the attack and prevent further similar 
occurrences. Further information on the use of ntop for security 
purposes is available in [7].

It is important to note that ntop, as well as other monitoring tools, 
might pose security threats if not installed and configured properly. 
Free access to ntop's web interface will allow any user with web access 
to read all the information provided by ntop, gaining knowledge about 
the network that would not be disclosed otherwise.



> 
>> Either systems/techniques that automatically mitigate or systems that 
>> simply recommend mitigation steps/alert are both being evaluated.
> 
> I'm generally not a big fan of automatic mitigation, except possibly in 
> some very limited situations/domains, as there's always the possibility 
> it could be gamed.

Indeed. Your signature is very appropriate here. :)

> 
>   Some things are just too precious to entrust to computers.


Like say getting yelled at/fired by the boss cause you knocked off a 
large portion of your customers due to a missed condition in your 
script. :)
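The thread's answer to "how do I find the destination of an attack without a dedicated box" is NetFlow-based anomaly detection: aggregate inbound flows per destination and compare each destination's rate with what it normally sees. The script below is an added example, not code from the original post or from any of the products named in the thread. It reads a constructed NetFlow-style CSV export (the field order, the 203.0.113.0/24 "our space" prefix, the baseline pps table and the thresholds are all assumptions), sums packets per destination inside our prefixes, and reports destinations whose packet rate is both above an absolute floor and many times their baseline. It only reports; in keeping with the caution about automatic mitigation above, the operator decides what to blackhole or scrub.

```python
"""Added example (not from the original thread): pick out probable DDoS
destinations from NetFlow-style records by comparing each destination's
packet rate with a per-destination baseline. Record format, prefixes and
baselines are constructed assumptions."""

from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    octets: int
    start: float  # seconds, relative to the start of the export window
    end: float


# Constructed NetFlow-like CSV export (assumed field order:
# src,dst,proto,dport,packets,octets,start,end). 203.0.113.0/24 is "our" space.
SAMPLE_EXPORT = """\
# eight spoofed sources sending 40-byte TCP SYNs toward one customer host
198.51.100.11,203.0.113.5,6,80,15000,600000,0,60
198.51.100.12,203.0.113.5,6,80,15000,600000,0,60
198.51.100.13,203.0.113.5,6,80,15000,600000,0,60
198.51.100.14,203.0.113.5,6,80,15000,600000,0,60
198.51.100.15,203.0.113.5,6,80,15000,600000,0,60
198.51.100.16,203.0.113.5,6,80,15000,600000,0,60
198.51.100.17,203.0.113.5,6,80,15000,600000,0,60
198.51.100.18,203.0.113.5,6,80,15000,600000,0,60
# ordinary HTTPS traffic to another customer host
192.0.2.7,203.0.113.20,6,443,3000,2400000,0,60
192.0.2.8,203.0.113.20,6,443,3000,2400000,0,60
# a known-busy DNS host: high pps, but within its baseline
192.0.2.9,203.0.113.30,17,53,360000,36000000,0,60
# outbound flow from the victim; not a candidate destination
203.0.113.5,192.0.2.7,6,443,500,40000,0,60
"""

OUR_PREFIXES = ["203.0.113.0/24"]

# Assumed per-destination baseline packet rates (pps) learned from quiet periods.
BASELINE_PPS: Dict[str, float] = {
    "203.0.113.5": 100.0,
    "203.0.113.20": 100.0,
    "203.0.113.30": 5000.0,
}
DEFAULT_BASELINE_PPS = 100.0


@dataclass
class DstStats:
    packets: int = 0
    octets: int = 0
    flows: int = 0
    sources: Set[str] = field(default_factory=set)


def parse_export(text: str) -> List[Flow]:
    """Parse the constructed CSV export; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, octs, start, end = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(dport),
                          int(pkts), int(octs), float(start), float(end)))
    return flows


def observation_window(flows: List[Flow]) -> float:
    """Length in seconds of the interval covered by the flow records."""
    return max(f.end for f in flows) - min(f.start for f in flows)


def aggregate_by_destination(flows: List[Flow], our_prefixes: List[str]) -> Dict[str, DstStats]:
    """Sum inbound traffic per destination inside our prefixes; flows whose
    destination is outside our space (outbound/crossbound) are dropped."""
    nets = [ip_network(p) for p in our_prefixes]
    stats: Dict[str, DstStats] = defaultdict(DstStats)
    for f in flows:
        if not any(ip_address(f.dst) in n for n in nets):
            continue
        s = stats[f.dst]
        s.packets += f.packets
        s.octets += f.octets
        s.flows += 1
        s.sources.add(f.src)
    return dict(stats)


def find_attack_targets(stats: Dict[str, DstStats], window_seconds: float,
                        baseline_pps: Dict[str, float],
                        factor: float = 10.0, min_pps: float = 1000.0) -> List[Tuple[str, int, int, int]]:
    """Return (dst, pps, unique_sources, avg_packet_bytes) for destinations whose
    rate is above an absolute floor AND `factor` times their baseline. The floor
    stops tiny hosts with a near-zero baseline tripping on a few hundred pps;
    the factor keeps known-busy hosts quiet."""
    hits: List[Tuple[str, int, int, int]] = []
    for dst, s in stats.items():
        pps = s.packets / window_seconds
        base = baseline_pps.get(dst, DEFAULT_BASELINE_PPS)
        if pps >= min_pps and pps >= factor * base:
            hits.append((dst, round(pps), len(s.sources), round(s.octets / s.packets)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def detect(export_text: str = SAMPLE_EXPORT) -> List[Tuple[str, int, int, int]]:
    flows = parse_export(export_text)
    stats = aggregate_by_destination(flows, OUR_PREFIXES)
    return find_attack_targets(stats, observation_window(flows), BASELINE_PPS)


if __name__ == "__main__":
    for dst, pps, nsrc, avg in detect():
        # Report only: the operator decides on RTBH/ACL/scrubbing.
        print(f"{dst}: {pps} pps from {nsrc} sources, avg {avg} B/pkt -> candidate victim")
```

The unique-source count and average packet size are reported because they separate a flood (many sources, tiny packets toward one host) from a legitimate spike (few sources, full-size packets); a real deployment would learn the baselines from history rather than hard-code them, and would run this per exporter and per time bucket.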



