[j-nsp] mitigating dos attack on Juniper M10i

Stefan Fouant sfouant at shortestpathfirst.net
Tue Apr 5 22:48:42 EDT 2011


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Jonas Frey (Probe Networks)
> Sent: Tuesday, April 05, 2011 10:24 PM
> To: kwarteng
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
> 
> You don't really need netflow to find the host attacking if it's a simple
> attack.

Easier said than done, and he'll need to parse through a lot of output to be able to find the attacking destination.  Having said that, I do agree in a volumetric attack you should see proportionately more traffic going to a particular destination host.

Nonetheless, in this particular user's case I think prefix-specific counters will be a simpler solution as it should be easier to look at the counter data to isolate a particular host rather than having to pore over log data.

But seriously, why anybody in this day and age would be running any network without netflow* visibility is beyond me.

*Full disclosure - I work for a vendor which makes commercial gear and tools in this area.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
