[j-nsp] mitigating dos attack on Juniper M10i
Stefan Fouant
sfouant at shortestpathfirst.net
Tue Apr 5 22:48:42 EDT 2011
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Jonas Frey (Probe Networks)
> Sent: Tuesday, April 05, 2011 10:24 PM
> To: kwarteng
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] mitigating dos attack on Juniper M10i
>
> You don't really need netflow to find the host attacking if it's a simple
> attack.
Easier said than done, and he'll need to parse through a lot of output to be able to find the attacking destination. Having said that, I do agree in a volumetric attack you should see proportionately more traffic going to a particular destination host.
Nonetheless, in this particular user's case I think prefix-specific counters will be a simpler solution as it should be easier to look at the counter data to isolate a particular host rather than having to pore over log data.
But seriously, why anybody in this day and age would be running any network without netflow* visibility is beyond me.
*Full disclosure - I work for a vendor which makes commercial gear and tools in this area.
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC