[j-nsp] Best way to detect abnormal traffic without enabling security?

Jonathan Lassoff jof at thejof.com
Tue Apr 3 03:34:48 EDT 2012


On Tue, Apr 3, 2012 at 12:20 AM, Yucong Sun (叶雨飞) <sunyucong at gmail.com> wrote:
> But jflow is not going to work in packet mode, right?

Netflow-like reporting is probably the right way to detect these types
of anomalies in a scalable manner. However, I can't speak to the
performance of it on J-series. I'm guessing that since the state is
probably handled in-memory and with a CPU on that platform (J-series),
that exporting flows will just become another DOS vector.

If you're looking to try and narrow down where the bulk of your
traffic is going in a more stateless manner, consider looking at
"monitor interface traffic" and looking for abnormally high numbers,
or set up a firewall filter that counts term hits. Then, monitor the
counters for the filter and see which terms are getting hit the most.


Alternatively, tap all of your traffic (if it's a J-series, I can't
imagine it's more than 1 - 2 Gbps) and analyze it on another PC. If
you have some upstream or downstream managed switches, this could be
possible.
Using tshark on the command line, I would run something like "tshark
-ni eth0 -z ip_hosts,tree" to get a breakdown from a live capture as
to which IPs are talking the most.

Cheers,
jof
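As an added illustration (not part of jof's post), the stateless counting filter he describes, written out in Junos configuration; the filter name, interface, and the term definitions are assumptions for the example.

```junos
# Added example (not from the original post). Filter name, interface and
# term definitions are assumptions for illustration.
firewall {
    family inet {
        filter count-traffic {
            term dns {
                from {
                    protocol udp;
                    destination-port 53;
                }
                then {
                    count dns-hits;
                    accept;
                }
            }
            term web {
                from {
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then {
                    count web-hits;
                    accept;
                }
            }
            # Junos filters end with an implicit discard: without this
            # catch-all term, unmatched traffic is dropped, not counted.
            term everything-else {
                then {
                    count other-hits;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input count-traffic;
                }
            }
        }
    }
}
# Operational mode, after commit:
#   show firewall filter count-traffic      (per-term packet/byte counters)
#   clear firewall filter count-traffic     (reset before the next sample)
```

Every term accepts, so the filter only observes; comparing the counters across a few samples shows which traffic class is growing abnormally.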
