[j-nsp] Best way to detect abnormal traffic without enabling security?

Tim Eberhard xmin0s at gmail.com
Sat Sep 8 12:53:13 EDT 2012


Additionally Netflow/jflow sampling would provide a greater level of insight. Careful with the sampling rate however as you don't want to make the ddos worse...

There are lots of free and paid products that will analyze jflow. Juniper sells a Q1 labs product they call STRM. It does a great job.

Hope this helps,
Tim Eberhard 

On Sep 8, 2012, at 7:28 AM, Mark Radabaugh <mark at amplex.net> wrote:

> My suggestion would be a managed Ethernet switch on whichever side of the J2350 that you can put it with a SPAN port to dump traffic to Wireshark. It should be fairly easy to spot the offending traffic.
> 
> Mark
> 
> 
> On 3/31/12 12:50 AM, Yucong Sun (叶雨飞) wrote:
>> Hi,
>> 
>> I am currently using a pair of J2350 exporting about 200+ /32 BGP
>> routes to my peer, and I've been hit by DDOS several times, the hardest
>> part for me is to figure out which IP was getting the DDOS and
>> deactivate that route, which will de-announce that route to my peer.
>> 
>> However I have no established method right now to figure out which IP
>> is getting DDOSed, so I am hoping somebody can pass along some
>> sampling or dump method to quickly identify troublesome dst ip.
>> 
>> Thanks!
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> -- 
> Mark Radabaugh
> Amplex
> 
> mark at amplex.net  419.837.5015
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
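
As an added example (not part of the original thread or of any Juniper or STRM tooling), one way to turn sampled flow records into a ranked list of likely DDoS destinations among the announced /32s. The CSV column layout, the 1-in-1000 sampling rate, the 60-second window, the thresholds, and the assumption that the exported counters are unscaled sampled counts are all hypothetical; the records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: sampled flow records as CSV (src, dst, proto, packets, bytes).
# The column layout is an assumption; adapt it to your collector's export format.
SAMPLE_FLOWS = """\
src,dst,proto,packets,bytes
198.51.100.7,203.0.113.10,17,40,2400
198.51.100.9,203.0.113.10,17,55,3300
192.0.2.44,203.0.113.10,17,62,3720
192.0.2.45,203.0.113.11,6,3,1800
198.51.100.20,203.0.113.12,6,2,2900
192.0.2.80,203.0.113.10,17,48,2880
192.0.2.81,198.18.0.5,6,1,60
"""

def estimate_rates(flow_csv, announced, sampling_rate, interval_s):
    """Return {dst: (est_pps, est_bps)} for destinations inside announced prefixes."""
    nets = [ipaddress.ip_network(p) for p in announced]
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            dst = ipaddress.ip_address(row["dst"])
            pkts, octets = int(row["packets"]), int(row["bytes"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed records rather than abort the run
        if any(dst in n for n in nets):
            totals[str(dst)][0] += pkts
            totals[str(dst)][1] += octets
    # Each sampled packet stands for roughly `sampling_rate` real packets.
    return {ip: (p * sampling_rate / interval_s, b * 8 * sampling_rate / interval_s)
            for ip, (p, b) in totals.items()}

def likely_targets(rates, min_pps, min_share):
    """Destinations above an absolute pps floor AND a share of all estimated pps."""
    total_pps = sum(pps for pps, _ in rates.values()) or 1
    hits = [(ip, pps, bps) for ip, (pps, bps) in rates.items()
            if pps >= min_pps and pps / total_pps >= min_share]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    announced = ["203.0.113.10/32", "203.0.113.11/32", "203.0.113.12/32"]
    rates = estimate_rates(SAMPLE_FLOWS, announced, sampling_rate=1000, interval_s=60)
    for ip, pps, bps in likely_targets(rates, min_pps=1000, min_share=0.5):
        print(f"{ip}  ~{pps:,.0f} pps  ~{bps / 1e6:.2f} Mbit/s")
```

Requiring both an absolute floor and a share of total traffic keeps a normally busy address from being flagged during quiet periods, and a coarser sampling rate lowers router load at the cost of noisier estimates for small flows.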


