Hi, I use flow-tools to monitor the link bandwidth utilization on three backbone interfaces. The total bandwidth utilized is about 11Gbps, and the netflow data is analyzed to show statistics on some special ports (e.g. port 0, port 445 etc.). I think this could give us some indication of a possible DoS attack, but it's hard to monitor DoS attacks on all hosts or all ports. In fact, I'm not sure whether traffic monitoring could REALLY help to identify DoS attacks, esp. in ISP networks. My questions include:

1) What should be protected in ISP networks? The ISP's own network, or both the ISP's network and its customers? I think the answer is, the ISP should only care about the safety of its own network, which should be overprovisioned (not only link bandwidth but also CPU/MEM etc.); we could use some techniques like reverse route checking and ACLs to immunize the core routers/switches from DoS.

2) What cost should we take on to identify any possible DoS in the ISP network? I think it will cost a lot if we keep monitoring traffic on all edge routers (both to the backbone network and to customers), because we have to set up traffic monitoring on all interfaces and we have to set up analysis hosts whose capacity has to be increased from time to time. Meanwhile the payback is not obvious (at least botnets could not be crashed easily).

3) Are those techniques used these days really effective? Where can I find some theoretical analysis of the method Arbor uses to identify DoS? In my experience, network attacks are continuous. I did an experiment in our network: I put a Win2003 server on the access layer. After 24 hours, the software firewall on it recorded about 10,0000 scan & attack attempts. Arbor says its product builds up a traffic model before identifying DoS, while the DoS may already have been at its peak while Arbor's box is building up its traffic model!!

So, how can we deal with DoS in ISP networks?

--- "David J. Hughes" <bambi@hughes.com.au> wrote:
On 04/03/2005, at 5:17 AM, Chris Roberts wrote:

> I know you said not Arbor, but I'd second this opinion. I used Arbor at a medium-sized European ISP and it was fantastic at the job. Just in the trial period it found a lot of smaller DoS attacks on our network that we didn't even know were there, and this was without a particular baseline. I think the development time you'd spend building something like it (we tried building similar with cflowd et al) would outweigh the costs... This is always a moot point if you don't have the cash though I guess :-)
Another option on the commercial front is from Esphion in New Zealand (www.esphion.com). I've been involved with deploying their products at a large hosting provider in Australia and I've been very impressed with the performance and reliability. It's now an integral part (if not the corner stone) of our DOS mitigation procedure. Good bit of kit.
David ...
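The poster's worry that a detector may build its traffic model while the DoS is already at its peak can be shown concretely. The Python script below is an added example, not code from this thread, from flow-tools, or from the Arbor or Esphion products. It sums constructed NetFlow-style records per (destination, port) per minute, builds a per-key threshold from a training window, and flags later minutes that exceed it. Two baselines are compared: mean + 3 sigma, which is pulled up by a flood already running during training and therefore misses it, and a median/MAD baseline, which is not. The victim address, the record layout, the packet volumes and the 5000 pkt/min alert floor are all assumptions made for the demo.

```python
"""
Per-destination NetFlow baseline detector (added example, not from the thread).

Records are a simplified dict form of what a flow exporter produces; the
sample data below is constructed.  Packets are summed per (dst, dport) per
60 s bucket, a threshold is built from a training window, and later buckets
above it are flagged.  Two baselines are compared to show what happens when
the model is built while the attack is already running.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

BUCKET = 60            # seconds per aggregation bucket
MIN_PPS_FLOOR = 5000   # assumed floor: never alert below this many packets per bucket
VICTIM = "192.0.2.10"  # assumed victim host (documentation prefix)

# Constructed legitimate load to VICTIM:80, packets per minute for buckets 0..12.
NORMAL_PPM = [980, 1010, 1000, 990, 1020, 1005, 995, 1015, 1000, 1000, 1000, 1000, 1000]
ATTACK_BUCKETS = {8, 9, 10, 11}   # the flood is already running during training
ATTACK_PPM = 50000                # spoofed-source SYN flood: 50 sources x 1000 pkts


def build_sample_flows():
    """Constructed flow records: 4 legitimate clients per minute, plus the flood."""
    flows = []
    for b, n in enumerate(NORMAL_PPM):
        per_flow, rem = divmod(n, 4)
        for i in range(4):
            flows.append({"start": b * BUCKET + i * 10, "src": f"198.51.100.{i + 1}",
                          "dst": VICTIM, "proto": 6, "sport": 40000 + i, "dport": 80,
                          "packets": per_flow + (rem if i == 0 else 0)})
        if b in ATTACK_BUCKETS:
            for i in range(50):
                flows.append({"start": b * BUCKET + i, "src": f"203.0.113.{i + 1}",
                              "dst": VICTIM, "proto": 6, "sport": 1024 + i, "dport": 80,
                              "packets": ATTACK_PPM // 50})
    return flows


def bucketize(flows, bucket=BUCKET):
    """Return {(dst, dport): {bucket_index: packets}} from flow records."""
    series = defaultdict(lambda: defaultdict(int))
    for f in flows:
        series[(f["dst"], f["dport"])][f["start"] // bucket] += f["packets"]
    return series


def mean_baseline(values, k=3.0):
    """Classic mean + k*sigma threshold; any attack in the window pulls it up."""
    return mean(values) + k * pstdev(values)


def robust_baseline(values, k=5.0):
    """Median + k*MAD threshold (1.4826 scales MAD to sigma for normal data).
    Up to half the training buckets can be polluted without moving it much."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * 1.4826 * mad


def detect(series, train_buckets, test_buckets, baseline_fn, floor=MIN_PPS_FLOOR):
    """Build a threshold from train_buckets; return ({flagged_bucket: pkts}, threshold)."""
    train = [series.get(b, 0) for b in train_buckets]
    # The floor keeps a 3x spike on a host doing 10 pkt/min from becoming a "DoS".
    threshold = max(baseline_fn(train), floor)
    flagged = {b: series.get(b, 0) for b in test_buckets if series.get(b, 0) > threshold}
    return flagged, threshold


def run_demo():
    """Run the same detection with a polluted and a clean training window."""
    series = bucketize(build_sample_flows())[(VICTIM, 80)]
    dirty_train, test = range(0, 10), range(10, 13)   # training overlaps flood buckets 8-9
    clean_train = range(0, 8)                         # training ends before the flood
    return {
        "mean_dirty": detect(series, dirty_train, test, mean_baseline),
        "robust_dirty": detect(series, dirty_train, test, robust_baseline),
        "mean_clean": detect(series, clean_train, test, mean_baseline),
    }


if __name__ == "__main__":
    for name, (flagged, thr) in run_demo().items():
        print(f"{name:12s} threshold={thr:9.1f} flagged={flagged or 'nothing'}")
```

With a clean training window the plain mean baseline flags the flood minutes just fine; with two flood minutes inside the window its threshold climbs above the flood itself and nothing is reported. The median/MAD baseline flags the same minutes either way, which is the property to ask about in any product that "learns" traffic before it alerts: how much of the learning window may already be attack traffic before the model is silently poisoned.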