* Kim Onnel:
So I can safely say that detecting DDoS attacks is mostly done using Netflow data; now the only tool (known) on the market to analyze for attacks is Arbor, now besides being expensive, which is a problem for mid-sized ISPs,
Who qualifies as a mid-sized ISP? What equipment is typical? Even the most simple approach, based on sampled Netflow, an off-the-shelf SQL database (PostgreSQL preferred) and a couple of Perl scripts, can work wonders. You won't get reliable automated alerts, but you can run ad-hoc queries to find out what's going on on your network when something or somebody else has detected a problem. The people already doing this probably consider this trivial, so it's not well documented. I tried to write something down, but never found the time to really polish it: <http://cert.uni-stuttgart.de/projects/flows/>

DoS detection can be quite hard, especially if you have many compromised Windows boxes and you can't force the owners to clean them (because it's too expensive to contact them, for example). This results in a lot of background noise and useless flow data, too. If there's little background noise, you can use a straightforward SQL query that you run periodically.
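The "sampled Netflow into a SQL database, then a periodic query" approach described in the reply, as an added example that is not the poster's scripts or the cert.uni-stuttgart.de project's code. It uses SQLite in place of PostgreSQL so it runs stand-alone; the 1-in-1000 sampling rate, the 60-second window, the thresholds and every flow record are constructed assumptions. The query estimates per-destination packet and bit rates from the sample and requires both a high estimated packet rate and many distinct sources before reporting a destination, which is what keeps the "background noise" from a few chatty compromised hosts (many destinations, few packets each) out of the result:

```python
"""Periodic DoS check over sampled NetFlow stored in a SQL table.

Added example (not the original poster's code). SQLite stands in for
PostgreSQL; sampling rate, window, thresholds and all flow rows are
constructed assumptions for the demonstration.
"""
import sqlite3

SAMPLING_RATE = 1000   # assumption: the exporter samples 1 in 1000 packets
WINDOW = 60            # assumption: seconds per analysis bucket

SCHEMA = """
CREATE TABLE flows (
    ts     INTEGER NOT NULL,   -- flow start, unix seconds
    src    TEXT    NOT NULL,
    dst    TEXT    NOT NULL,
    proto  INTEGER NOT NULL,
    dport  INTEGER NOT NULL,
    pkts   INTEGER NOT NULL,   -- sampled packet count
    bytes  INTEGER NOT NULL    -- sampled byte count
);
CREATE INDEX flows_ts_dst ON flows (ts, dst);
"""

# The periodic query: per destination in the window, scale the sampled
# counts back up to an estimated packet/bit rate, count distinct sources,
# and keep only destinations that exceed BOTH thresholds.
QUERY = """
SELECT dst,
       COUNT(*)                              AS sampled_flows,
       COUNT(DISTINCT src)                   AS distinct_srcs,
       SUM(pkts) * :rate / :window           AS est_pps,
       SUM(bytes) * :rate * 8 / :window      AS est_bps,
       CAST(SUM(bytes) AS REAL) / SUM(pkts)  AS avg_pkt_bytes
FROM flows
WHERE ts >= :t0 AND ts < :t0 + :window
GROUP BY dst
HAVING COUNT(DISTINCT src) >= :min_srcs
   AND SUM(pkts) * :rate / :window >= :min_pps
ORDER BY est_pps DESC
"""


def constructed_flows(t0):
    """Synthetic sampled flows: quiet background, scanner noise, one flood."""
    rows = []
    # Background: 20 hosts fetching from one web server (few sources).
    for i in range(20):
        rows.append((t0 + i, f"198.51.100.{i}", "192.0.2.20", 6, 443, 5, 4000))
    # Noise: one compromised host touching 30 destinations, 1 packet each.
    for i in range(30):
        rows.append((t0 + i, "203.0.113.7", f"192.0.2.{100 + i}", 6, 445, 1, 48))
    # Flood: 400 distinct sources, one tiny packet each, at one victim.
    for i in range(400):
        rows.append((t0 + i % WINDOW, f"198.18.{i // 256}.{i % 256}",
                     "192.0.2.10", 6, 80, 1, 40))
    return rows


def load(conn, rows):
    """Create the schema and bulk-insert sampled flow records."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)", rows)


def suspect_targets(conn, t0, min_srcs=100, min_pps=1000):
    """Run the periodic query for the window starting at t0."""
    params = {"t0": t0, "window": WINDOW, "rate": SAMPLING_RATE,
              "min_srcs": min_srcs, "min_pps": min_pps}
    cols = ["dst", "sampled_flows", "distinct_srcs",
            "est_pps", "est_bps", "avg_pkt_bytes"]
    return [dict(zip(cols, row)) for row in conn.execute(QUERY, params)]


def run_demo(t0=1_700_000_000):
    """Load the constructed flows into an in-memory DB and query one window."""
    conn = sqlite3.connect(":memory:")
    load(conn, constructed_flows(t0))
    return suspect_targets(conn, t0)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

In the constructed data the web server reaches about 1666 estimated pps but has only 20 sources, and the scanning host produces 30 single-packet destinations, so neither is reported; only the flooded host (400 sources, roughly 6666 pps, 40-byte average packets) comes back. The thresholds are site-specific and the sampling rate must match what the router actually exports, otherwise the rate estimates are off by that factor.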