Hi,
You aren't distinguishing between 'dos attack' and 'scan' or 'probe' or 'welcome to the Internet!' traffic. The Arbor systems may see 'scan' traffic (depending upon sample rates and traffic loads) and they may not... They aren't designed to see that, they are designed to: (speaking of peakflow SP, peakflow Traffic, peakflow DoS only... peakflow X isn't really a 'provider' solution as much as an 'enterprise' tool)
That's what I think: the current tool is not enough, because we cannot think ongoing traffic is not malicious when tools are building up a 'normal' traffic model in ISP networks. But in an enterprise network this could be achieved, because the traffic pattern for an enterprise could be estimated, and the load on a special server could be controlled by a threshold (but think about the CNN website on 911).
1) to watch traffic and alarm against thresholds
2) track traffic trends over time
3) report traffic trends over time
So, it needs to define what should be monitored (port, protocol, application data set ...)?
(possibly some other things out of scope of this discussion... someone from Arbor could/should clarify)
Some of your cflowd gathering should also see these things, but they will need data correlation, something Arbor already went to the trouble of doing for you... So, define: "attack" and then see if your tool fits that definition.
So, I think the current tool is just for enterprise, or for ISPs who want to provide anti-DoS services.

Regards,
Joe