On Tue, Jul 21, 2015 at 08:07:34AM -0500, Rafael Possamai wrote:
> Has anyone tried to implement real-time SQC in their network? You can calculate summary statistics and use math to determine if traffic is "normal" or if there's a chance it's garbage. You won't be able to notice one-off attacks, but anything that repeats enough times should pop up. Facebook uses similar technology to figure out what kind of useless news to display on your feed.
>
> In summary, instead of blocking an entire country, we should be able to analyze traffic as it comes, and determine a DDoS attack without human intervention.
We profile the protocols on our network so we understand what the levels of UDP, ICMP, IPv6, etc. are. It's easy to pick out spikes in the graphs that are related to attacks. Setting thresholds related to this to minimize impact for customers is important, as it eliminates the garbage that networks carry and reduces the impact to sites that are under attack.

- Jared

-- 
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
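The approach both posts sketch, per-protocol baselines with an absolute threshold and an alert only when a spike repeats, written out as an added example (not code from either poster). The `ProtocolSpikeDetector` class, the constructed per-interval packet counts and the `floor`/`run` parameters are assumptions made for this illustration.

```python
import statistics
from collections import deque

class ProtocolSpikeDetector:
    """Shewhart-style control chart per protocol (UDP, ICMP, IPv6, ...).

    The baseline is a sliding window of per-interval packet counts. An
    interval is out of control when it exceeds mean + k*stdev or an absolute
    floor, whichever is higher, and an alert fires only after `run`
    consecutive out-of-control intervals, so a one-off blip stays quiet and
    a repeating spike pops up. Out-of-control samples are not folded into the
    baseline; otherwise a sustained flood would become the new normal.
    """

    def __init__(self, window=60, k=3.0, floor=0, run=3):
        self.window, self.k, self.floor, self.run = window, k, floor, run
        self.history = {}   # protocol -> deque of baseline counts
        self.streak = {}    # protocol -> consecutive out-of-control intervals

    def upper_limit(self, proto):
        hist = self.history.get(proto)
        if not hist or len(hist) < 2:
            return None                      # not enough baseline yet
        mean, sd = statistics.fmean(hist), statistics.pstdev(hist)
        return max(self.floor, mean + self.k * sd)

    def observe(self, proto, count):
        """Feed one interval's packet count; return True when an alert fires."""
        ucl = self.upper_limit(proto)
        if ucl is not None and count > ucl:
            self.streak[proto] = self.streak.get(proto, 0) + 1
        else:
            self.streak[proto] = 0
            self.history.setdefault(proto, deque(maxlen=self.window)).append(count)
        return self.streak[proto] >= self.run

def demo():
    """Constructed traffic: 60 quiet UDP intervals, then a 6-interval flood."""
    det = ProtocolSpikeDetector(floor=200)
    quiet = [1000 + (i * 37) % 60 - 30 for i in range(60)]   # ~970..1029 pps
    flood = [5000] * 6
    alerts = [i for i, c in enumerate(quiet + flood) if det.observe("udp", c)]
    # Low-volume protocol: on sigma alone 12 vs a baseline of ~5 would be
    # flagged; the absolute floor keeps such noise from paging anyone.
    for c in (5, 6, 4, 5, 6, 5):
        det.observe("icmp", c)
    icmp_alert = det.observe("icmp", 12)
    return alerts, icmp_alert, det.streak["icmp"]

if __name__ == "__main__":
    print(demo())   # → ([62, 63, 64, 65], False, 0)
```

The flood starts at interval 60 but the first alert is interval 62, the third consecutive out-of-control sample; tune `k`, `floor` and `run` per protocol from your own graphs.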