On Wed, May 25, 2005 at 10:45:15AM -0400, Drew Weaver wrote:
> I'm wondering if there is such an animal out there? All of the ones I have
> seen are made for the multi-gigabit service provider; there aren't any for
> the smaller mid-rangers out there. Can anyone suggest anything that we can
> put in place? The attacks we're seeing are just a huge influx of PPS, not so
> much the amount of bandwidth.

I presume you're already graphing/collecting the pps data on your interfaces?

You may want to figure out what your normal p95 pps rate is, then configure some snmp system to watch the ifc counters.

You could use something like this:

http://sysmon.org/config.html#snmpTestRate

You of course need to have some underlying snmp data collection going on, but for watching for traffic bursts or other types of things (pps or not), there are some free/like-free tools out there.

Maybe you have some programmers at your place that can spend a few hours writing some system that would watch netflow data. The spec is public here:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm

You need to know how to interpret the data, which is why it may be worthwhile to just pay someone for a system that has already done it (the analysis) for you.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
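
The baseline-and-watch approach from the reply above, as an added example that is not part of the original post: it derives pps from successive interface packet-counter polls, takes the p95 of a normal period, and flags intervals well above it. The counter values, the 60-second poll interval and the 3x margin are assumptions, and the polls are constructed sample data rather than output from any real device.

```python
import math

COUNTER32_MOD = 2 ** 32  # ifInUcastPkts-style Counter32 wraps at 2^32

def pps_rates(polls, modulus=COUNTER32_MOD):
    """Convert (unix_time, counter) polls into (time, pps), tolerating one wrap."""
    rates = []
    for (t0, c0), (t1, c1) in zip(polls, polls[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # duplicate or out-of-order poll
        rates.append((t1, ((c1 - c0) % modulus) / dt))
    return rates

def p95(values):
    """Nearest-rank 95th percentile."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(0.95 * len(ordered))) - 1]

def find_bursts(baseline_polls, new_polls, factor=3.0):
    """Flag intervals above factor * baseline p95 (factor is an assumed margin)."""
    threshold = factor * p95([r for _, r in pps_rates(baseline_polls)])
    return threshold, [(t, r) for t, r in pps_rates(new_polls) if r > threshold]

def make_polls(start_time, start_counter, pps_list, interval=60):
    """Constructed sample data: simulate Counter32 polls from a list of pps values."""
    polls = [(start_time, start_counter)]
    for pps in pps_list:
        t, c = polls[-1]
        polls.append((t + interval, (c + pps * interval) % COUNTER32_MOD))
    return polls

# Constructed baseline: 20 one-minute polls of normal traffic, 1000..1950 pps.
BASELINE = make_polls(0, 0, [1000 + 50 * i for i in range(20)])
# Constructed window under test: counter wraps in the 2nd interval, burst in the 3rd.
WINDOW = make_polls(1200, COUNTER32_MOD - 100_000, [1500, 1800, 40_000, 1700])

if __name__ == "__main__":
    threshold, bursts = find_bursts(BASELINE, WINDOW)
    print(f"threshold: {threshold:.0f} pps")
    for t, r in bursts:
        print(f"burst at t={t}: {r:.0f} pps")
```

A device reboot resets the counter and is indistinguishable from a wrap in this code; discarding the first interval after sysUpTime goes backwards avoids a false burst.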