IDS/DDOS prevention hardware that doesn't cost $80,000+?
I'm wondering if there is such an animal out there? All of the ones I have seen are made for the multi-gigabit service provider; there aren't any for the smaller mid-rangers out there. Can anyone suggest anything that we can put in place? The attacks we're seeing are just a huge influx of PPS, not so much the amount of bandwidth. Offlist to keep chatter low is fine with me. Sorry to be a bother, -D
Any firewall/router that supports rate limiting should suffice for most DDoS mitigation tactics. A program called Snort (layer 7 content filtering) should take care of most of your IDS needs as well.
On Wed, May 25, 2005 at 10:45:15AM -0400, Drew Weaver wrote:
I'm wondering if there is such an animal out there? All of the ones I have seen are made for the multi-gigabit service provider there aren't any for the smaller mid-rangers out there. Can anyone suggest anything that we can put in place? The attacks we're seeing are just a huge influx of PPS not so much the amount of bandwidth.
I presume you're already graphing/collecting the pps data on your interfaces? You may want to figure out what your normal p95 pps rate is, then configure some SNMP system to watch the ifc counters. You could use something like this: http://sysmon.org/config.html#snmpTestRate

You of course need to have some underlying SNMP data collection going on, but for watching for traffic bursts or other types of things (pps or not), there are some free/like-free tools out there.

Maybe you have some programmers at your place that can spend a few hours writing some system that would watch netflow data. The spec is public here: http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm

You need to know how to interpret the data, which is why it may be worthwhile to just pay someone for a system that has already done it (the analysis) for you.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
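The counter-watching approach Jared outlines, as an added example that is not part of the thread: it turns successive SNMP ifInUcastPkts-style counter readings into packets per second (handling the 32-bit counter wrap), takes the p95 pps of a quiet baseline window, and flags polling intervals that exceed a multiple of that baseline. All sample data is constructed, and the function names, polling interval and 3x threshold are assumptions.

```python
"""Added example, not from the thread: a minimal pps burst watcher of the kind
Jared describes. Counter readings -> pps, p95 of a quiet baseline window,
then flag polling intervals exceeding a multiple of it. Data is constructed."""
import math

COUNTER_MAX = 2**32  # ifInUcastPkts is 32-bit; use 2**64 for ifHCInUcastPkts

def pps_from_counters(samples, counter_max=COUNTER_MAX):
    """samples: (unix_time, counter) pairs in time order -> pps per interval.
    Modular subtraction handles a single counter wrap between polls
    (a reboot/counter reset still produces one bogus reading)."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        rates.append(((c1 - c0) % counter_max) / (t1 - t0))
    return rates

def percentile(values, p):
    """Nearest-rank percentile (the usual 'p95' in traffic graphing)."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = math.ceil(p * len(ordered) / 100)
    return ordered[max(rank, 1) - 1]

def burst_intervals(rates, baseline_p95, factor=3.0):
    """Indices of polling intervals whose pps exceeds factor * baseline p95."""
    return [i for i, r in enumerate(rates) if r > baseline_p95 * factor]

def counters_from_pps(pps_series, start=4_294_000_000, interval=60):
    """Constructed helper: synthesise counter readings for a given pps series,
    starting close to the 32-bit limit so the wrap path is exercised."""
    samples = [(0, start)]
    for pps in pps_series:
        t, c = samples[-1]
        samples.append((t + interval, (c + pps * interval) % COUNTER_MAX))
    return samples

# Constructed data: ~8 kpps normal traffic, then a packet flood at ~1.2 Mpps.
BASELINE_PPS = [7800, 8100, 8300, 7900, 8000, 9500, 8200, 7700, 8400, 8050,
                7950, 8150, 9200, 8250, 7850, 8350, 8000, 8100, 7900, 8200]
LIVE_PPS = [8100, 8000, 1_200_000, 1_150_000, 8200]

def check(live_pps=LIVE_PPS, baseline_pps=BASELINE_PPS, factor=3.0):
    """Return (baseline p95 pps, list of burst interval indices)."""
    p95 = percentile(pps_from_counters(counters_from_pps(baseline_pps)), 95)
    return p95, burst_intervals(pps_from_counters(counters_from_pps(live_pps)), p95, factor)
```

With real data the baseline window should be a quiet period long enough that one spike does not become the p95 itself, and the threshold factor tuned to how bursty the link normally is.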
Cisco routers and switches export network accounting information. You can write software that reads these flows and reports to you who the top talker/DDoS source is, or you can get an open-source one (flow-tools, ntop, ...), or you can buy one (Arbor, Lancope, Crannog, ...). On 5/25/05, Drew Weaver <drew.weaver@thenap.com> wrote:
I'm wondering if there is such an animal out there? All of the ones I have seen are made for the multi-gigabit service provider there aren't any for the smaller mid-rangers out there. Can anyone suggest anything that we can put in place? The attacks we're seeing are just a huge influx of PPS not so much the amount of bandwidth.
Offlist to keep chatter low is fine with me.
Sorry to be a bother,
-D
On May 25, 10:45am, "Drew Weaver" <drew.weaver@thenap.com> wrote:
I'm wondering if there is such an animal out there? All of the ones I have seen are made for the multi-gigabit service provider there aren't any for the smaller mid-rangers out there. Can anyone suggest anything that we can put in place? The attacks we're seeing are just a huge influx of PPS not so much the amount of bandwidth.
I'm not sure if I should keep quiet or ... what the heck. FWIW, we're finalising prototypes of a system that may meet your needs. It consists of a central control unit and one or more intelligent filter units you place strategically in your network (you typically want to filter as close as possible to your ingress points).

The general functionality is that when you detect (by whatever means you choose; we don't do any intrusion/"cold" detection) an attack on one or more targets inside your network, you redirect traffic to the filter(s) (this is done using BGP updates from the control unit, but let's not go into more details right now), which then deploy a unique and highly innovative method (patent pending) for identifying and filtering out the attack traffic, while letting bona fide traffic through unhindered. An upcoming revision will support explicit ACLs (i.e., black- and white-listing of traffic sources) for you to upload if you have tools that generate those, as well as various traffic control functions. There will also be strong profiling and offline analysis support, and hopefully some nifty graphical tools.

The basic filter unit has a capacity of about 1 million pps, and comes as standard with a gigabit ethernet interface (1 Mpps translates roughly to a fully loaded Gbit ethernet at minimum frame size). Beware of people that quote capacity in bps rather than pps; dumb bits beyond the packet header don't cost anything to transport, so you can quote enormous capacities if you envisage an attack with large packets. But you probably knew that already.

Physically it's a rackmount 1U box with some very noisy fans (machine room placement only). USD pricing is TBD but will be very interesting. Let me know if you're interested, and I'll get in touch when we're closer to real production, which isn't far away (a couple of months).

Best,
-- Per
On 5/25/05, Per Gregers Bilse <bilse@networksignature.com> wrote:
(snip)...which then deploy a unique and highly innovative method (patent pending) for identifying and filtering out the attack traffic, while letting bona fide traffic through unhindered. ...(snip)
Well, that is the important part. There are plenty of off-the-shelf tools that allow someone to gather and analyze pertinent network data; the most important, and consequently most difficult, part is differentiating the good from the bad. I'm not aware of any free/open/cheap tools that go beyond the basic "your <insert metric here> has exceeded the baseline" alert.

aaron.glenn