Have you considered Snort? That being said, if you do get slammed by a DDoS, dropping packets at your edge does not guarantee you a trouble-free day; you need to find out if your provider has enough upstream/responsive equipment to withstand it.
On Sun, Aug 4, 2013 at 7:15 PM, Reza - Voipernetics <[email protected]> wrote:

> Over the past few weeks we have observed DDoS type attacks on 4 different data centres across Canada, United States, Germany and France where we have dedicated servers hosted.
> We have not experienced a situation where **ALL** the data centres were affected the same day.
> Our VoIP services redundancy at the DNS and DNS/SRV level kicks in immediately to avoid downtime for clients, when a DDoS affects the network traffic to/from our servers.
>
> Fortunately we have not been the targets, and it upsets any business owner if one of their servers is affected (regardless of the level of redundancy).
> The origination of these DDoS attacks was from Amazon clouds.
>
> Even though the attacks were not targeted towards our servers, it has impacted us along with all the hundreds of servers connected at the data centres, which are shared on the same core switch.
>
> These DDoS attacks that we have witnessed at the data centres last for *factors* of 5 minutes, and are **CLOCKWORK**.
> Between 8:00 and 8:30 PM Toronto Local Time - specifically on Thursdays & Fridays.
> The network team at the data centres (my hats off to them) had identified the targeted server, null routed them and problem solved.
> At one point, I've been advised that the targeted server(s) were being pounded with 8 Gbps of attacks.
>
> So this naturally gets me more curious.
> The common denominator of these DDoS type attacks appears to be "high bandwidth" usage.
> It disrupts services on not only the "victim" but everyone close by.
>
> The data centres are using closed source proprietary products such as PeakFlow from Arbor Networks.
> We monitor our activity and do analysis with a bunch of open source software.
> These are mainly products for network monitoring (ntop and miscellaneous), old school packet captures, peak flow traffic, and so on and so on.
>
> Wireshark, Ethereal, pcap, ntop etc. network analysis tools are great.
> They require an intelligent person behind the keyboard for the "analysis" **after** an issue has been identified.
>
> *Would like to ask the community here for input on:*
> - Open Source type product for possible DDoS type detection (that does basic analysis for you & identifies peak traffic flow *real time*)
> - UDP level - SIP flooding type DDoS attack detection (open and closed source)
> - Pattern Matching / Fake SIP registration detection at the "packet level" - before it hits Asterisk process.
>
> Ultimately I'm looking for a tool (preferably open source) that alerts an operator with basic computer skills of abnormal behaviour.
>
> Thanks and regards,
> Reza.
>
> --
> FOUNDER & SR. TELECOM ANALYST
> VOIPERNETICS COMMUNICATIONS
> NATION WIDE DIDS, SIP TRUNKS & VOIP 911.
> PARTIAL / FULL VIRTUAL PRI - NO CONTRACTS!
> HOSTED PBX & TERMINATION SERVICES.
> TEL: 647-476-2067
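One way to get the kind of operator-friendly, real-time SIP flood and fake-registration alerting asked about in the quoted post, as an added example that is not from this thread or from any of the tools named in it: a sliding-window detector that flags a source sending too many REGISTER requests, or REGISTERs for too many distinct identities, within a short window. The window length and thresholds are assumed placeholders rather than tuned values, and the traffic records fed to it are constructed.

```python
# sip_register_detect.py -- added example, not code from the thread or from Snort/ntop/Arbor.
# Sliding-window detection of (a) SIP REGISTER floods from one source and
# (b) one source registering many different identities (typical of fake/scanned
# registrations). Records are (timestamp_seconds, src_ip, method, from_user),
# e.g. parsed from a SIP trace; here they are constructed inline.
from collections import defaultdict, deque

WINDOW_SECONDS = 10        # sliding window length (assumed placeholder)
RATE_THRESHOLD = 20        # REGISTERs per source per window that count as a flood (assumed)
IDENTITY_THRESHOLD = 5     # distinct From users per source per window (assumed)


def detect(records, window=WINDOW_SECONDS, rate=RATE_THRESHOLD, identities=IDENTITY_THRESHOLD):
    """Return a sorted list of (src_ip, reason, first_alert_ts).

    records must be ordered by timestamp. Each source is alerted at most once
    per reason, so an operator sees one line per offender, not one per packet.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, from_user) still inside the window
    alerts = {}
    for ts, src, method, user in records:
        if method != "REGISTER":
            continue              # only registration traffic is rated here
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire entries older than the window
        if len(q) >= rate:
            alerts.setdefault((src, "register_flood"), ts)
        if len({u for _, u in q}) >= identities:
            alerts.setdefault((src, "many_identities"), ts)
    return sorted((s, r, t) for (s, r), t in alerts.items())


def sample_records():
    """Constructed sample traffic: one normal phone, one flooder, one identity scanner."""
    recs = [(t * 30.0, "192.0.2.10", "REGISTER", "1001") for t in range(6)]        # normal re-registration
    recs += [(100 + i * 0.1, "198.51.100.7", "REGISTER", "2001") for i in range(40)]  # 40 REGISTERs in 4 s
    recs += [(200 + i * 1.0, "203.0.113.5", "REGISTER", f"user{i}") for i in range(8)]  # 8 identities in 8 s
    recs += [(150.0, "192.0.2.10", "INVITE", "1001")]                               # non-REGISTER, ignored
    return sorted(recs)


if __name__ == "__main__":
    for src, reason, ts in detect(sample_records()):
        print(f"ALERT t={ts:.1f}s src={src} reason={reason}")
```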
