On Mar 15, 2009, at 11:54 PM, Drew Weaver wrote:
> Also, without a dedicated DDoS system deployed, what is the most reliable/fastest way to determine the destination(s) of the attacks (SNMP, NetFlow, etc)?
With or without a dedicated DDoS mitigation system, NetFlow-based anomaly-detection is generally considered to be the most scalable solution which provides network visibility of inbound/outbound/crossbound traffic.
> Any particular software tools which are helpful for detecting this? NetFlow for us has been slightly difficult to use for this task, mainly because we haven't found software that is really designed for security rather than performance (would be nice if it did both?).
Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe are three commercial NetFlow-based anomaly-detection systems. There's a free (but not open-source, AFAIK) system which has recently been released on Windows (*NIX to come later); I haven't played with it myself, but here's a link:
<http://www.akmalabs.com/downloads_flowmatrix.php>
> Either systems/techniques that automatically mitigate or systems that simply recommend mitigation steps/alert are both being evaluated.
I'm generally not a big fan of automatic mitigation, except possibly in some very limited situations/domains, as there's always the possibility it could be gamed.
> By mitigation I mean null routing sources, null routing destinations upstream (via communities), et cetera.
Again, think carefully before automating any sort of blackholing or other mitigation mechanism.
-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // +852.9133.2844 mobile

Some things are just too precious to entrust to computers. -- Seth Hanford

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
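As an added illustration of the NetFlow-based approach described in the reply (example code written for this page, not from the thread or from any of the products named): rank inbound traffic per destination from a constructed CSV reduction of NetFlow v5 records, flag destinations that sit far above their baseline and are hit from many distinct sources, and hand the result to an operator rather than to an automatic blackhole. The CSV layout, the sample flows, the window length and the baselines are all assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-v5-style export, already reduced to CSV by the collector
# (assumed layout): src,dst,proto,dst_port,packets. One 60-second window.
SAMPLE_FLOWS = """\
198.51.100.7,203.0.113.10,17,53,45000
198.51.100.8,203.0.113.10,17,53,39000
192.0.2.21,203.0.113.10,17,53,42000
192.0.2.22,203.0.113.10,17,53,36000
192.0.2.50,203.0.113.20,6,443,900
192.0.2.51,203.0.113.20,6,443,1100
198.51.100.70,203.0.113.30,6,22,60
"""
WINDOW_SECONDS = 60
# Constructed per-destination baseline in packets/second, learned from earlier windows.
BASELINE_PPS = {"203.0.113.10": 50.0, "203.0.113.20": 30.0, "203.0.113.30": 1.0}

def parse_flows(text):
    """Parse the CSV export into tuples; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split(",")
        flows.append((src, dst, int(proto), int(dport), int(pkts)))
    return flows

def aggregate_by_destination(flows):
    """Sum packets and collect the set of distinct sources per destination."""
    agg = defaultdict(lambda: {"packets": 0, "sources": set()})
    for src, dst, _proto, _dport, pkts in flows:
        agg[dst]["packets"] += pkts
        agg[dst]["sources"].add(src)
    return agg

def find_targets(flows, baseline_pps, window=WINDOW_SECONDS, ratio=10.0, min_sources=3):
    """Likely attack destinations: pps >= ratio * baseline AND many distinct sources.
    Returns (dst, pps, distinct_sources, multiple_of_baseline) for an operator to review."""
    agg = aggregate_by_destination(flows)
    hits = []
    for dst, s in agg.items():
        pps = s["packets"] / window
        base = baseline_pps.get(dst, 1.0)  # unknown destinations get a conservative baseline
        if pps >= ratio * base and len(s["sources"]) >= min_sources:
            hits.append((dst, round(pps, 1), len(s["sources"]), round(pps / base, 1)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    print(find_targets(parse_flows(SAMPLE_FLOWS), BASELINE_PPS))
```

The distinct-source threshold is what keeps a single busy client from being reported as a flood; the output is deliberately a report, not a trigger, in line with the caution above about automating blackholes.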
