Wim Biemolt wrote:
>Maurizio Molina wrote:
>
>>will you be able to post a few snapshots and/or a summary of your findings?
>>
>
>A snapshot for a customer who suffered a distributed denial of service.
>Although maybe not the best example. Even without the aberrant behavior
>you can see something is wrong. ;-)
>

One (naive) observation: the first (sharp) peak (at 17.30) is undetected. Most likely because of the threshold violation parameter choice, which, if I remember correctly, is 7 in a sliding window of 9. From the picture, it looks like we have two points that certainly *are* a violation, but they are not enough to trigger the alarm. Probably also the few points after this peak had a big mismatch between predicted and real traffic (the prediction probably went up because of the peaks, the real traffic down...), but because of the "higher" tolerance set for traffic drops (which is twice as high as for traffic increases) they are probably never detected as violations.

The picture, on the contrary, shows that more sustained attacks are detected.

It would be nice to test (with fake data, perhaps?) whether, by simply intermittently stopping and resuming the attack (how easy is it to do so in the real world?), even a strong one can remain permanently undetected.

Cheers,
Maurizio
>Cheers,
>
>-Wim -/- SURFnet
>

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
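The "fake data" test Maurizio proposes, as an added example that is not part of the original thread and not NfSen's or RRDtool's own code. It is a toy model of the detector described in the post: a prediction is compared with the observed sample, a sample outside an asymmetric tolerance band counts as a violation, and an alarm fires when at least 7 of the last 9 samples are violations (the 7-of-9 figure and the "drop tolerance is twice the increase tolerance" rule are taken from the post; everything else is assumed). The predictor is a plain exponentially weighted moving average standing in for the real Holt-Winters model, the band width is a running mean of the forecast error with a floor, and the three traffic series (a two-sample spike, a continuous flood, and a 2-on/5-off intermittent attack) are constructed.

```python
"""
Toy model of a threshold-violation detector for NetFlow-style traffic series.
Added example; not NfSen or RRDtool code. Assumptions are marked inline.
"""
from collections import deque


def detect(samples, alpha=0.1, gamma=0.05, up_k=2.0, down_k=4.0,
           min_dev=10.0, window=9, threshold=7):
    """Run the detector over a list of traffic samples (e.g. flows per interval).

    alpha   : smoothing factor of the level prediction (assumed; EWMA, not Holt-Winters)
    gamma   : smoothing factor of the running forecast error (assumed)
    up_k    : band multiplier for increases; down_k = 2 * up_k mirrors the post's
              "tolerance for drops is twice as high" (multipliers themselves assumed)
    min_dev : floor on the band width so a flat baseline does not collapse it (assumed)
    window, threshold : 7 violations in a sliding window of 9, as recalled in the post

    Returns one dict per sample with prediction, band, violation flag and alarm state.
    """
    pred = float(samples[0])        # level forecast for the next sample
    dev = min_dev                   # running mean absolute forecast error
    recent = deque(maxlen=window)   # violation flags for the sliding window
    events = []
    for i, x in enumerate(samples):
        upper = pred + up_k * dev
        lower = pred - down_k * dev
        violation = x > upper or x < lower
        recent.append(violation)
        events.append({
            "i": i, "x": x, "pred": round(pred, 1),
            "lower": round(lower, 1), "upper": round(upper, 1),
            "violation": violation,
            "alarm": sum(recent) >= threshold,
        })
        # Update the model with the observed sample after judging it.
        err = abs(x - pred)
        pred = alpha * x + (1 - alpha) * pred
        dev = max(min_dev, gamma * err + (1 - gamma) * dev)
    return events


def first_alarm(events):
    """Index of the first sample at which the alarm fired, or None."""
    return next((e["i"] for e in events if e["alarm"]), None)


def violations(events):
    """Indices of all samples flagged as violations."""
    return [e["i"] for e in events if e["violation"]]


# Constructed series: baseline of 100 units per interval, attack traffic at 1000.
BASELINE = [100] * 10
SHARP_PEAK = BASELINE + [1000, 1000] + [100] * 18        # two-sample spike
SUSTAINED = BASELINE + [1000] * 20                        # continuous flood
INTERMITTENT = BASELINE + ([1000] * 2 + [100] * 5) * 4    # 2 on, 5 off, repeated


if __name__ == "__main__":
    for name, series in [("sharp peak", SHARP_PEAK),
                         ("sustained", SUSTAINED),
                         ("intermittent", INTERMITTENT)]:
        ev = detect(series)
        print(f"{name:12s} violations at {violations(ev)}; "
              f"first alarm at sample {first_alarm(ev)}")
```

Under these assumptions the two-sample spike produces exactly two violations and no alarm; the samples after the spike fall inside the widened lower band, so the drop is never a violation. The continuous flood accumulates seven consecutive violations and alarms at sample 16. The 2-on/5-off attacker delivers eight attack intervals in total but never has more than four violations inside any window of nine, because each burst widens the band and the pauses let the prediction and the window recover, so the alarm never fires. The real Holt-Winters implementation also tracks a seasonal component and its band adapts differently, so the exact numbers will differ; the structure of the evasion (keep bursts shorter than the threshold and pauses long enough to flush the window) is what the test is meant to show.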
