On Jan 23, 2007, at 12:21 AM, Adrian Popa wrote:

> Hello everybody,
>
> I'm trying to write a nfsen backend script to detect
> (automatically) denial-of-service attacks.
>
> distributed DOS: flows from numerous sources to the same
> destination, on different ports.
> I guess it could be implemented like the previous one, but it would
> be tricky to set the threshold - to separate floods from legitimate
> traffic
>
> My questions to you are:
> 1. How do you detect the last 2 types of flooding
> 2. Have you encountered other types of attack? Can you suggest a
> better way to detect them?
I think you need to look at the rate of increase in flows / packets between 5 minute time slots.

From what I understand of the code, Panoptis [1] detects DoS attacks by looking at the rate of increase for interfaces (either packets or flows) and then gets the top talker(s) for that interface. And from the looks of the man page for nfdump, it would seem that you could implement that same approach.

[1] http://sourceforge.net/projects/panoptis

Regards,
--Jason
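The approach Jason describes (compare each 5-minute slot's flow and packet totals with the previous slot, alert on a sharp increase, then pull the top talkers for the slot that spiked) as an added, runnable example. This is not code from nfsen, Panoptis or this thread: the flow records are constructed tuples that stand in for parsed nfdump output, the ratio threshold (`factor`) and the minimum flow count (`min_flows`) are assumed tuning knobs, and the sample traffic is made up to contain one distributed flood (many sources, one destination, many ports) in the last slot.

```python
"""Rate-of-increase DoS detection over 5-minute flow slots.

Added example, not nfsen/Panoptis code. Flow records are constructed
tuples (slot, src_ip, dst_ip, dst_port, packets); a real backend would
fill them from parsed nfdump output for each 5-minute nfcapd file.
"""
from collections import Counter, defaultdict


def build_sample_flows():
    """Constructed traffic: slots 0-3 are a quiet baseline, slot 4 adds a
    flood from 500 distinct sources to 10.0.0.5 on 500 different ports."""
    flows = []
    for slot in range(5):
        # baseline: 20 clients each opening one HTTPS flow to the web server
        for i in range(20):
            flows.append((slot, f"192.168.1.{i + 1}", "10.0.0.1", 443, 40 + i))
    # slot 4: distributed flood, small packet counts but a huge flow count
    for i in range(500):
        src = f"198.51.100.{i + 1}" if i < 250 else f"203.0.113.{i - 249}"
        flows.append((4, src, "10.0.0.5", 1024 + i, 3))
    return flows


def per_slot_totals(flows):
    """Return {slot: (flow_count, packet_count)} ordered by slot."""
    totals = defaultdict(lambda: [0, 0])
    for slot, _src, _dst, _port, packets in flows:
        totals[slot][0] += 1
        totals[slot][1] += packets
    return {s: tuple(v) for s, v in sorted(totals.items())}


def flag_slots(totals, factor=3.0, min_flows=100):
    """Slots whose flow or packet count grew by more than `factor` over the
    previous slot. `min_flows` suppresses alerts on tiny absolute numbers
    (a jump from 1 to 4 flows is a ratio of 4 but not a DoS); both values
    are assumed tuning knobs, not anything nfsen ships with."""
    flagged = []
    slots = sorted(totals)
    for prev, cur in zip(slots, slots[1:]):
        prev_flows, prev_pkts = totals[prev]
        cur_flows, cur_pkts = totals[cur]
        if cur_flows < min_flows:
            continue
        # max(..., 1) avoids a division-by-zero style blow-up on an empty slot
        if cur_flows > factor * max(prev_flows, 1) or cur_pkts > factor * max(prev_pkts, 1):
            flagged.append(cur)
    return flagged


def top_talkers(flows, slot, n=3):
    """Top destinations in `slot` by flow count, each with the number of
    distinct sources and distinct ports behind it, so an operator can tell
    a distributed flood (many sources, many ports) from one busy client."""
    by_dst = Counter()
    srcs = defaultdict(set)
    ports = defaultdict(set)
    for s, src, dst, port, _packets in flows:
        if s != slot:
            continue
        by_dst[dst] += 1
        srcs[dst].add(src)
        ports[dst].add(port)
    return [(dst, cnt, len(srcs[dst]), len(ports[dst]))
            for dst, cnt in by_dst.most_common(n)]


def detect(flows, factor=3.0, min_flows=100):
    """Full pipeline: per-slot totals -> flagged slots -> top talkers."""
    totals = per_slot_totals(flows)
    return {slot: top_talkers(flows, slot)
            for slot in flag_slots(totals, factor, min_flows)}


if __name__ == "__main__":
    for slot, talkers in detect(build_sample_flows()).items():
        print(f"slot {slot}: possible DoS")
        for dst, cnt, nsrc, nport in talkers:
            print(f"  {dst}: {cnt} flows from {nsrc} sources to {nport} ports")
```

The top-talker line carries the distinct-source and distinct-port counts deliberately: the raw ratio only says that something spiked, while "500 flows from 500 sources to 500 ports" versus "20 flows from 20 sources to 1 port" is what separates the distributed flood in the question from ordinary busy traffic, and it is the kind of figure to feed into whatever threshold the backend script finally uses.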
