Yes, it's a home-made backend plugin (currently at its 3rd major rewrite -
because of business needs and policy changes).
In short, this is how it works: every 5 minutes, it iterates through the
exporting routers and generates two reports for each router:
- top 10 record/pps -A dstip for flows with a duration > 10000ms (to
filter out false positives where a flow has a few packets, but a huge pps
value)
- top 10 record/flows -A dstip
For these values we select the entries that go above a certain threshold
(>50kpps, >100kflows (the point of the script is to protect our
infrastructure, not the end customer)) and do additional processing on them
(find out if the flood is incoming or outgoing based on prefix or ifindex,
find if prefix is a critical infrastructure asset, etc). We also keep
recent floods in a database and issue alerts to different teams for all
floods or for recurring floods. The team's operators decide the impact of
the flood and take suitable action (ignoring it, black-holing it for 1-3
hours or passing the traffic through a cleaning appliance). The teams are
notified via email and via a custom web interface (the triggering is done
via the backend plugin). There are also helper scripts to do the mitigation
at the push of a button and to automatically end the mitigation (when a set
time expires).
The collection of scripts we're using is built in-house (nfsen backend
script, various other scripts for data enrichment (e.g. prefix to customer
name lookup), a database and a web interface) and unfortunately is custom-tailored
to our needs and would probably be a pain to adapt for others. It
might be easier to start fresh.
Let me know if you need additional details.
Regards,
Adrian
On Wed, Oct 2, 2013 at 6:00 PM, Martin Brault <mar...@creenet.com> wrote:
> On 2013-10-02 01:38, Adrian Popa wrote:
>
>>
>> I have developed such a system for our network (detection as a back-end
>> plugin in nfsen, web interface for operators and custom scripts for the
>> actual black-holing), but the mitigation process requires human
>> confirmation.
>>
>>
> Hello,
>
> Just out of curiosity, what are you using as a detection plugin? Home
> made? Without sharing your secret sauce, care to overview how this works?
>
> Cheers,
>
> M.
>
>
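A sketch of the threshold-and-classification step described above, as an added example that is not Adrian's plugin code: the records, prefixes and threshold constants are constructed assumptions, and the duration filter applies only to the pps criterion, as in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample records (not real nfdump output): one line per
# aggregated destination as a `-A dstip` top-N report would give,
# with fields: dstip duration_ms pps flows
SAMPLE_TOPN = """\
203.0.113.10 12000 65000 1200
203.0.113.20 800 90000 50
198.51.100.5 30000 4000 150000
192.0.2.77 20000 51000 120000
"""

PPS_THRESHOLD = 50_000        # >50kpps, per the post
FLOWS_THRESHOLD = 100_000     # >100kflows, per the post
MIN_DURATION_MS = 10_000      # drop short flows with a huge pps value

# Hypothetical prefix data for the direction and criticality lookups.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
CRITICAL_ASSETS = [ipaddress.ip_network("198.51.100.0/28")]


@dataclass
class Flood:
    dstip: str
    pps: int
    flows: int
    direction: str
    critical: bool


def classify(dstip):
    """Direction by prefix membership; criticality by asset list."""
    addr = ipaddress.ip_address(dstip)
    inbound = any(addr in net for net in OUR_PREFIXES)
    critical = any(addr in net for net in CRITICAL_ASSETS)
    return ("incoming" if inbound else "outgoing", critical)


def detect_floods(report):
    """Return the entries that exceed either threshold."""
    floods = []
    for line in report.splitlines():
        dstip, dur, pps, flows = line.split()
        dur, pps, flows = int(dur), int(pps), int(flows)
        pps_hit = pps > PPS_THRESHOLD and dur > MIN_DURATION_MS
        flows_hit = flows > FLOWS_THRESHOLD
        if not (pps_hit or flows_hit):
            continue
        direction, critical = classify(dstip)
        floods.append(Flood(dstip, pps, flows, direction, critical))
    return floods
```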
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss