Hi Paolo,

Possibly, I'm not sure yet. Really depends on the ease of implementation. A "ratio" of fragmentation might be nice as well. I don't think there are very good reasons to slice a packet in more than 2 fragments so anything exceeding that might be worthwhile to detect and analyze.


- Hidde

Paolo Lucente wrote on 09.11.2017 17:23:
Hi Hidde,

Yes, there is plenty of defragmentation code and you are right that
there is no 'external visibility' into it. I'm curious what you'd have
in mind to give such visibility, a bool like fragmented traffic yes/no
of some sort?

Paolo

On Thu, Nov 09, 2017 at 04:26:37PM +0100, Hidde van der Heide wrote:
Hi,

While looking into pmacct to monitor our Internet edge, we are also
testing if we can detect malicious activity, primarily DDoS traffic.
With the current aggregators we can gather most of the required data
but the one thing really missing is IP fragmentation.

I noticed there is already extensive defragmentation code so it
might not be that hard to add. I'm happy to give it a try but I
wanted to make sure that I'm not overlooking something and support
is already there.

Regards,
- Hidde

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
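
The two metrics floated in this thread, a fragmentation ratio and a flag for datagrams cut into more than 2 fragments, can be prototyped as follows. This is an added example, not code from the thread or from pmacct; the function names, the `max_frags` parameter and the sample headers are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

def ipv4_header(src, dst, ident, flags_frag, proto=17):
    """Build a 20-byte IPv4 header (constructed sample input, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def fragment_stats(headers, max_frags=2):
    """Return (fragment ratio, datagrams seen in more than max_frags fragments)."""
    total = frags = 0
    per_datagram = Counter()
    for h in headers:
        if len(h) < 20 or h[0] >> 4 != 4:
            continue  # truncated or not IPv4
        total += 1
        ident, flags_frag = struct.unpack_from("!HH", h, 4)
        more_fragments = bool(flags_frag & 0x2000)   # MF bit
        offset = flags_frag & 0x1FFF                 # offset in 8-byte units
        if more_fragments or offset:
            frags += 1
            # Fragments of one datagram share src, dst, protocol and IP ID.
            key = (str(ipaddress.IPv4Address(h[12:16])),
                   str(ipaddress.IPv4Address(h[16:20])), h[9], ident)
            per_datagram[key] += 1
    ratio = frags / total if total else 0.0
    suspicious = {k: n for k, n in per_datagram.items() if n > max_frags}
    return ratio, suspicious

# Constructed sample: 2 whole packets, one datagram in 2 fragments, one in 4.
SRC, DST = "192.0.2.10", "198.51.100.1"
SAMPLE = [
    ipv4_header(SRC, DST, 1, 0x4000),            # DF set, not fragmented
    ipv4_header(SRC, DST, 100, 0x2000),          # first fragment, MF set
    ipv4_header(SRC, DST, 100, 185),             # last fragment, offset 185
    ipv4_header(SRC, DST, 200, 0x2000),          # 4 small fragments follow
    ipv4_header(SRC, DST, 200, 0x2000 | 1),
    ipv4_header(SRC, DST, 200, 0x2000 | 2),
    ipv4_header(SRC, DST, 200, 3),
    ipv4_header(SRC, DST, 2, 0x4000),
]

if __name__ == "__main__":
    print(fragment_stats(SAMPLE))
```
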
