Hi Paolo,
Possibly, I'm not sure yet. Really depends on the ease of
implementation. A "ratio" of fragmentation might be nice as well. I
don't think there are very good reasons to slice a packet in more than 2
fragments so anything exceeding that might be worthwhile to detect and
analyze.
- Hidde
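The two signals Hidde proposes above, a fragmentation ratio and datagrams sliced into more than 2 fragments, as an added Python example that is not pmacct's own code: it reads the fragment fields of raw IPv4 headers, groups fragments by (src, dst, IP ID) and counts distinct offsets. The headers and addresses are constructed sample input, not real captures.

```python
import struct
import socket
from collections import defaultdict

IP_MF = 0x2000          # "More Fragments" flag
IP_OFFMASK = 0x1FFF     # fragment offset field, in 8-byte units


def parse_fragment_info(pkt):
    """Return fragment fields from a raw IPv4 header, or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    offset = (flags_frag & IP_OFFMASK) * 8
    more = bool(flags_frag & IP_MF)
    # A packet is a fragment if MF is set or it is not the first piece.
    return {"key": (src, dst, ident), "offset": offset, "fragment": more or offset > 0}


def fragmentation_report(packets, max_fragments=2):
    """Fragmentation ratio plus datagrams sliced into more than max_fragments pieces."""
    total = fragmented = 0
    pieces = defaultdict(set)   # (src, dst, id) -> distinct fragment offsets seen
    for pkt in packets:
        info = parse_fragment_info(pkt)
        if info is None:
            continue
        total += 1
        if info["fragment"]:
            fragmented += 1
            pieces[info["key"]].add(info["offset"])
    suspicious = {k: len(v) for k, v in pieces.items() if len(v) > max_fragments}
    return {"total": total, "fragmented": fragmented,
            "ratio": fragmented / total if total else 0.0,
            "suspicious": suspicious}


def make_header(src, dst, ident, more, offset_units):
    """Build a constructed 20-byte IPv4 header (UDP, no options, checksum left 0)."""
    flags_frag = (IP_MF if more else 0) | (offset_units & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, ident, flags_frag, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample traffic using documentation addresses.
SRC, DST = "192.0.2.1", "198.51.100.7"
SAMPLE_PACKETS = (
    [make_header(SRC, DST, 1, False, 0)] * 3                                    # 3 whole datagrams
    + [make_header(SRC, DST, 2, True, 0), make_header(SRC, DST, 2, False, 185)]  # one split in 2
    + [make_header(SRC, DST, 3, True, u) for u in (0, 5, 10)]                   # one split in 4
    + [make_header(SRC, DST, 3, False, 15)]
)

if __name__ == "__main__":
    print(fragmentation_report(SAMPLE_PACKETS))
```

Only the datagram with ID 3 exceeds the 2-fragment threshold; the 2-piece datagram counts toward the ratio but is not flagged.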
Paolo Lucente schreef op 09.11.2017 17:23:
Hi Hidde,
Yes, there is plenty of defragmentation code and you are right that
there is no 'external visibility' into it. I'm curious what you'd have
in mind to give such visibility, a bool like fragmented traffic yes/no
of some sort?
Paolo
On Thu, Nov 09, 2017 at 04:26:37PM +0100, Hidde van der Heide wrote:
Hi,
While looking into pmacct to monitor our Internet edge, we are also
testing if we can detect malicious activity, primarily DDoS traffic.
With the current aggregators we can gather most of the required data
but the one thing really missing is IP fragmentation.
I noticed there is already extensive defragmentation code so it
might not be that hard to add. I'm happy to give it a try but I
wanted to make sure that I'm not overlooking something and support
is already there.
Regards,
- Hidde
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists