Krebs on Security booted off Akamai network after DDoS attack proves pricey
Jared Mauch
jared at puck.nether.net
Tue Sep 27 12:20:22 UTC 2016
> On Sep 26, 2016, at 7:58 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
>
> On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka at isc.org> wrote:
>
>>
>> Giving them real time access to the anomalous traffic log feed for
>> their residence would also help. They or the specialist they bring
>> in will be able to use that to trace back the problem.
>>
>>
> wouldn't this work better as a standard bit of CPE software capability?
> wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE
> and kept for ~30mins (just guessing) in a circular buffer be 'good enough'
> to present a pretty clear UI to the user?
>
> ip/mac/vendor sending (webtraffic|email|probes) to destination-name
> [checkbox]
> <repeat>
>
>
> select those you'd like to block [clickhere]
>
> This really doesn't seem hard to present in a fairly straightforward
> manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something
> similar to this approach... but on the other hand:
> "At least my ISP isn't snooping on all my traffic"
The UBNT Edgerouter series has this. You can get fancy graphs and application
breakdown.
Scroll down and check the images:
https://help.ubnt.com/hc/en-us/articles/204951104-EdgeMAX-Deep-Packet-Inspection-Engine-for-EdgeRouter
You can see the hosts that are doing traffic and the destinations.
They even have a model that takes an SFP so you can use it as CPE for FTTH.
- Jared
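As an added illustration of the CPE-side flow buffer Christopher sketches above (example code, not from the thread or from any vendor's firmware), a minimal Python model: synthesized flow records are aged out of a ~30 minute ring, summarized per source host, traffic class and destination for the UI, and the rows a user ticks become block rules. The record layout, the port-based classifier and the sample flows are all constructed assumptions.

```python
from collections import defaultdict, deque, namedtuple

RETENTION_SECONDS = 30 * 60  # the "~30mins" circular buffer suggested in the thread

Flow = namedtuple("Flow", "ts src_ip src_mac dst_name dst_port bytes_out")  # constructed schema

def classify(dst_port, bytes_out):
    """Coarse class for the UI row, mirroring 'webtraffic|email|probes'."""
    if dst_port in (80, 443, 8080, 8443):
        return "webtraffic"
    if dst_port in (25, 110, 143, 465, 587, 993, 995):
        return "email"
    return "probes" if bytes_out < 200 else "other"

class FlowRing:
    """Ring of recent flows; anything older than the retention window is dropped."""
    def __init__(self, retention=RETENTION_SECONDS):
        self.retention = retention
        self.flows = deque()

    def add(self, flow):
        self.flows.append(flow)
        while self.flows and self.flows[0].ts < flow.ts - self.retention:
            self.flows.popleft()  # age out the oldest entries

    def summarize(self):
        """(src_ip, src_mac, class, dst_name) -> bytes, one row per UI checkbox."""
        totals = defaultdict(int)
        for f in self.flows:
            totals[(f.src_ip, f.src_mac, classify(f.dst_port, f.bytes_out), f.dst_name)] += f.bytes_out
        return dict(totals)

def block_rules(selected_rows):
    """Turn ticked rows into (src_mac, dst_name) drop rules for the CPE firewall."""
    return sorted({(mac, dst) for (_, mac, _, dst) in selected_rows})

def demo(now=10_000.0):
    """Constructed sample: a laptop browsing and mailing, plus a device probing telnet."""
    ring = FlowRing()
    for flow in (
        Flow(now - 2000, "192.168.1.20", "aa:bb:cc:00:00:20", "old.example.org", 443, 5000),
        Flow(now - 600, "192.168.1.20", "aa:bb:cc:00:00:20", "www.example.net", 443, 120000),
        Flow(now - 300, "192.168.1.37", "aa:bb:cc:00:00:37", "203.0.113.9", 23, 64),
        Flow(now - 120, "192.168.1.37", "aa:bb:cc:00:00:37", "203.0.113.10", 23, 64),
        Flow(now, "192.168.1.20", "aa:bb:cc:00:00:20", "mail.example.net", 587, 8000),
    ):
        ring.add(flow)
    summary = ring.summarize()
    probes = [row for row in summary if row[2] == "probes"]  # the rows a user would tick
    return summary, block_rules(probes)
```

The flow older than the window (old.example.org) never reaches the summary, which is the point of keeping only a short ring on the CPE rather than a traffic history.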