Is current DDoS detecting method effective?

Joe Shen joe_hznm at
Mon Mar 7 01:13:14 UTC 2005


I use flow-tools to monitor the link bandwidth
utilization on three backbone interfaces. The total
bandwidth utilized is about 11Gbps, and netflow data
is analyzed to show statistics on some special port
(e.g. port 0, port 445 etc.). I think this could give
us some indication of possible DoS attach, but it's
hard to monitor DoS attack on all hosts or all ports. 

In fact, I'm not sure whether traffic monitoring could
REALLY help to identify some DoS attack, esp. in ISP
networks. My questions include:

1) what should be protected in ISP networks? the ISP's
own network or both ISP's network and its customers? 

   I think the answer is, ISP should only care about
the safety of its own network, which should be
overprovisioned ( not only link bandwidth but also
CPU/MEM etc.); we could use some technique like
reverse route checking and ACL to immunize those core
router/switch from DoS.

2) What's the cost should we take to identify any
possible DoS in ISP network?
    I think it will cost a lot if we keep monitoring
traffic on all edge routers ( both to backbone network
and to customers), because we have to set up traffic
monitoring on all interfaces and we have to set up
analysis hosts whose ability have to be increased time
to time. While the gainback is not obivious ( at least
Botnet could not be crashed easily).

3) Is those technique use in current days really
effective ? Where can I find some theretical analysis
on the method Arbor used to identify DoS?

   To my experience, network attack is continuous. I
do a experiment in our network, I put a Win2003 server
on access layer. After 24 hours, the software firewall
on it recorded about 10,0000 scan&attack attemps.
Arbor says its product build up traffic model before
identify DoS, while DoS may have been on its peak
point when Arbor's box is building up its traffic

   So, how can we do with DoS in ISP network?    

--- "David J. Hughes" <bambi at> wrote:
> On 04/03/2005, at 5:17 AM, Chris Roberts wrote:
> > I know you said not Arbor, but I'd second this
> opinion. I used Arbor 
> > at a
> > medium-sized European ISP and it was fantastic at
> the job. Just in the 
> > trial
> > period found a lot of smaller DoS attacks on our
> network that we 
> > didn't even
> > know were there, and this was without a particular
> baseline. I think 
> > the
> > development time you'd spend building something
> like (we tried building
> > similar with cflowd et al) would outweigh the
> costs... This is always 
> > a moot
> > point if you don't have the cash though I guess
> :-)
> Another option on the commercial front is from
> Esphion in New Zealand 
> (  I've been involved with
> deploying their products at 
> a large hosting provider in Australia and I've been
> very impressed with 
> the performance and reliability.  It's now an
> integral part (if not the 
> corner stone) of our DOS mitigation procedure.  Good
> bit of kit.
> David
> ...

Do You Yahoo!?
Log on to Messenger with your mobile phone!

More information about the NANOG mailing list