OBESEUS - A new type of DDOS protector

William Pitcock nenolod at systeminplace.net
Tue Mar 16 09:13:28 UTC 2010


On Tue, 2010-03-16 at 07:53 +0000, gordon b slater wrote:
> Hmm, the "hey! it's open source!" factor doesn't hold much sway in the
> network world, no-one will be amazed at that. Many observers are
> surprised at the amount of free software employed by ISPs and the
> like, but it's certainly no news to insiders. 

Not to mention that it is only "open source for private non-commercial
use only", and is crippled.

Also, Obeseus doesn't seem to be any better than stuff I have made
myself for my own usage and clients' usage.  All it does is look at a
pcap dump and analyze it.

Obeseus is actually worse: it does not work in realtime, the data
structures it uses are not suited to realtime detection, and in a DDoS,
I think this could take several minutes to trigger appropriate events
like IP nullroutes and ACLs etcetera.

The best way to detect DDoS is to run a 30 second rolling average.  If
you're suddenly doing a gigabit inbound within 30 seconds of UDP
traffic, you're probably being DDoSed ;).

William
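
The 30-second rolling average described in the message above, as an added example that is not part of the original post. It assumes per-second inbound UDP byte counters arriving in time order and reads "a gigabit" as a 1 Gbit/s average over the window; the class, function names and sample data are constructed for illustration.

```python
from collections import deque

WINDOW_S = 30                   # rolling window length from the message
THRESHOLD_BPS = 1_000_000_000   # "a gigabit" read as 1 Gbit/s average (assumption)

class RollingUdpRate:
    """30-second rolling average of inbound UDP bits/s, kept in one-second buckets."""

    def __init__(self, window_s=WINDOW_S, threshold_bps=THRESHOLD_BPS):
        self.window_s = window_s
        self.threshold_bps = threshold_bps
        self.buckets = deque()   # (second, bytes) pairs, oldest first
        self.total_bytes = 0     # running sum, so updates do not rescan the window

    def _expire(self, now_s):
        # Drop buckets that have aged out of the window.
        while self.buckets and self.buckets[0][0] <= now_s - self.window_s:
            self.total_bytes -= self.buckets.popleft()[1]

    def add(self, ts, nbytes):
        """Record nbytes seen at time ts (non-decreasing); True if over threshold."""
        sec = int(ts)
        self._expire(sec)
        if self.buckets and self.buckets[-1][0] == sec:
            self.buckets[-1] = (sec, self.buckets[-1][1] + nbytes)
        else:
            self.buckets.append((sec, nbytes))
        self.total_bytes += nbytes
        return self.rate_bps() >= self.threshold_bps

    def rate_bps(self):
        # Average over the full window, so a short burst has to be sustained to trip.
        return self.total_bytes * 8 / self.window_s

def first_alarm(samples, **kw):
    """Return the timestamp of the first sample that trips the detector, or None."""
    det = RollingUdpRate(**kw)
    for ts, nbytes in samples:
        if det.add(ts, nbytes):
            return ts
    return None

# Constructed counters: 60 s of 50 Mbit/s baseline, then a 3 Gbit/s UDP flood.
BASELINE = [(t, 50_000_000 // 8) for t in range(60)]
FLOOD = [(t, 3_000_000_000 // 8) for t in range(60, 120)]

if __name__ == "__main__":
    print("alarm at t =", first_alarm(BASELINE + FLOOD))
```

With this constructed data the alarm fires ten seconds into the flood, which is the point at which a nullroute or ACL push would be triggered.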




