ddos attacks

Peter Phaal peter.phaal at gmail.com
Wed Dec 18 22:31:26 UTC 2013


Dan,

If you are using sFlow for your measurements, then you might want to take a
look at sFlow-RT for DDoS mitigation. The following case study describes how
sFlow and null routing are being used to mitigate flood attacks:

http://blog.sflow.com/2013/03/ddos.html

The analytics engine will detect flood attacks in less than a second and
you can use the embedded scripting API to initiate automated responses. The
following articles contain basic DDoS mitigation scripts - you just need to
replace the block() and allow() functions with calls to expect scripts,
OpenFlow rules, or REST API calls - whatever makes sense in your
environment.

http://blog.sflow.com/search/label/DoS

This is a commercial product, but it's free to try out (no registration
required):

http://inmon.com/products/sFlow-RT.php

Cheers,
Peter


On Wed, Dec 18, 2013 at 8:36 AM, Dan White <dwhite at olp.net> wrote:

> Can anyone recommend a vendor solution for DDOS mitigation? We are looking
> for a solution that detects DDOS attacks from sflow information and
> automatically announces BGP /32 blackhole routes to our upstream providers,
> or a similar solution.
>
> Thank You.
>
>
> On 08/05/13 21:09 +1000, Ahad Aboss wrote:
>
>> Scott,
>>
>> Use a DDOS detection and mitigation system with DPI capabilities to deal
>> with traditional DDOS attack and anomalous behaviour such as worm
>> propagation, botnet attacks and malicious subscriber activity such as
>> flooding and probing. There are only a few vendors who successfully play in
>> this space who provide a self healing/self defending system.
>>
>> Cheers
>> Ahad
>> -----Original Message-----
>> From: sgraun at airstreamcomm.net [mailto:sgraun at airstreamcomm.net]
>> Sent: Friday, 2 August 2013 11:37 PM
>> To: nanog at nanog.org
>> Subject: ddos attacks
>>
>> I’m curious to know what other service providers are doing to
>> alleviate/prevent ddos attacks from happening in your network.  Are you
>> completely reactive and block as many addresses as possible or null0 traffic
>> to the affected host until it stops or do you block certain ports to prevent
>> them.  What’s the best way people are dealing with them?
>>
>> Scott
>>
>
> --
> Dan White
>
>
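The pattern Peter describes (an analytics engine that estimates rates from sFlow samples and calls block()/allow() hooks you wire to your own response) combined with Dan's requirement (announce a BGP /32 blackhole when a flood is detected), as an added example that is not from the thread, from sFlow-RT or from any vendor. The sFlow records, thresholds, sampling rate and the 192.0.2.1 discard next-hop are constructed for the example; the response hooks emit ExaBGP-style `announce route` / `withdraw route` text carrying the RFC 7999 BLACKHOLE community (65535:666), which is an assumption about how the script would be wired up, not a requirement of the approach.

```python
"""Flood detection over sFlow-style packet samples with a /32 RTBH response.

Added example, not code from the NANOG thread or the sFlow-RT product.
Shape: estimate per-destination packets/sec from sampled records, then call
block()/allow() hooks when a destination crosses the threshold (with
hysteresis so a fading attack does not flap the route). All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

BLACKHOLE_NEXT_HOP = "192.0.2.1"   # constructed: next-hop the routers discard toward
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community
PPS_THRESHOLD = 100_000            # constructed: estimated pps that triggers a blackhole
CLEAR_FRACTION = 0.5               # withdraw once the rate falls below half the threshold


@dataclass(frozen=True)
class FlowSample:
    """One sFlow packet sample: decoded header fields plus the sampling rate in effect."""
    ts: float           # seconds
    src: str
    dst: str
    proto: str
    sampling_rate: int  # each sample stands for this many packets on the wire


def estimate_pps(samples: Iterable[FlowSample], window_s: float) -> Dict[str, float]:
    """Scale each sample by its sampling rate to estimate packets/sec per destination."""
    est: Dict[str, float] = defaultdict(float)
    for s in samples:
        est[s.dst] += s.sampling_rate / window_s
    return dict(est)


def block(dst: str) -> str:
    """Response hook: announce a host route to the discard next-hop (ExaBGP-style text, assumed)."""
    return f"announce route {dst}/32 next-hop {BLACKHOLE_NEXT_HOP} community [{BLACKHOLE_COMMUNITY}]"


def allow(dst: str) -> str:
    """Response hook: withdraw the blackhole once the flood has subsided."""
    return f"withdraw route {dst}/32 next-hop {BLACKHOLE_NEXT_HOP}"


class FloodController:
    """Tracks which destinations are currently blackholed and applies hysteresis."""

    def __init__(self) -> None:
        self.blackholed: set = set()

    def evaluate(self, rates: Dict[str, float]) -> List[str]:
        actions: List[str] = []
        for dst, pps in sorted(rates.items()):
            if pps > PPS_THRESHOLD and dst not in self.blackholed:
                self.blackholed.add(dst)
                actions.append(block(dst))
            elif pps < PPS_THRESHOLD * CLEAR_FRACTION and dst in self.blackholed:
                self.blackholed.discard(dst)
                actions.append(allow(dst))
        # A blackholed destination with no samples at all this window is also quiet.
        for dst in sorted(self.blackholed - set(rates)):
            self.blackholed.discard(dst)
            actions.append(allow(dst))
        return actions


def constructed_windows() -> List[List[FlowSample]]:
    """Two one-second windows of constructed samples at sampling rate 1:2000."""
    flood = [FlowSample(i / 60, f"198.51.100.{i % 50}", "203.0.113.10", "UDP", 2000)
             for i in range(60)]                     # 60 samples -> ~120k pps estimate
    normal = [FlowSample(0.2 + i / 10, "198.51.100.7", "203.0.113.20", "TCP", 2000)
              for i in range(3)]                     # 3 samples  -> ~6k pps estimate
    quiet = [FlowSample(1.0 + i / 10, f"198.51.100.{i}", "203.0.113.10", "UDP", 2000)
             for i in range(10)]                     # 10 samples -> ~20k pps, below clear level
    return [flood + normal, quiet]


def run_demo(window_s: float = 1.0) -> List[List[str]]:
    """Feed the constructed windows through the controller; returns the actions per window."""
    ctl = FloodController()
    return [ctl.evaluate(estimate_pps(window, window_s)) for window in constructed_windows()]


if __name__ == "__main__":
    for n, actions in enumerate(run_demo(), 1):
        for a in actions:
            print(f"window {n}: {a}")
```

The detector's precision is bounded by the sampling rate: at 1:2000 a single sample already represents 2000 pps, so the threshold should correspond to tens of samples per window or a burst of a few samples will produce a false positive; the hysteresis (clear at half the trigger rate) keeps a decaying attack from announcing and withdrawing the route every second. Whether the blackhole reaches upstreams depends on them honouring the community on a /32, which is exactly the piece Dan's question asks vendors to automate.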


