DDOS, IDS, RTBH, and Rate limiting

Pavel Odintsov pavel.odintsov at gmail.com
Tue Dec 2 15:42:42 UTC 2014


Hello, folks!

Thank you for the very useful feedback! I'm so sorry for my negative
view of netflow :( It's a nice protocol, but I don't have equipment with
the ability to generate netflow at wire speed, so I use mirror/SPAN
instead.

I completely redesigned the attack-analyzer subsystem and it can process
sampled data now. I just added sFlow v5 support to FastNetMon and you
can try it now. In the near future I will add netflow v5 support.

With sFlow support my tool can detect attacks on 40-100GE links and
more! Thanks for the sFlow architecture!  :)

Thank you!

On Sun, Nov 23, 2014 at 2:53 AM, Brian Rak <brak at gameservers.com> wrote:
>
> On 11/22/2014 11:18 AM, Denys Fedoryshchenko wrote:
>>
>> On 2014-11-22 18:00, freedman at freedman.net wrote:
>>>
>>> We see a lot of Brocade for switching in hosting providers, which makes
>>> sFlow easy, of course.
>>
>> Oh, Brocade. Recent experience with ServerIron taught me a new lesson:
>> I can't do bonding on ports as I want; it has limitations about even/odd
>> port numbers, etc.
>> The most amazing part is I just forgot that I have this ServerIron, and it
>> is the place where I run DDoS protection (but it works perfectly in "tap"
>> mode). Thanks for reminding me about this vendor :)
>
>
> I just hope you're not talking about FCXs.... if you upgrade those to 8.x
> firmware, you'll lose sflow on the 10gb ports.  Once you upgrade, they send
> a corrupted sflow packet, and at *far* less than the rate that you
> configure.  Even if you adjust your parser to compensate for the corrupt
> packet, they're still dropping the large majority of samples, making sflow
> pretty much useless.
>
> It's been several months since we reported this, and we're still waiting on
> a fix.



-- 
Sincerely yours, Pavel Odintsov
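Two points in the thread above lend themselves to a worked example: scaling 1-in-N packet samples back to an estimated traffic rate (what an analyzer has to do to "process sampled data"), and checking whether an agent is actually delivering samples at its configured rate (the FCX complaint). The Python below is an added illustration, not FastNetMon code; the `FlowSample` records, the agent names, the link packet rates and the threshold are all constructed. sFlow v5 carries the sampling rate in every flow sample and interface packet counters in counter samples, so both inputs are available from the protocol itself.

```python
"""Estimate per-destination rates from packet-sampled flow data and
sanity-check how many samples each agent really delivers.

Added example (not FastNetMon code). Every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    agent: str          # exporting switch (hypothetical names below)
    dst_ip: str         # destination of the sampled packet
    sampling_rate: int  # 1-in-N, carried in each sFlow v5 flow sample
    frame_length: int   # bytes of the sampled packet


def build_samples():
    """Constructed one-second capture: a small-packet flood toward one
    host, light traffic to another, and an agent that under-samples."""
    flood = [FlowSample("switch-a", "203.0.113.10", 1024, 64) for _ in range(200)]
    quiet = [FlowSample("switch-a", "198.51.100.5", 1024, 1500) for _ in range(5)]
    starved = [FlowSample("fcx-b", "192.0.2.20", 1024, 64) for _ in range(3)]
    return flood + quiet + starved


def estimate_rates(samples, window_s):
    """Scale each sample by its own sampling rate and return
    {dst_ip: (packets_per_second, bits_per_second)}."""
    pkts = defaultdict(int)
    byts = defaultdict(int)
    for s in samples:
        pkts[s.dst_ip] += s.sampling_rate
        byts[s.dst_ip] += s.sampling_rate * s.frame_length
    return {ip: (pkts[ip] / window_s, byts[ip] * 8 / window_s) for ip in pkts}


def detect(samples, window_s, pps_threshold):
    """Destinations whose estimated packet rate meets the threshold."""
    rates = estimate_rates(samples, window_s)
    return sorted(ip for ip, (pps, _) in rates.items() if pps >= pps_threshold)


def sample_delivery_ratio(samples, link_pps, window_s):
    """Observed samples per agent divided by the count the configured
    sampling rate predicts from the agent's interface packet counters.
    A ratio far below 1.0 means samples are being dropped and the
    scaled estimates above undercount the real traffic."""
    by_agent = defaultdict(list)
    for s in samples:
        by_agent[s.agent].append(s)
    ratios = {}
    for agent, ss in by_agent.items():
        expected = link_pps[agent] * window_s / ss[0].sampling_rate
        ratios[agent] = len(ss) / expected
    return ratios


# Constructed interface packet rates, as a counter sample would report them.
LINK_PPS = {"switch-a": 209920, "fcx-b": 102400}

if __name__ == "__main__":
    samples = build_samples()
    for ip, (pps, bps) in estimate_rates(samples, 1.0).items():
        print(f"{ip:15} ~{pps:>10.0f} pps ~{bps / 1e6:>8.1f} Mbit/s")
    print("over threshold:", detect(samples, 1.0, 100_000))
    for agent, ratio in sample_delivery_ratio(samples, LINK_PPS, 1.0).items():
        flag = "" if ratio > 0.5 else "  <-- agent dropping samples"
        print(f"{agent}: delivery ratio {ratio:.2f}{flag}")
```

The delivery-ratio check is worth running continuously, since a 1-in-1024 estimate is only as good as the agent's honesty about that rate: an agent that silently delivers a few percent of the expected samples makes a flood look like background noise.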
