DDOS, IDS, RTBH, and Rate limiting

• Previous message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Next message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Netflow is stateful stuff, and just to run it on wirespeed, on hardware, 
> you need to utilise significant part of TCAM,

Cisco ASRs and MXs with inline jflow can do hundreds of K flows/second
without affecting packet forwarding.

> i am not talking that on some hardware it is just impossible to run it.
> So everything about netflow are built on assumption that hosting or ISP 
> can run it. And based on some observations, majority of small/middle 
> hosting providers are using minimal,just BGP capable L3 switch as core, 
> and cheapest but reliable L2/L3 on aggregation, and both are capable in 
> best case to run sampled sFlow.

Actually, sFlow from many vendors is pretty good (per your points about flow 
burstiness and delays), and is good enough for dDoS detection.  Not for 
security forensics, or billing at 99.99% accuracy, but good enough for
traffic visibility, peering analytics, and (d)DoS detection.

<snip>

> So for a small hosting(up to 10G), i believe, FastNetMon is best 
> solution. Faster, and no significant investments to equipment. Bigger 
> hosting providers might reuse their existing servers, segment the 
> network, and implement inexpensive monitoring on aggregation switches 
> without any additional cost again.

It can be useful to have a 10G network monitoring box of course...

And with the right setup you can run FastNetMon or other tools in
addition to generating flow that can be of use for other purposes
as well...

> Ah, and there is one more huge problem with netflow vs FastNetMon - 
> netflow just by design cannot be adapted to run pattern matching, while 
> it is trivial to patch FastNetMon for that, turning it to mini-IDS for 
> free.

It's true, having a network tap can be useful for doing PCAP-y stuff.

But taps can be difficult or at least time consuming for people to
put in at scale.  Even, we've seen, for folks with 10G networks.
Often because they can get 90% of what they need for 4 different
business purposes from just flow :)

> Best regards,
> Denys

Avi Freedman    | Your flow has something to show you; can you see it?    |
CEO, CloudHelix | (avi at cloudhelix dot com) | my name one word on skype |

• Previous message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Next message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]