DDOS, IDS, RTBH, and Rate limiting

Tim Jackson jackson.tim at gmail.com
Fri Nov 21 18:32:32 UTC 2014

pmacct includes sfacctd which is an sflow collector.. Accessible via
the same methods as it's nfacctd collector or pcap based collector..


On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko <denys at visp.net.lb> wrote:
> On 2014-11-21 18:41, Peter Phaal wrote:
>>>> Actually, sFlow from many vendors is pretty good (per your points about
>>>> flow
>>>> burstiness and delays), and is good enough for dDoS detection.  Not for
>>>> security forensics, or billing at 99.99% accuracy, but good enough for
>>>> traffic visibility, peering analytics, and (d)DoS detection.
>>> Well, if it is available, except hardware limitations, there is second
>>> obstacle,
>>> software licensing cost. On latest JunOS, for example on EX2200, you need
>>> to purchase license (EFL), and if am not wrong it is $3000 for 48port
>>> units.
>>> So if only sFlow feature is on stake, it worth to think, to purchase
>>> license,
>>> or to purchase server.
>> Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):
>> http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf
>> I am not aware of any vendor requiring an additional license to enable
>> sFlow.
>> sFlow (packet sampling) works extremely well for the DDoS flood
>> detection / mitigation use case. The measurements are build into low
>> cost commodity switch hardware and can be enabled operationally
>> without adversely impacting switch performance.  A flood attack
>> generates high packet rates and sampling a 10G port at 1-in-10,000
>> will reliably detect flood attacks within seconds.
>> For most use cases, it is much less expensive to use switches to
>> perform measurement than to attach taps / mirror port probes. If your
>> switches don't already support sFlow, you can buy a 10G capable white
>> box switch for a few thousand dollars that will let you monitor 1.2
>> Terabits/sec. If you go with an open platform such as Cumulus Linux,
>> you could even run your DDoS mitigation software on the switch and
>> dispense with the external server. Embedded instrumentation is simple
>> to deploy and reduces operational complexity and cost when compared to
>> add on probe solutions.
>> Peter Phaal
>> InMon Corp.
> Wow, that's great news then, i'm using mostly Cisco gear now, but seems will
> have to take a look to Juniper, thanks for information.
> If it is free, then if EX2200 available, it is much easier to run sFlow and
> write custom collector for it, than installing custom probe(in most common
> cases).
> ---
> Best regards,
> Denys

More information about the NANOG mailing list