DDOS, IDS, RTBH, and Rate limiting

• Previous message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Next message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thanks! Most important there is plugin API,so it is easy to write custom 
code to do some analysis and on events - actions.

On 2014-11-21 20:32, Tim Jackson wrote:
> pmacct includes sfacctd which is an sflow collector.. Accessible via
> the same methods as it's nfacctd collector or pcap based collector..
> 
> --
> Tim
> 
> On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko 
> <denys at visp.net.lb> wrote:
>> On 2014-11-21 18:41, Peter Phaal wrote:
>>>>> 
>>>>> Actually, sFlow from many vendors is pretty good (per your points 
>>>>> about
>>>>> flow
>>>>> burstiness and delays), and is good enough for dDoS detection.  Not 
>>>>> for
>>>>> security forensics, or billing at 99.99% accuracy, but good enough 
>>>>> for
>>>>> traffic visibility, peering analytics, and (d)DoS detection.
>>>> 
>>>> 
>>>> Well, if it is available, except hardware limitations, there is 
>>>> second
>>>> obstacle,
>>>> software licensing cost. On latest JunOS, for example on EX2200, you 
>>>> need
>>>> to purchase license (EFL), and if am not wrong it is $3000 for 
>>>> 48port
>>>> units.
>>>> So if only sFlow feature is on stake, it worth to think, to purchase
>>>> license,
>>>> or to purchase server.
>>> 
>>> 
>>> Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):
>>> 
>>> 
>>> http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf
>>> 
>>> I am not aware of any vendor requiring an additional license to 
>>> enable
>>> sFlow.
>>> 
>>> sFlow (packet sampling) works extremely well for the DDoS flood
>>> detection / mitigation use case. The measurements are build into low
>>> cost commodity switch hardware and can be enabled operationally
>>> without adversely impacting switch performance.  A flood attack
>>> generates high packet rates and sampling a 10G port at 1-in-10,000
>>> will reliably detect flood attacks within seconds.
>>> 
>>> For most use cases, it is much less expensive to use switches to
>>> perform measurement than to attach taps / mirror port probes. If your
>>> switches don't already support sFlow, you can buy a 10G capable white
>>> box switch for a few thousand dollars that will let you monitor 1.2
>>> Terabits/sec. If you go with an open platform such as Cumulus Linux,
>>> you could even run your DDoS mitigation software on the switch and
>>> dispense with the external server. Embedded instrumentation is simple
>>> to deploy and reduces operational complexity and cost when compared 
>>> to
>>> add on probe solutions.
>>> 
>>> Peter Phaal
>>> InMon Corp.
>> 
>> Wow, that's great news then, i'm using mostly Cisco gear now, but 
>> seems will
>> have to take a look to Juniper, thanks for information.
>> If it is free, then if EX2200 available, it is much easier to run 
>> sFlow and
>> write custom collector for it, than installing custom probe(in most 
>> common
>> cases).
>> 
>> ---
>> Best regards,
>> Denys

---
Best regards,
Denys

• Previous message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Next message (by thread): DDOS, IDS, RTBH, and Rate limiting
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]