DDOS, IDS, RTBH, and Rate limiting
Denys Fedoryshchenko
denys at visp.net.lb
Fri Nov 21 19:18:57 UTC 2014
Thanks! Most importantly, there is a plugin API, so it is easy to write custom
code to do some analysis and, on events, actions.
On 2014-11-21 20:32, Tim Jackson wrote:
> pmacct includes sfacctd which is an sFlow collector.. Accessible via
> the same methods as its nfacctd collector or pcap based collector..
>
> --
> Tim
>
> On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko
> <denys at visp.net.lb> wrote:
>> On 2014-11-21 18:41, Peter Phaal wrote:
>>>>>
>>>>> Actually, sFlow from many vendors is pretty good (per your points about
>>>>> flow burstiness and delays), and is good enough for dDoS detection. Not
>>>>> for security forensics, or billing at 99.99% accuracy, but good enough
>>>>> for traffic visibility, peering analytics, and (d)DoS detection.
>>>>
>>>> Well, if it is available, except for hardware limitations, there is a
>>>> second obstacle, software licensing cost. On the latest JunOS, for
>>>> example on the EX2200, you need to purchase a license (EFL), and if I am
>>>> not wrong it is $3000 for 48-port units.
>>>> So if only the sFlow feature is at stake, it is worth thinking whether to
>>>> purchase the license or to purchase a server.
>>>
>>> Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):
>>>
>>> http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf
>>>
>>> I am not aware of any vendor requiring an additional license to enable
>>> sFlow.
>>>
>>> sFlow (packet sampling) works extremely well for the DDoS flood
>>> detection / mitigation use case. The measurements are built into low
>>> cost commodity switch hardware and can be enabled operationally
>>> without adversely impacting switch performance. A flood attack
>>> generates high packet rates and sampling a 10G port at 1-in-10,000
>>> will reliably detect flood attacks within seconds.
>>>
>>> For most use cases, it is much less expensive to use switches to
>>> perform measurement than to attach taps / mirror port probes. If your
>>> switches don't already support sFlow, you can buy a 10G capable white
>>> box switch for a few thousand dollars that will let you monitor 1.2
>>> Terabits/sec. If you go with an open platform such as Cumulus Linux,
>>> you could even run your DDoS mitigation software on the switch and
>>> dispense with the external server. Embedded instrumentation is simple
>>> to deploy and reduces operational complexity and cost when compared to
>>> add on probe solutions.
>>>
>>> Peter Phaal
>>> InMon Corp.
>>
>> Wow, that's great news then. I'm using mostly Cisco gear now, but it
>> seems I will have to take a look at Juniper, thanks for the information.
>> If it is free, then if an EX2200 is available, it is much easier to run
>> sFlow and write a custom collector for it than to install a custom probe
>> (in most common cases).
>>
>> ---
>> Best regards,
>> Denys
---
Best regards,
Denys
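An added example, not code from this thread, from pmacct or from InMon: it shows the scaling a custom collector plugin has to do to turn 1-in-N packet samples (the 1-in-10,000 case Peter describes) into per-destination rate estimates and a flood alert, together with the sampling error that decides how few seconds of samples are enough to act on. The sample records, the threshold and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Flood detection from packet-sampled (sFlow-style) records.
Records are constructed, not decoded sFlow datagrams: each is
(timestamp_s, sampling_rate, dst_ip, frame_len_bytes), the fields a
collector such as sfacctd would pull from a flow sample."""
from collections import defaultdict
from math import sqrt

def samples_per_second(pps, sampling_rate):
    """Expected sample arrival rate at the collector for a wire packet rate."""
    return pps / sampling_rate

def estimate_rates(samples, window_s):
    """Scale one window of samples to estimated pps and bps per destination.
    Each sample stands for `sampling_rate` packets on the wire; the relative
    standard error of an estimate built from n samples is about 1/sqrt(n)."""
    pkts, bits, count = defaultdict(float), defaultdict(float), defaultdict(int)
    for _ts, rate, dst, frame_len in samples:
        pkts[dst] += rate
        bits[dst] += rate * frame_len * 8
        count[dst] += 1
    return {dst: {"pps": pkts[dst] / window_s,
                  "bps": bits[dst] / window_s,
                  "samples": count[dst],
                  "rel_error": 1 / sqrt(count[dst])} for dst in pkts}

def flood_alerts(samples, window_s, pps_threshold, min_samples=20):
    """Destinations whose estimated pps exceeds the threshold. min_samples
    keeps a few noisy samples from triggering an action (20 samples still
    means roughly 22% relative error on the estimate)."""
    rates = estimate_rates(samples, window_s)
    return sorted(dst for dst, r in rates.items()
                  if r["samples"] >= min_samples and r["pps"] > pps_threshold)

# Constructed one-second window at 1-in-10,000 sampling: a 64-byte flood
# toward 203.0.113.10 beside a trickle of normal traffic to 203.0.113.20.
SAMPLING_RATE = 10_000
CONSTRUCTED_SAMPLES = (
    [(i / 500, SAMPLING_RATE, "203.0.113.10", 64) for i in range(500)]
    + [(i / 3, SAMPLING_RATE, "203.0.113.20", 1200) for i in range(3)]
)

if __name__ == "__main__":
    # 10G of 64-byte frames is ~14.88 Mpps, so 1-in-10,000 yields ~1488 samples/s
    print(f"{samples_per_second(14_880_952, SAMPLING_RATE):.0f} samples/s at line rate")
    for dst, r in estimate_rates(CONSTRUCTED_SAMPLES, 1.0).items():
        print(f"{dst}: {r['pps']:.0f} pps, {r['bps'] / 1e6:.0f} Mbit/s from "
              f"{r['samples']} samples (+/-{r['rel_error']:.0%})")
    print("alerts:", flood_alerts(CONSTRUCTED_SAMPLES, 1.0, pps_threshold=1_000_000))
```

In a real deployment the window, threshold and minimum sample count are the knobs that trade detection delay against false alerts before an action such as RTBH is fired.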