PoC for shortlisted DDoS Vendors

Pavel Odintsov pavel.odintsov at gmail.com
Fri Apr 3 06:27:40 UTC 2015


Yes, my toolkit can detect only volumetric attacks now. But I have finished
performance tests for an http protocol parser which could work at wire speed
too. And I'm sure I will add support for http attack detection soon.

Btw, syn flood attack detection could be implemented in a few hours in the
current code base. If anyone is interested in it I will do it shortly.

In my day to day work we get a few attacks every day.

They are divided 50/50 between dns/ssdp/snmp amplification and syn flood on http.

Other attacks are not dangerous for our network and backbone and are mitigated
manually in each case.

On Thursday, April 2, 2015, Mohamed Kamal <mkamal at noor.net> wrote:

>  Hello Pavel,
> I'm certainly biased to the open-source tools if they do the job required,
> and I appreciate your effort exerted on this project. However, based upon
> what I saw under the "features" list of your tool, I assume that it can
> detect only volumetric DDoS attacks based upon anomalies such as excessive
> number of packets/bits/connections/flows per second based upon some
> previously learnt or set threshold values.
> But what about the protocol types of attack, which, in my humble opinion
> is becoming more aggressive day after day?
> Mohamed Kamal
> Core Network Sr. Engineer
> On 4/2/2015 5:03 PM, Pavel Odintsov wrote:
> Hello!
>  What about open source alternatives? The main part of commercial ddos
> filters are simple high performance firewalls with detection logic (which
> is many times more stupid than a well trained network engineer).
>  But attacks on ISPs do not arrive so often and the detection part could be
> executed manually (or with oss tools like netflow analyzers or my own
> FastNetMon toolkit).
>  For wire speed filtration on 10ge (and even more if you have a modern cpu;
> up to 40ge) you could use netmap-ipfw with linux or freebsd with simple
> patches (for enabling multi process mode).
> On Thursday, April 2, 2015, dennis at justipit.com <dennis at justipit.com> wrote:
>> You should include Radware on that list .
>> ----- Reply message -----
>> From: "Mohamed Kamal" <mkamal at noor.net>
>> To: "NANOG" <nanog at nanog.org>
>> Subject: PoC for shortlisted DDoS Vendors
>> Date: Wed, Apr 1, 2015 9:51 AM
>> In our effort to pick up a reasonably priced DDoS appliance with a
>> competitive features, we're in a process of doing a PoC for the
>> following shortlisted vendors:
>> 1- RioRey
>> 2- NSFocus
>> 3- Arbor
>> 4- A10
>> The setup will be inline. So it would be great if anyone have done this
>> before and can help provide the appropriate tools, advices, or the
>> testing documents for efficient PoC.
>> Thanks.
>> --
>> Mohamed Kamal
>> Core Network Sr. Engineer
> --
> Sincerely yours, Pavel Odintsov

Sincerely yours, Pavel Odintsov
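The detection model discussed in this thread (per-host packet/bit rates against thresholds, plus the SYN flood check Pavel says could be added) as an added example; this is not FastNetMon's code, and the thresholds, flag constants and sample records are constructed for illustration:

```python
# Added example, not FastNetMon's code: per-destination threshold detection
# for volumetric floods and SYN floods over one sampling window.
from collections import defaultdict

PPS_THRESHOLD = 20_000          # packets/s per destination (assumed)
BPS_THRESHOLD = 1_000_000_000   # bits/s per destination (assumed)
SYN_PPS_THRESHOLD = 5_000       # bare SYNs/s per destination (assumed)
SYN_RATIO_THRESHOLD = 0.8       # bare SYNs as a fraction of all packets
TCP_SYN, TCP_ACK = 0x02, 0x10   # TCP flag bits

def aggregate(records):
    """Sum records (dst_ip, packets, bytes, tcp_flags or None) per host."""
    per_host = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0})
    for dst, packets, nbytes, flags in records:
        c = per_host[dst]
        c["packets"] += packets
        c["bytes"] += nbytes
        # A bare SYN has SYN set and ACK clear; SYN/ACK replies do not count.
        if flags is not None and flags & TCP_SYN and not flags & TCP_ACK:
            c["syn"] += packets
    return per_host

def detect(records, window_seconds=1.0):
    """Return {dst_ip: [reasons]} for hosts whose rates exceed a threshold."""
    alerts = {}
    for dst, c in aggregate(records).items():
        pps = c["packets"] / window_seconds
        bps = c["bytes"] * 8 / window_seconds
        syn_pps = c["syn"] / window_seconds
        syn_ratio = c["syn"] / c["packets"] if c["packets"] else 0.0
        reasons = []
        if pps > PPS_THRESHOLD:
            reasons.append("pps")
        if bps > BPS_THRESHOLD:
            reasons.append("bps")
        # A busy web server legitimately sees many SYNs, so the rate alone is
        # not enough: also require bare SYNs to dominate the packet mix.
        if syn_pps > SYN_PPS_THRESHOLD and syn_ratio > SYN_RATIO_THRESHOLD:
            reasons.append("syn_flood")
        if reasons:
            alerts[dst] = reasons
    return alerts

# Constructed one-second sample: a SYN flood on 10.0.0.1, a UDP byte flood
# (amplification-style) on 10.0.0.2, ordinary traffic on 10.0.0.3.
SAMPLE = [
    ("10.0.0.1", 30_000, 1_800_000, TCP_SYN),       # 30k bare SYNs, 60 B each
    ("10.0.0.1", 2_000, 200_000, TCP_ACK | 0x08),    # some PSH/ACK data
    ("10.0.0.2", 8_000, 200_000_000, None),          # 8k UDP packets, 1.6 Gbit
    ("10.0.0.3", 500, 400_000, TCP_ACK),
]
```

Run `detect(SAMPLE)` to see which hosts trip which threshold; in practice the thresholds come from a learnt per-host or per-prefix baseline rather than fixed constants.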
