20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

Jared Mauch jared at puck.Nether.net
Tue Jul 21 13:36:03 UTC 2015


On Tue, Jul 21, 2015 at 08:07:34AM -0500, Rafael Possamai wrote:
> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
> 
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.

	We profile the protocols on our network so we understand what the levels
of UDP, ICMP, IPv6, etc. are.  It's easy to pick out spikes in the graphs
that are related to attacks.  Setting thresholds related to this to minimize
impact for customers is important, as it eliminates the garbage that
networks carry and reduces the impact to sites that are under attack.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
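Both the quoted suggestion (summary statistics that decide whether traffic is "normal" without a human) and the reply (profile per-protocol levels, pick out spikes, set thresholds) describe the same detection loop. The script below is an added example, not code from either poster or from any NANOG member's network. It assumes NetFlow/sFlow-style records already exported from the routers, a 60-second bin, a Shewhart-style upper control limit (mean + k*sigma over a trailing window) as the "math", and an absolute floor standing in for the hand-set thresholds mentioned in the reply. The flow records it runs on are constructed to mimic the thread's UDP/1720 flood and are not a real capture.

```python
"""Per-protocol traffic profiling with control-chart spike detection.

Added example, not code from the NANOG thread. Aggregates flow records into
fixed intervals per protocol, builds a trailing baseline per protocol, and
flags an interval when its volume exceeds both the statistical upper control
limit (mean + k*sigma) and an absolute floor.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

INTERVAL = 60          # seconds per bin (assumption for the example)
MB = 1_000_000


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch
    proto: str     # "udp", "tcp", "icmp", ...
    dst_port: int  # 0 where the protocol has no port
    nbytes: int


def _bins(flows, interval):
    """Start of the first bin and the number of bins spanning the flows."""
    t0 = min(f.ts for f in flows) // interval * interval
    n = (max(f.ts for f in flows) - t0) // interval + 1
    return t0, n


def bucket_by_protocol(flows, interval=INTERVAL):
    """{proto: [bytes in interval 0, bytes in interval 1, ...]}"""
    if not flows:
        return {}
    t0, n = _bins(flows, interval)
    series = defaultdict(lambda: [0] * n)
    for f in flows:
        series[f.proto][(f.ts - t0) // interval] += f.nbytes
    return dict(series)


def upper_control_limit(history, k):
    """Shewhart-style limit: mean + k * population std-dev of the window."""
    return mean(history) + k * pstdev(history)


def detect_spikes(series, window=10, k=3.0, floor_bytes=0):
    """Return [(proto, interval_index, observed_bytes, ucl_bytes), ...].

    An interval is flagged only if it exceeds BOTH the control limit of the
    preceding `window` clean intervals and `floor_bytes`.  The floor matters:
    a protocol that is normally flat (sigma close to 0) would otherwise alarm
    on a few extra packets.  Flagged intervals are not fed back into the
    baseline, so a multi-hour attack does not drag the limit up behind it.
    """
    alerts = []
    for proto, values in series.items():
        clean = []  # baseline history with flagged intervals left out
        for i, v in enumerate(values):
            if len(clean) >= window:
                ucl = upper_control_limit(clean[-window:], k)
                if v > ucl and v > floor_bytes:
                    alerts.append((proto, i, v, ucl))
                    continue
            clean.append(v)
    return alerts


def top_ports(flows, proto, interval_index, interval=INTERVAL, n=3):
    """Which destination ports carried the bytes in a flagged interval."""
    t0, _ = _bins(flows, interval)
    per_port = defaultdict(int)
    for f in flows:
        if f.proto == proto and (f.ts - t0) // interval == interval_index:
            per_port[f.dst_port] += f.nbytes
    return sorted(per_port.items(), key=lambda kv: kv[1], reverse=True)[:n]


# --- Constructed sample data (not a real capture) ---------------------------
# Fifteen one-minute intervals. UDP/53 and TCP/443 jitter around a steady
# level; ICMP is flat with one tiny bump; UDP/1720 appears only in the last
# two intervals at roughly 40x the normal UDP level.
_UDP53 = [100, 105, 98, 102, 97, 103, 101, 99, 104, 100, 102, 98, 100, 101, 99]
_TCP = [500, 510, 495, 505, 498, 502, 507, 493, 501, 499, 504, 496, 500, 503, 497]
_ICMP = [2] * 11 + [3] + [2] * 3
_UDP1720 = [0] * 13 + [4000, 4200]
T0 = 1_437_480_000  # arbitrary epoch start (assumption)


def sample_flows():
    flows = []
    for i in range(15):
        ts = T0 + i * INTERVAL
        flows.append(Flow(ts, "udp", 53, _UDP53[i] * MB))
        flows.append(Flow(ts, "tcp", 443, _TCP[i] * MB))
        flows.append(Flow(ts, "icmp", 0, _ICMP[i] * MB))
        if _UDP1720[i]:
            flows.append(Flow(ts, "udp", 1720, _UDP1720[i] * MB))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    series = bucket_by_protocol(flows)
    for proto, i, seen, ucl in detect_spikes(series, floor_bytes=50 * MB):
        print(f"{proto} interval {i}: {seen / MB:.0f} MB vs limit {ucl / MB:.0f} MB;"
              f" top ports {top_ports(flows, proto, i)}")
```

Run with a floor of 50 MB the script flags only the two UDP intervals and names port 1720 as the carrier; run with `floor_bytes=0` it also alarms on the 3 MB ICMP bump, which is the false positive the per-protocol thresholds in the reply are meant to suppress. On a production export the floor would be set per protocol from the graphs the reply describes, and the window should be long enough to cover diurnal variation or be indexed by time of day.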



More information about the NANOG mailing list