automatic rtbh trigger using flow data

Paweł Małachowski pawmal-nanog at freebsd.lublin.pl
Fri Aug 31 23:51:22 UTC 2018


On Fri, Aug 31, 2018 at 11:09:19AM +0200, H I Baysal wrote:

> My personal view is, as long as you can store your flow info in a 
> timeseries database (like influxdb and NOT SQL LIKE!!!!!!!) you can do 
> whatever you want with the (raw) data. And create custom triggers for 
> different calculations.

For one of our customers I've deployed good old pmacct + MySQL
(using memory engine) backend for DDoS detection purposes.
It has some drawbacks (e.g. one has to frequently delete old
records to keep tables fit and fast) but it allows asking complex
SQL queries against this short-term data (e.g. different detection
logic per subnet) or precomputing with triggers.

> Flows are on the fly and are coming in constantly, you could have a 
> calculation like group by srcip and whatever protocol you want or just 
> srcip,

Beware of high cardinality issues when facing random src IP floods.

BTW, once again pmacct (with some glue) is nice for feeding flow
data into a time series database. It can pre-aggregate and pre-filter
low volume flows to reduce storage requirements.


-- 
Paweł Małachowski
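As an added illustration of the setup described in the post above (not the poster's own code, nor anything shipped with pmacct), the following script runs per-subnet detection logic as SQL queries over a short-lived flow table and emits candidate destination addresses for an RTBH trigger. SQLite in memory stands in for the MySQL MEMORY engine; the `acct` column names loosely follow pmacct's SQL plugin schema, but the prefixes, thresholds, window sizes and all flow records are constructed for this example.

```python
import ipaddress
import sqlite3

# Hypothetical per-subnet packet-rate thresholds (pps averaged over the window).
# Prefixes and numbers are constructed for this example, not taken from any real network.
SUBNET_THRESHOLDS = {
    ipaddress.ip_network("203.0.113.0/24"): 50_000,  # hosting block: tolerates more
    ipaddress.ip_network("198.51.100.0/24"): 5_000,  # small office block: tight limit
}
WINDOW_SECONDS = 60       # detection window
RETENTION_SECONDS = 300   # rows older than this are deleted, as the post describes
DISTINCT_SRC_LIMIT = 1000 # many distinct sources at one host hints at a spoofed flood


def open_flow_db():
    """In-memory SQLite table standing in for the MySQL MEMORY backend."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE acct (
        stamp_inserted INTEGER, ip_src TEXT, ip_dst TEXT,
        ip_proto INTEGER, packets INTEGER, bytes INTEGER)""")
    return db


def load_flows(db, flows):
    db.executemany("INSERT INTO acct VALUES (?, ?, ?, ?, ?, ?)", flows)


def prune_old(db, now_ts):
    """The periodic cleanup the post mentions; returns the number of rows dropped."""
    cur = db.execute("DELETE FROM acct WHERE stamp_inserted < ?",
                     (now_ts - RETENTION_SECONDS,))
    return cur.rowcount


def threshold_for(dst_ip):
    """Per-subnet logic: return the pps limit for the prefix containing dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    for net, pps in SUBNET_THRESHOLDS.items():
        if addr in net:
            return pps
    return None  # not a protected prefix, ignore


def detect(db, now_ts):
    """Return (dst_ip, reason) pairs that would feed an RTBH trigger."""
    since = now_ts - WINDOW_SECONDS
    # Grouping by destination keeps the result set bounded by the number of
    # protected hosts, even when the source addresses are random (high cardinality).
    rows = db.execute("""
        SELECT ip_dst, SUM(packets), COUNT(DISTINCT ip_src)
        FROM acct WHERE stamp_inserted >= ?
        GROUP BY ip_dst""", (since,)).fetchall()
    hits = []
    for ip_dst, pkts, n_src in rows:
        pps_limit = threshold_for(ip_dst)
        if pps_limit is None:
            continue
        pps = pkts / WINDOW_SECONDS
        if pps > pps_limit:
            hits.append((ip_dst, f"{pps:.0f} pps > {pps_limit} pps for its subnet"))
        elif n_src > DISTINCT_SRC_LIMIT:
            hits.append((ip_dst, f"{n_src} distinct sources in {WINDOW_SECONDS}s"))
    return hits


def sample_flows(now_ts):
    """Constructed flows: a normal server, a volumetric target, a spoofed-source
    flood that stays under the pps limit, and one stale record for the pruner."""
    flows = []
    for i in range(100):   # 100k packets / 60 s ~ 1667 pps: well below 50k
        flows.append((now_ts - 10, f"192.0.2.{i % 250 + 1}", "203.0.113.10", 6, 1000, 800_000))
    for i in range(500):   # 500k packets / 60 s ~ 8333 pps: above the 5k limit
        flows.append((now_ts - 5, f"192.0.2.{i % 250 + 1}", "198.51.100.7", 17, 1000, 1_000_000))
    for i in range(1500):  # 1500 distinct sources, only 250 pps in total
        src = str(ipaddress.ip_address("10.0.0.0") + i)
        flows.append((now_ts - 3, src, "203.0.113.20", 17, 10, 5_000))
    flows.append((now_ts - 600, "192.0.2.1", "203.0.113.10", 6, 10_000_000, 1))  # stale
    return flows


def run(now_ts=1_535_760_000):
    """Load constructed flows, prune, detect; returns (rows_pruned, sorted hits)."""
    db = open_flow_db()
    load_flows(db, sample_flows(now_ts))
    pruned = prune_old(db, now_ts)
    return pruned, sorted(detect(db, now_ts))


if __name__ == "__main__":
    pruned, hits = run()
    print(f"pruned {pruned} stale row(s)")
    for ip_dst, reason in hits:
        print(f"RTBH candidate {ip_dst}: {reason}")
```

The second rule is the one that matters for the cardinality point raised in the thread: a flood from random source addresses produces a separate group per source if you `GROUP BY ip_src`, but counting distinct sources per destination keeps both the query and the output small while still surfacing the target. In a real deployment the `hits` list would be what a script turns into a blackhole route announcement, with whatever whitelist and hold-down logic the operator requires.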


