RTBH and Flowspec Measurements - Stop guessing when the attack will over

Tom Beecher beecher at beecher.cc
Tue Feb 2 16:07:42 UTC 2021

Personally, I would absolutely, positively, never ever under any
circumstances provide access to a 3rd party company to push a FlowSpec rule
or trigger RTBH on my networks. No way.  You would be handing over a
nuclear trigger and saying "Please break me at my earliest inconvenience."

On Tue, Feb 2, 2021 at 5:56 AM Douglas Fischer <fischerdouglas at gmail.com>

> OK, but do you know any company the sells de Flowspec as a service, in the
> way that the Attack Identifications are not made by their equipment, just
> receiving de BGP-FlowSpec and applying that rules on that equipments... And
> even then give back to the customer some way to access those statistics?
> I just know one or two that do that, and(sadly) they do it on fancy web
> reports or PDFs.
> Without any chance of using that as structured data do feedback the
> anomaly detection tools to determine if already it is the time to remove
> that Flowsperc rule.
> What I'm looking for is something like:
> A) XML/JSON/CSV files streamed to my equipment from the Flowspec Upstream
> Equipments saying "Heepend that, that, and that." Almost in real time.
> B) NetFlow/IPFIX/SFlow streamed to my equipment from the Upstream
> Equipment, restricted to the DST-Address that matches to the IP blocks that
> were involved to the Flowspec or RTBH that I Annouced to then.
> C) Any other idea that does the job of gives me the visibility of what is
> happening with FlowSpec-rules, or RTBH on theyr network.
> Em seg., 1 de fev. de 2021 às 22:07, Dobbins, Roland <
> Roland.Dobbins at netscout.com> escreveu:
>> On Feb 2, 2021, at 00:34, Douglas Fischer <fischerdouglas at gmail.com>
>> wrote:
>> Or even know if already there is a solution to that and I'm trying to
>> invent the wheel.
>> Many flow telemetry export implementations on routers/layer3 switches
>> report both passed & dropped traffic on a continuous basis for DDoS
>> detection/classification/traceback.
>> It's also possible to combine the detection/classification/traceback &
>> flowspec trigger functions.
>> [Full disclosure: I work for a vendor of such systems.]
>> --------------------------------------------
>> Roland Dobbins <roland.dobbins at netscout.com>
> --
> Douglas Fernando Fischer
> Engº de Controle e Automação
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210202/337fb71e/attachment.html>

More information about the NANOG mailing list