NORDNOG Archives
Subject: Detecting dDoS?
From: Måns Nilsson <[log in to unmask]>
Reply-To: Network management discussion for Nordic region <[log in to unmask]>
Date: Mon, 8 Apr 2002 20:07:35 +0200


Has anyone thought about detecting DoS attacks by measuring the packets per
second counter and continuously comparing measurements, to be able to detect
rapid changes?

Something like this, in quasi-code:


# poll_counter, store_database, get_database and sound_alarm are placeholders
while true; do
        timestamp=$(date +%s)
        new_value=$(poll_counter)                   # current packets/s reading
        store_database "$new_value" "$timestamp"
        old_value=$(get_database "$((timestamp - 60))")   # the sample from 60 s ago
        if [ "$new_value" -gt "$((old_value + margin))" ]; then
                sound_alarm                         # "and then some" = margin
        fi
        sleep 60
done

This is probably too nervous, and prone to "crying wolf" but could probably
be made into something useful, once tuned. Minimum values could probably
benefit (suppose one has a hot standby, like APS, which suddenly goes from
one ping every 10 secs to near full load, because the other path was
backhoed. Instant wolf.)

Pointers as to why, if I'm barking up the wrong tree, would be nice.

Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
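The loop sketched in the post, worked through as an added example (this is not code from the original message or from KTHNOC). It assumes a 32-bit SNMP-style interface packet counter polled every 10 s and compared with the sample taken 60 s earlier; the counter wrap handling, the absolute pps floor, the two-sample confirmation, and all traffic figures are my own assumptions and constructed data. The second scenario reproduces the APS failover case from the post, per link and with both links' rates summed:

```python
"""Rate-of-change detector for packet counters, following the post's sketch.

Added example, not from the original message. Assumed: a 32-bit SNMP-style
interface packet counter polled every 10 s, compared with the sample taken
60 s earlier. Names, thresholds and traffic numbers are constructed.
"""
from collections import deque

COUNTER_WRAP = 2 ** 32  # assumption: 32-bit counter such as ifInUcastPkts


def counter_to_pps(prev_count, prev_ts, count, ts, wrap=COUNTER_WRAP):
    """Packets per second between two readings; undo a counter wrap-around."""
    delta = count - prev_count
    if delta < 0:            # counter wrapped between the two polls
        delta += wrap
    return delta / (ts - prev_ts)


class RateChangeDetector:
    """Alarm when the current rate exceeds `margin` x the rate `lookback` s ago.

    min_pps is the absolute floor (the "minimum values" of the post): changes
    on a near-idle link are ignored. confirm is how many consecutive
    exceeding samples are needed before alarming, which damps single spikes.
    """

    def __init__(self, lookback=60, margin=2.0, min_pps=1000.0, confirm=2):
        self.lookback, self.margin = lookback, margin
        self.min_pps, self.confirm = min_pps, confirm
        self.history = deque()   # (timestamp, pps): the post's "database"
        self.exceeded = 0

    def observe(self, ts, rate):
        """Feed one rate sample; return True if the alarm should sound."""
        # Keep the newest sample that is at least `lookback` s old at the
        # front of the deque; anything older is no longer needed.
        while len(self.history) > 1 and ts - self.history[1][0] >= self.lookback:
            self.history.popleft()
        old = None
        if self.history and ts - self.history[0][0] >= self.lookback:
            old = self.history[0][1]
        self.history.append((ts, rate))
        if old is None:                       # not enough history yet
            self.exceeded = 0
            return False
        # max(old, 1) keeps a link rising from zero a large ratio instead of
        # a division by zero.
        suspicious = rate >= self.min_pps and rate > self.margin * max(old, 1.0)
        self.exceeded = self.exceeded + 1 if suspicious else 0
        return self.exceeded >= self.confirm


def counters_to_rates(readings, wrap=COUNTER_WRAP):
    """Turn [(ts, count), ...] into [(ts, pps), ...], handling wrap-around."""
    out = []
    for (pts, pc), (ts, c) in zip(readings, readings[1:]):
        out.append((ts, counter_to_pps(pc, pts, c, ts, wrap)))
    return out


def alarms_for(rates, **kw):
    """Timestamps at which the detector would sound the alarm."""
    det = RateChangeDetector(**kw)
    return [ts for ts, r in rates if det.observe(ts, r)]


def synth_counter(pps_per_interval, interval=10, start=COUNTER_WRAP - 20_000):
    """Constructed counter readings for a link carrying the given pps per interval."""
    readings = [(0, start)]
    ts, count = 0, start
    for r in pps_per_interval:
        ts += interval
        count = (count + int(r * interval)) % COUNTER_WRAP
        readings.append((ts, count))
    return readings


# Scenario 1 (constructed): two minutes at 5 kpps, then a flood at 60 kpps.
# The start value makes the counter wrap during the first interval.
FLOOD = counters_to_rates(synth_counter([5000] * 12 + [60000] * 6))

# Scenario 2 (the post's APS case, constructed): the primary carries all
# traffic until the fibre is cut at t=120 s; the standby goes from one ping
# per 10 s to full load.
PRIMARY = [(ts, 5000.0 if ts <= 120 else 0.0) for ts in range(10, 190, 10)]
STANDBY = [(ts, 0.1 if ts <= 120 else 5000.0) for ts in range(10, 190, 10)]
COMBINED = [(ts, p + s) for (ts, p), (_, s) in zip(PRIMARY, STANDBY)]

if __name__ == "__main__":
    print("flood alarms:   ", alarms_for(FLOOD))
    print("standby alarms: ", alarms_for(STANDBY))   # the "instant wolf"
    print("combined alarms:", alarms_for(COMBINED))  # total traffic unchanged
```

Run as a script it prints the alarm timestamps for each scenario. The flood is caught on the second exceeding sample; the standby link alone alarms just the same, which is exactly the false positive the post describes, since a ratio test cannot tell a failover from a flood. Feeding the detector the sum of the primary and standby rates (the COMBINED series) yields no alarm, because the total traffic through the pair does not change; correlating the protected links before comparing is one way to quiet that particular wolf.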
