LISTSERV mailing list manager LISTSERV 15.5

NORDNOG Archives

Subject: Detecting dDoS?
From: Måns Nilsson <[log in to unmask]>
Reply-To: Network management discussion for Nordic region <[log in to unmask]>
Date: Mon, 8 Apr 2002 20:07:35 +0200
Content-Type: text/plain

Has anyone thought about detecting DoS attacks by measuring the packets per
second counter and continuously comparing measurements, to be able to detect
rapid changes?

Something like this, in quasi-code:

diff_constant=10

while true; do
        timestamp=$(date +%s)
        new_value=$(poll_counter)                 # placeholder: read the pps counter
        store_database "$new_value, $timestamp"   # placeholder: keep the sample
        old_value=$(get_database "$counter_value @ $timestamp - 60")   # placeholder: sample from 60 s ago
        old_value_and_then_some=$((diff_constant * old_value))
        if [ "$new_value" -gt "$old_value_and_then_some" ]; then
                sound_alarm                       # placeholder: raise the alert
        fi
        sleep 60
done

This is probably too nervous, and prone to "crying wolf" but could probably
be made into something useful, once tuned. Minimum values could probably
benefit (suppose one has a hot standby, like APS, which suddenly goes from
one ping every 10 secs to near full load, because the other path was
backhoed. Instant wolf.)

Pointers as to why, if I'm barking up the wrong tree, would be nice.
--
Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
