Has anyone thought about detecting DoS attacks by measuring the packets per
second counter and continuously comparing measurements, to be able to detect
Something like this, in quasi-code:
poll_counter > $new_value
store_database "$new_value, $timestamp"
get_database "$counter_value @ $timestamp - 60" > old_value
if [ $new_value -gt $old_value_and_then_some ]
This is probably too nervous, and prone to "crying wolf" but could probably
be made into something useful, once tuned. Minimum values could probably
benefit (suppose one has a hot standby, like APS, which suddenly goes from
one ping every 10 secs to near full load, because the other path was
backhoed. Instant wolf.)
Pointers as to why if I'm barking up the wrong tree would be nice.
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC MN1334-RIPE
We're sysadmins. To us, data is a protocol-overhead.
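The rate-of-change check sketched in the quasi-code above, written out as an added example (not code from the original post): each new pps sample is compared with the median of the samples from the previous 60 seconds rather than with a single earlier value, and a minimum-pps floor suppresses the "hot standby goes from idle to full load" false positive. The sample input, the function name and the threshold values are assumptions made up for the illustration.

```python
from collections import deque
from statistics import median


def detect_pps_surges(samples, window=60, ratio=3.0, floor_pps=1000):
    """Flag packets-per-second surges.

    samples: iterable of (timestamp_seconds, pps) in time order.
    A sample is flagged when it exceeds `ratio` times the median of the
    samples seen in the previous `window` seconds AND is at least
    `floor_pps`, so a link waking up from near-idle is not reported.
    Returns a list of (timestamp, pps, baseline) tuples.
    """
    history = deque()  # (timestamp, pps) pairs inside the window
    alerts = []
    for ts, pps in samples:
        # drop samples that fell out of the comparison window
        while history and ts - history[0][0] > window:
            history.popleft()
        if history:
            baseline = median(v for _, v in history)
            if pps >= floor_pps and pps > ratio * baseline:
                alerts.append((ts, pps, baseline))
        history.append((ts, pps))
    return alerts


# Constructed input: a 10-second polling interval, steady ~2000 pps,
# then a sudden jump to 20000 pps at t=60.
ATTACK_SAMPLES = [(0, 2000), (10, 2100), (20, 1900), (30, 2050),
                  (40, 2000), (50, 1950), (60, 20000), (70, 20000)]

# Constructed input: a hot-standby path idling at one ping every 10 s
# that takes over real traffic at t=60 (a 5000x jump, but under the floor).
FAILOVER_SAMPLES = [(0, 0.1), (10, 0.1), (20, 0.1), (30, 0.1),
                    (40, 0.1), (50, 0.1), (60, 500), (70, 500)]

if __name__ == "__main__":
    for name, data in (("attack", ATTACK_SAMPLES), ("failover", FAILOVER_SAMPLES)):
        print(name, detect_pps_surges(data))
```

The floor is the tuning knob: set too high it hides a flood against a normally quiet host, set too low it cries wolf on every failover, so it is best derived per interface from observed traffic rather than fixed globally.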