> Has anyone thought about detecting DoS attacks by measuring the packets per
> second counter and continuously comparing measurements, to be able to detect
> rapid changes?
We have tried a few approaches, limiting ICMP bandwidth and looking for
packet drops, and just trying to pull the ICMP packet amount out of the data.
Both have turned out to be pretty good to use as debugging tools (as was
noted during the last RIPE meeting...:) ), but as you note - triggering
alarms is trickier as you will see a lot of false ones.
- kurtis -