Hi,
We run a really heterogeneous network -basically because we offer services to several thousand customers who host with us their infrastructure- we have our own DDOS detection and scrubbing system, which is mainly build for volumetric detection and we also divert traffic via BGP announcement to an external provider for big attacks scrubbing. Basically we have several taps on our network, and traffic is sniffed by machines running iptables with some high performance rules, that are able to detect attacks.
It's running quite well, but as it's basically designed to be a volumetric attack detection system, some small attacks are not really detected because their are under our detection threshold.
These small attacks should be theoretically handled by our customers directly, as they are so small their own infrastructure should not have problems handling them, but I'm trying to anyway improve our own system.
What I always found quite difficult is to find DOS or DDOS attack "definitions". I know for example there is malicious traffic which is quite easy to identify (UDP port 0 or similar) but I've never been able to find kind of "definitions" for DDOS attack detection. I would like to find some "definitions" with things like "hping3 SYNs have the ACK flag set" (unless -L 0 option is used) that would make really easy to write custom rules to detect and block this kind of traffic.
So I'm wondering, what do you use for DOS or DDOS attack detection? And also, is there any kind of definitions out there that could be used to identify most common attack traffic?
Thanks!
No comments:
Post a Comment