You could do SQC with FastNetMon. We have per subnet / per host and per protocol counters. We are working on multi 100GE mode very well :)

On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai <raf...@gav.ufsc.br> wrote:

> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
>
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.
>
> On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch <ja...@puck.nether.net> wrote:
>
>> On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
>> >
>> > DNS is still largely UDP.
>>
>> Water is also still wet :) - but you may not be doing 10% of your
>> links as UDP/53.
>>
>> DNS can also use TCP as well, including sending more than one
>> query in a pipelined fashion.
>>
>> The challenge that Cameron is trying to document here
>> is when seeing large volumes of UDP it becomes necessary to do
>> something to keep the network up. This response is frustrating for those
>> of us who prefer to have an unfiltered e2e network but maintaining
>> the network as up in the face of these adverse conditions is important.
>>
>> - Jared
>>
>> >
>> > --Curtis
>> >
>> > On 7/20/2015 5:40 PM, Ca By wrote:
>> > >Folks, it may be time to take the next step and admit that UDP is too
>> > >broken to support
>> > >
>> > >https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
>> > >
>> > >Your comments have been requested
>> > >
>> > >
>> > >
>> > >On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver <drew.wea...@thenap.com> wrote:
>> > >
>> > >>Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
>> > >>coming from China being sent towards IP addresses which provide VoIP
>> > >>services?
>> > >>
>> > >>I'm talking in the 20-30Gbps range?
>> > >>
>> > >>The first incident was yesterday at around 13:00 EST, the second incident
>> > >>was today at 09:00 EST.
>> > >>
>> > >>I'm assuming this is just another DDoS like all others, but I would be
>> > >>interested to hear if I am not the only one seeing this.
>> > >>
>> > >>On list or off-list is fine.
>> > >>
>> > >>Thanks,
>> > >>-Drew
>> > >>
>> > >>
>> >
>> > --
>> > Best Regards
>> > Curtis Maurand
>> > Principal
>> > Xyonet Web Hosting
>> > mailto:cmaur...@xyonet.com
>> > http://www.xyonet.com
>>
>> --
>> Jared Mauch | pgp key available via finger from ja...@puck.nether.net
>> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
>>

--
Sincerely yours, Pavel Odintsov
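
An added illustration of the SQC idea discussed in this thread, not part of any message and not FastNetMon's code or algorithm: a one-sided control chart kept per (host, protocol) counter that alarms only when several consecutive intervals exceed the learned baseline, so a one-off spike is ignored while a repeating flood is flagged. The class and function names, the thresholds, and the packets-per-second samples are all assumptions constructed for the example.

```python
import math
from collections import defaultdict

class ControlChart:
    """One-sided control chart over an exponentially weighted baseline."""

    def __init__(self, alpha=0.2, k=3.0, warmup=8, run=3):
        self.alpha, self.k, self.warmup, self.run = alpha, k, warmup, run
        self.mean = self.var = 0.0
        self.n = self.streak = 0

    def observe(self, x):
        """Return True once `run` consecutive samples exceed mean + k*sigma."""
        if self.n >= self.warmup:
            # Floor sigma at 5% of the mean (assumed value) so a very flat
            # baseline does not alarm on trivial jitter.
            sigma = max(math.sqrt(self.var), 0.05 * self.mean)
            if x > self.mean + self.k * sigma:
                self.streak += 1
                # Out-of-control samples never update the baseline, so a
                # sustained flood cannot teach the chart that it is normal.
                return self.streak >= self.run
        self.streak = 0
        if self.n == 0:
            self.mean = float(x)
        else:
            d = x - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.n += 1
        return False

def detect(samples):
    """Take (interval, host, protocol, pps) tuples; return alarmed (interval, host, protocol)."""
    charts = defaultdict(ControlChart)  # one chart per (host, protocol) counter
    return [(t, host, proto) for t, host, proto, pps in samples
            if charts[(host, proto)].observe(pps)]

# Constructed sample data: steady UDP baseline, a one-off spike at interval 10,
# then a sustained flood from interval 13 onward; TCP stays flat throughout.
UDP_PPS = [1000, 1020, 980, 1010, 990, 1005, 995, 1015, 985, 1000,
           9000, 1010, 990, 9500, 9800, 9700, 9900]
SAMPLES = [(t, "192.0.2.10", "udp", pps) for t, pps in enumerate(UDP_PPS)]
SAMPLES += [(t, "192.0.2.10", "tcp", 500 + (t % 3) * 10) for t in range(len(UDP_PPS))]

if __name__ == "__main__":
    for alarm in detect(SAMPLES):
        print("out of control:", alarm)
```
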