Hi Peter,

changing them on the fly is not supported. It is better to filter the host with -f so as to avoid processing packets at all, instead of discarding egress flows.

Yes, if there is a DoS, flows exceeding the threshold are dropped; this is to avoid DoSing nProbe as well. What is the algorithm you have in mind exactly?

Regards
Luca

> On 21 Feb 2019, at 01:03, Peter Giles <[email protected]> wrote:
>
> Hi ntop team, I have a couple of nProbe questions for you:
>
> We had an incident where a badly behaved host increased the number of flow
> records being generated by nProbe by a factor of 10 and really stressed our
> downstream processing. I ended up restarting our nProbe processes with an
> added --black-list x.x.x.x/32 option to ignore that host. That led me to
> wonder, is there any way to dynamically change the blacklist configuration so
> that in the future I could add a host or network without having to restart
> nProbe? Doing so without restarting would be preferable since restarting will
> result in some data loss across all the monitored traffic. I didn't see
> anything in the documentation, but thought it would be worth checking here.
>
> On a related note, I wonder about the --max-num-flows option which limits the
> number of active flows in the case of DoS, etc. In the event that the maximum
> number of flows is exceeded, what flows will get discarded? Any new flows
> above the limit, or is there a more selective algorithm?
>
> Thank you!
> Peter
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
