Re: Linux router traffic monitoring, how? netflow?

2014-11-14 Thread srn . nanog
fprobe is a Linux-based netflow probe that uses libpcap (as does tcpdump) and is already in the Ubuntu universe repository. There is an IPv4-only iptables-based version too called fprobe-ulog. For collectors, it looks like the ones already available in Ubuntu are nfcapd from nfdump and flow-cap

Re: Tech Laptop with DB9

2014-11-10 Thread srn . nanog
If USB is banned, ask about expansion cards. The HP 650 G1 has a serial port, but it's not cheap.

On 11/10/2014 12:39 PM, Max Clark wrote:
> Hi all,
>
> DB9 ports seem to be a nearly extinct feature on laptops. Any suggestions on a cheap laptop for use in field support (with an onboard DB9)

Re: Reporting DDOS reflection attacks

2014-11-09 Thread srn . nanog
On 11/09/2014 09:31 AM, Brian Rak wrote:
> Some tips:
> 1) Verify the servers are still vulnerable. This is pretty straightforward, and saves everyone involved some time

For a DDOS, I'd be concerned that the provider would now think my activity was malicious.

> 2) Your abuse emails should

Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-08 Thread srn . nanog
http://www.andrisoft.com/software/wanguard/ddos-mitigation-protection
https://bitbucket.org/tortoiselabs/ddosmon
https://github.com/FastVPSEestiOu/fastnetmon

I have no idea if any of them actually work.

On 11/08/2014 05:10 PM, Eric C. Miller wrote:
> Today, we experienced (3) separate DDoS atta

Re: Reporting DDOS reflection attacks

2014-11-08 Thread srn . nanog
On 11/08/2014 03:30 AM, Ruairi Carroll wrote:
> Whois data *seems* to be a little more reliable, and there's an abuseEmail script out there that helps automate the abuse contact lookup ( http://abuseemail.sourceforge.net/ ).

I believe this script is out of date and I would not use this

Re: Reporting DDOS reflection attacks

2014-11-08 Thread srn . nanog
On 11/07/2014 11:20 PM, Paul Bennett wrote:
> On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins wrote:
>>
>> On 8 Nov 2014, at 1:56, srn.na...@prgmr.com wrote:
>>
>>> But right now how should we be doing it?
>>
>>
>
> Once you get the ASN or at lea

Reporting DDOS reflection attacks

2014-11-07 Thread srn . nanog
Like most small providers, we occasionally get hit by DoS attacks. We got hammered by an SSDP reflection attack (UDP port 1900) last week. We took a 27-second log and from there extracted about 160k unique IPs. It is really difficult to find abuse emails for 160k IPs. We know about abuse.net bu