RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote : > I'm really surprised that you all are doing this based on source ip, simply > because I thought the distribution of botnet members around > the world were so extensive that I never really thought it possible to > filter based on sources, if so I'd like to see the list

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Roland Dobbins
On 31 Aug 2018, at 6:47, Aaron Gould wrote: I'm really surprised that you all are doing this based on source ip, simply because I thought the distribution of botnet members around the world were so extensive that I never really thought it possible to filter based on sources, i Using S/RTBH

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
I'm really surprised that you all are doing this based on source ip, simply because I thought the distribution of botnet members around the world were so extensive that I never really thought it possible to filter based on sources, if so I'd like to see the list too Even so, this would not

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Joe Maimon wrote : > I use a bunch of scripts plus a supervisory sqlite3 database process all > injecting into quagga I have the sqlite part planned, today I'm using a flat file :-( I know :-( > Also aimed at attacker sources. I feed it with honeypots and live servers, > hooked into fail2ban

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Joe Maimon
Michel Py wrote: Aaron Gould wrote : Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered blackhole) route using bgp ? ...I'm thinking we could use quagga or a script of some sort to interact with a router to advertise to bgp the /32 host route of the victim

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote : > Thanks, but what if the attacker is many... like thousands ? ...isn't that > typically what we see, is tons and tons of sources (hence distributed dos) > ? At this very moment I blacklist ~ 56,000 individual /32s and historically it has been up to 135,000 at times.

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Ryan Hamel
Exactly Aaron. No provider will allow a customer to null route a source IP address. I could only assume that a null route on Michel's network is tanking the packets at their edge to 192.0.2.1 (discard/null0). -- Ryan Hamel Senior Support Engineer ryan.ha...@quadranet.com | +1 (888) 578-2372

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Thanks, but what if the attacker is many... like thousands ? ...isn't that typically what we see, is tons and tons of sources (hence distributed dos) ? -Aaron -Original Message- From: Michel Py [mailto:michel...@tsisemi.com] Sent: Thursday, August 30, 2018 3:17 PM To: Aaron Gould;

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote : > Hi, does anyone know how to use flow data to trigger a rtbh (remotely > triggered blackhole) route using bgp ? ...I'm thinking we could use > quagga or a script of some sort to interact with a router to advertise to bgp > the /32 host route of the victim under attack.

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Wow, 4 replies for fastnetmon, thanks Ryan, Vincente, Job and Kushal I'll look into it -Aaron From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Gould Sent: Thursday, August 30, 2018 2:53 PM To: Nanog@nanog.org Subject: automatic rtbh trigger using flow data Hi, does

RE: automatic rtbh trigger using flow data

2018-08-30 Thread Ryan Hamel
There is software that combines your needs altogether. I'm sure there are others. WANGuard from Andrisoft (https://www.andrisoft.com/software/wanguard) Fastnetmon (https://fastnetmon.com/) From: NANOG On Behalf Of Aaron Gould Sent: Thursday, August 30, 2018 12:53 PM To: Nanog@nanog.org

Re: automatic rtbh trigger using flow data

2018-08-30 Thread Vicente De Luca
fastnetmon does exactly what you’re looking for. https://fastnetmon.com/ there is also an open source version https://github.com/pavel-odintsov/fastnetmon my best —vicente > On Aug 30, 2018, at 12:52 PM, Aaron Gould

automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered blackhole) route using bgp ? ...I'm thinking we could use quagga or a script of some sort to interact with a router to advertise to bgp the /32 host route of the victim under attack. Btw, I already have nfsen

Re: What NMS do you use and why?

2018-08-30 Thread Jon Wolberg
There are many other threads on this topic as well. I can say +1 for check_mk though. On Thu, Aug 30, 2018 at 7:24 AM Faisal Imtiaz wrote: > Having done a full circle on the number of network monitoring packages, > dealing with pros and cons, we ended up with using Check_mk, moreover >

Re: What NMS do you use and why?

2018-08-30 Thread Andrew Latham
Additionally mention: * https://www.centreon.com/en/solutions/centreon/ Related Tooling: * https://www.cyphon.io/ On Wed, Aug 15, 2018 at 8:51 AM Colton Conor wrote: > We are looking for a new network monitoring system. Since there are so > many operators on this list, I would like to know

Re: What NMS do you use and why?

2018-08-30 Thread Faisal Imtiaz
Having done a full circle on the number of network monitoring packages, dealing with pros and cons, we ended up with using Check_mk, moreover OMD http://omdisto.org We found (OMD) this to be a very powerful combination of different packages, each can shine for its own strength and

Re: TekSavvy (Canada) contact

2018-08-30 Thread Paul Stewart
Folks – please do *not* request “clueful neteng point of contact” on the list if you are really looking to place an order for residential service.  Thanks … Paul From: NANOG on behalf of "p...@paulstewart.org" Date: Wednesday, August 29, 2018 at 6:09 PM To: Mike Hammett Cc: