Hi Thomas,
Interesting timing - we've also been seeing a big increase in the same
over the last few weeks, mainly targeting schools from automated (&
cheap!) online 'booter' services (presumably instigated by students who
have had enough of their IT lessons). We've also been forced to script
something similar to analyse flows each minute and advertise blackholes
upstream in an automated fashion in order to react quicker. I found
that the complexity (and the bit I imagine the paid mitigation services
spend a lot of their R&D on) is the 'analysis' part to reliably detect.
I found it easy enough for some of the simple attacks hitting us
though. Our scripted version is very specific to the way we're set up
so it wouldn't really translate elsewhere, but I'll be interested to
take a look through your git repo. Alas, I'm no front-end/gui coder
either :)
One thing I did think would be useful while I was doing this, was if
there was an 'open' online IP address reputation database (similar to a
spam reputation db) - I couldn't find one with a quick Google. Seems to
me it wouldn't take much for different providers all analysing flows to
come up with a fairly reliable list of sources for some of this
amplification attack traffic (provided the source isn't spoofed, which
normally amplified stuff wouldn't be). Having that list to use when
determining whether a flow I'm analysing is a DDoS (to use as a
weighting amongst other factors) would help a lot, and could maybe even
be used to drop such traffic in the network based on source rather than
blackholing destinations upstream, provided the network could take the
hit (though getting into a bit of neutrality debate there I guess!)
Regards,
Robin.
On 12/02/14 19:05, Thomas Mangin wrote:
As I have been asked off-line quite a few times :
We wrote it to complement NFSEN. You can only search NFSEN once the data has
been fully analysed.
It means that most of the time you have to wait a few minutes.
We were seeing 15 mns DDOS, at least twice a day. By the time we had identified
the DDOS pattern, it was off.
This is what prompted the creation of ExaDDOS. Just to be able to see what was
happening in that time and react faster.
Thomas
On 12 Feb 2014, at 16:57, Thomas Mangin <thomas.man...@exa-networks.co.uk>
wrote:
Hello,
Because :
- Exa has been under attack way too much these last weeks
- We hate to have to deal with it
Because:
- Andrisoft seems cool but does not do FlowSpec
- Arbor is known for its price (and features)
- I am from Yorkshire (How much do you pay me to find bugs in your shiny
application?)
Because:
- We can ...
- And people can not be bothered to fix the problem at source !
I have been working on making our internal tool ( Thank you Daniel ) something
which can be built on and released to the community.
The repository is here: https://github.com/Exa-Networks/exaddos
The code is not even one week old but it can :
- use SNMP to monitor your EBGP interfaces
- parse IPFIX to find your top speakers
- provide you the data in a HORRIBLE web page (but all the rendering is
client side, so feel free to fix that!)
Now I would love some help ... I am NOT a web designer who finds Javascript easy
(I can handle jquery and basic stuff but nice CSS is not my cup of tea), so it
will not look nice unless someone else makes it so.
I can provide the underlying data via JSON in whatever way one may need to
allow :
- graphing of links
- allow drilling down on top speakers to find proto / ports information
- "one click" get rid of that DDOS for <IP> <proto>
I did some of this stuff with ExaProxy so I am not totally useless but god
knows it is not my strength !
So any help would be welcome, so I can go back to coding on BGP and not DDOS.
Thomas
PS: I created a G+ community ExaDDOS .. I will try to add a mailing list later
on.
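Both posts above describe the same loop: analyse a minute of flow data, rank the top speakers, decide whether a destination is under attack, and emit a blackhole for it upstream. Robin also suggests weighting that decision with a source-reputation list. The block below is an added example sketching that analysis step; it is not code from ExaDDOS or from Robin's script. It assumes flows have already been decoded into simple records (the IPFIX parsing is out of scope), uses a constructed reputation set and constructed sample flows, and treats UDP traffic sourced from NTP (123) and DNS (53) as amplification-like, which is an assumption about which reflection ports matter on a given network.

```python
"""Minute-window flow analysis for DDoS candidates, with reputation weighting.

Added example, not the ExaDDOS code or Robin's script. Assumes flows are already
decoded into records; reputation list, sample flows and thresholds are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    bytes: int


# Assumed reflection source ports for amplification traffic (NTP, DNS).
AMPLIFICATION_SPORTS = {123, 53}
# RFC 7999 well-known BLACKHOLE community, used in the suggested action string.
BLACKHOLE_COMMUNITY = "65535:666"


def aggregate_by_destination(flows: List[Flow]) -> Dict[str, dict]:
    """Sum packets, bytes, distinct sources and amplification-port packets per destination."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "amp_packets": 0})
    for f in flows:
        d = agg[f.dst]
        d["packets"] += f.packets
        d["bytes"] += f.bytes
        d["sources"].add(f.src)
        if f.proto == "udp" and f.sport in AMPLIFICATION_SPORTS:
            d["amp_packets"] += f.packets
    return agg


def score_destination(stats: dict, reputation: Set[str], window_seconds: int,
                      pps_threshold: int) -> Tuple[int, float, List[str]]:
    """Score one destination on rate, amplification share and reputation-listed sources.

    Each factor adds one point; a score of 2 or more is treated as a DDoS candidate,
    so the reputation list only weights the decision rather than making it alone.
    """
    pps = stats["packets"] / window_seconds
    score, reasons = 0, []
    if pps >= pps_threshold:
        score += 1
        reasons.append(f"pps {pps:.0f} >= {pps_threshold}")
    amp_frac = stats["amp_packets"] / stats["packets"] if stats["packets"] else 0.0
    if amp_frac > 0.8:
        score += 1
        reasons.append(f"{amp_frac:.0%} of packets from amplification ports")
    listed = stats["sources"] & reputation
    if listed and len(listed) / len(stats["sources"]) >= 0.25:
        score += 1
        reasons.append(f"{len(listed)}/{len(stats['sources'])} sources reputation-listed")
    return score, pps, reasons


def analyse_window(flows: List[Flow], reputation: Set[str], window_seconds: int = 60,
                   pps_threshold: int = 10000) -> Tuple[list, List[dict]]:
    """Rank destinations by packet count and return (ranked top speakers, candidates)."""
    agg = aggregate_by_destination(flows)
    ranked = sorted(agg.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    candidates = []
    for dst, stats in ranked:
        score, pps, reasons = score_destination(stats, reputation, window_seconds, pps_threshold)
        if score >= 2:
            candidates.append({
                "dst": dst, "pps": pps, "score": score, "reasons": reasons,
                # The action an operator's BGP speaker would announce upstream.
                "action": f"blackhole {dst}/32 community {BLACKHOLE_COMMUNITY}",
            })
    return ranked, candidates


# Constructed reputation list: 15 of the 40 reflector addresses used below.
REPUTATION = {f"198.51.100.{i}" for i in range(1, 16)}


def sample_flows() -> List[Flow]:
    """Constructed one-minute window: an NTP reflection flood plus ordinary web traffic."""
    flows = []
    for i in range(1, 41):   # 40 reflectors, 20k packets each -> 800k packets in 60 s
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", "udp", 123, 40000 + i,
                          20000, 20000 * 468))
    flows.append(Flow("192.0.2.5", "203.0.113.20", "tcp", 51000, 443, 3000, 3000 * 900))
    return flows


if __name__ == "__main__":
    ranked, candidates = analyse_window(sample_flows(), REPUTATION)
    for dst, stats in ranked[:5]:
        print(f"{dst:16} {stats['packets'] / 60:10.0f} pps  {len(stats['sources'])} sources")
    for c in candidates:
        print("CANDIDATE", c["dst"], "score", c["score"], "->", c["action"], "|", "; ".join(c["reasons"]))
```

The scoring is deliberately multi-factor: a destination that merely receives a lot of packets (a busy web server) scores one point at most, while reflection traffic from partly reputation-listed sources scores three, which is the weighting role Robin describes for a shared source list. Thresholds and the 25% listed-source fraction are placeholders to be tuned per network.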