Solved

DDOS detector - sflow question

Posted on 2014-12-10
5
155 Views
Last Modified: 2015-04-07
1. Our network has some rules which block  spoof traffic to the outside but we can not block flood traffics with real ip addresses .
2. Some type of DDOS traffics could not be blocked from our firewalls which is in front of the our router.

we want to follow sflow and if an ip on both ways (inbound and outbound ) has too much traffic then we want to be informed immediately and if an ip has more then too much traffic :) then we want to let it block directly automatically

is there any software like this
0
Comment
Question by:Cahit Eyigunlu
  • 3
  • 2
5 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40491821
flow-tools with sflowtool is what i use for sflow traffic.  you can install ntop for a graphical display of utilization.
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40491969
we do not like ntop we have build our perl scripts with flow tools but we could not improve it enough it just mail other isps log attacks and do some operations like creating rules on routers for blocking the flooders etc.

but some isps sending mails like that

Dear Sir/Madam,

We have detected abuse from the IP address 178.20.226.48, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0100 (CET)


Lines from /var/log/auth.log
Dec 10 18:06:29 lin1 sshd[21300]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:29 lin1 sshd[21300]: Invalid user admin from 178.20.226.48 Dec 10 18:06:29 lin1 sshd[21300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48 Dec 10 18:06:31 lin1 sshd[21300]: Failed password for invalid user admin from 178.20.226.48 port 59457 ssh2 Dec 10 18:06:32 lin1 sshd[21300]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth] Dec 10 18:06:33 lin1 sshd[21303]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:33 lin1 sshd[21303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48  user=root Dec 10 18:06:35 lin1 sshd[21303]: Failed password for root from 178.20.226.48 port 60028 ssh2 Dec 10 18:06:35 lin1 sshd[21303]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth] Dec 10 18:06:36 lin1 sshd[21307]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:36 lin1 sshd[21307]: Invalid user guest from 178.20.226.48 Dec 10 18:06:36 lin1 sshd[21307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48 

Open in new window



this are pcap results and sending automatically ...etc. we are looking some complete solutions like that
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 40491994
Have you checked into blackhole routing?

If you monitored flows and took that data, you should be able to script that to the blackhole on the router (and get data for an automated email).

I've read about FastNetMon but do not use it.  The only question that came up regarding any type of automated packet suppression was "what is your customer IPs were being spoofed?".
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40491997
that is our customer's ip address mentioned in the email , we want to log in attack time as that and send a copy to customer an other copy to owner isp of the email address actually we do half of it but we could not capture packets as this instead of developing this we are looking for ready to use tool

which has maybe other capabilities like network discovery , statics , logs, snmp , ip traffic monitor , logging history , router automation ...etc
0
 

Author Closing Comment

by:Cahit Eyigunlu
ID: 40710813
Thank you
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Skype for Business video calls drops 2 61
WLC 5508 controller configuration 4 80
f5 Persistence 14 52
looking for a program or router to monitor internet connection 4 51
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question