DDOS detector - sflow question

Posted on 2014-12-10
Last Modified: 2015-04-07
1. Our network has some rules which block spoofed traffic to the outside, but we cannot block flood traffic with real IP addresses.
2. Some types of DDoS traffic cannot be blocked by our firewalls, which are in front of our router.

We want to follow sflow, and if an IP on both ways (inbound and outbound) has too much traffic, then we want to be informed immediately; and if an IP has more than too much traffic :) then we want it blocked directly and automatically.

Is there any software like this?
Question by:Cahit Eyigunlu
5 Comments

Expert Comment

by:Jan Springer
ID: 40491821
flow-tools with sflowtool is what I use for sflow traffic. You can install ntop for a graphical display of utilization.

Author Comment

by:Cahit Eyigunlu
ID: 40491969
We do not like ntop. We have built our Perl scripts with flow-tools, but we could not improve them enough; they just mail other ISPs, log attacks, and do some operations like creating rules on routers for blocking the flooders, etc.

But some ISPs send mails like this:

Dear Sir/Madam,

We have detected abuse from the IP address 178.20.226.48, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0100 (CET)


Lines from /var/log/auth.log
Dec 10 18:06:29 lin1 sshd[21300]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:29 lin1 sshd[21300]: Invalid user admin from 178.20.226.48
Dec 10 18:06:29 lin1 sshd[21300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48
Dec 10 18:06:31 lin1 sshd[21300]: Failed password for invalid user admin from 178.20.226.48 port 59457 ssh2
Dec 10 18:06:32 lin1 sshd[21300]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth]
Dec 10 18:06:33 lin1 sshd[21303]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:33 lin1 sshd[21303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48  user=root
Dec 10 18:06:35 lin1 sshd[21303]: Failed password for root from 178.20.226.48 port 60028 ssh2
Dec 10 18:06:35 lin1 sshd[21303]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth]
Dec 10 18:06:36 lin1 sshd[21307]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:36 lin1 sshd[21307]: Invalid user guest from 178.20.226.48
Dec 10 18:06:36 lin1 sshd[21307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48




These are pcap results, sent automatically, etc. We are looking for some complete solution like that.

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 40491994
Have you checked into blackhole routing?

If you monitored flows and took that data, you should be able to script that to the blackhole on the router (and get data for an automated email).

I've read about FastNetMon but do not use it. The only question that came up regarding any type of automated packet suppression was "what if your customer IPs were being spoofed?".
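An added example (not code from the question or from either commenter, and not flow-tools, sflowtool or FastNetMon code) of the mechanism the question asks for and the accepted solution sketches: per-IP inbound and outbound rates estimated from sampled flow records, an alert tier and a block tier, and a blackhole action scripted from the block tier. The record layout, the prefixes and addresses, the thresholds, the window length and the discard next-hop are all constructed assumptions; the field order is only loosely modelled on sflowtool's line output and is not its documented format. Following the spoofing caveat in the accepted solution, the block tier null-routes a flooded local destination (the victim, the usual RTBH target) automatically, but a local source that appears to be flooding outward is queued for review rather than blocked, because that source address may have been spoofed by someone outside.

```python
"""sFlow-style per-IP rate watcher with alert and block tiers (constructed example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed field positions in a comma-separated FLOW record (constructed for this
# example; loosely modelled on sflowtool -l line output, not its documented layout).
F_TYPE, F_AGENT, F_SRC_IP, F_DST_IP, F_PROTO, F_BYTES, F_RATE = range(7)


@dataclass
class Counters:
    inbound: int = 0    # estimated bytes sent towards a local address
    outbound: int = 0   # estimated bytes sent from a local address


class FlowWatcher:
    """Accumulates sampled flow records for one measurement window."""

    def __init__(self, local_prefixes, alert_bps, block_bps, window_s):
        self.local = [ipaddress.ip_network(p) for p in local_prefixes]
        self.alert_bps = alert_bps    # notify at this rate (bit/s)
        self.block_bps = block_bps    # act at this rate (bit/s)
        self.window_s = window_s      # seconds covered by the accumulated samples
        self.bytes = defaultdict(Counters)

    def is_local(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.local)

    def feed(self, line):
        parts = line.strip().split(",")
        if len(parts) <= F_RATE or parts[F_TYPE] != "FLOW":
            return  # counter records and truncated lines are ignored
        src, dst = parts[F_SRC_IP], parts[F_DST_IP]
        # One sampled packet stands for sampling_rate packets on the wire.
        estimated = int(parts[F_BYTES]) * int(parts[F_RATE])
        if self.is_local(dst):
            self.bytes[dst].inbound += estimated
        if self.is_local(src):
            self.bytes[src].outbound += estimated

    def decide(self):
        """Map each local IP that crossed a threshold to a decision for this window."""
        decisions = {}
        for ip, c in self.bytes.items():
            in_bps = c.inbound * 8 / self.window_s
            out_bps = c.outbound * 8 / self.window_s
            if in_bps >= self.block_bps:
                action = "blackhole"   # flooded local destination: null-route the victim
            elif out_bps >= self.block_bps:
                action = "review"      # local source flooding out: address may be spoofed
            elif max(in_bps, out_bps) >= self.alert_bps:
                action = "alert"
            else:
                continue
            decisions[ip] = {"in_bps": in_bps, "out_bps": out_bps, "action": action}
        return decisions


def blackhole_actions(decisions, discard_next_hop="192.0.2.254"):
    """Router actions for each 'blackhole' decision: the /32 announced with the
    well-known BLACKHOLE community 65535:666 (RFC 7999) towards a discard next-hop,
    plus an IOS-style static null route. The next-hop value is a constructed placeholder."""
    return [
        {
            "prefix": f"{ip}/32",
            "bgp": {"next_hop": discard_next_hop, "community": "65535:666"},
            "static_route": f"ip route {ip} 255.255.255.255 Null0",
        }
        for ip, d in decisions.items() if d["action"] == "blackhole"
    ]


def report_line(ip, d):
    """One notification line of the kind an automated mail would carry."""
    return (f"{d['action'].upper():9} {ip:15} in={d['in_bps'] / 1e6:.1f} Mbit/s "
            f"out={d['out_bps'] / 1e6:.1f} Mbit/s")


# Constructed sample: 1500-byte packets sampled 1-in-4096, all inside one 10 s window.
SAMPLE_LINES = (
    [f"FLOW,192.0.2.1,198.51.100.{i % 5},192.0.2.10,17,1500,4096" for i in range(45)]
    + ["FLOW,192.0.2.1,203.0.113.7,192.0.2.20,6,1500,4096"] * 12
    + ["FLOW,192.0.2.1,192.0.2.30,203.0.113.9,17,1500,4096"] * 50
    + ["FLOW,192.0.2.1,192.0.2.40,198.51.100.2,6,1500,4096"] * 2
    + ["CNTR,192.0.2.1,3,0,0", "FLOW,192.0.2.1,198.51.100.1,203.0.113.1,6,1500,4096"]
)


def run_sample():
    w = FlowWatcher(["192.0.2.0/24"], alert_bps=50e6, block_bps=200e6, window_s=10)
    for line in SAMPLE_LINES:
        w.feed(line)
    return w.decide()


if __name__ == "__main__":
    decisions = run_sample()
    for ip, d in sorted(decisions.items()):
        print(report_line(ip, d))
    for act in blackhole_actions(decisions):
        print(act["static_route"], act["bgp"])
```

In a real deployment the watcher would be fed from the collector's line output for each window and the counters cleared (`w.bytes.clear()`) before the next one; the thresholds here are only illustrative, and a production version would also carry the decisions into the mail and router steps the question describes.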

Author Comment

by:Cahit Eyigunlu
ID: 40491997
That is our customer's IP address mentioned in the email. We want to log it at attack time like that and send a copy to the customer and another copy to the owner ISP of the email address. Actually we do half of it, but we could not capture packets like this. Instead of developing this, we are looking for a ready-to-use tool

which maybe has other capabilities like network discovery, statistics, logs, SNMP, IP traffic monitor, logging history, router automation, etc.

Author Closing Comment

by:Cahit Eyigunlu
ID: 40710813
Thank you
