DDOS detector - sflow question

1. Our network has some rules which block spoofed traffic to the outside, but we cannot block flood traffic with real IP addresses.
2. Some types of DDoS traffic cannot be blocked by our firewalls, which are in front of our router.

We want to follow sFlow, and if an IP on both ways (inbound and outbound) has too much traffic, then we want to be informed immediately; and if an IP has more than too much traffic :) then we want to let it be blocked directly and automatically.

Is there any software like this?
1 Solution
 
Jan Springer Commented:
flow-tools with sflowtool is what I use for sFlow traffic. You can install ntop for a graphical display of utilization.
 
FireBallIT Author Commented:
We do not like ntop. We have built our Perl scripts with flow-tools, but we could not improve them enough; they just mail other ISPs, log attacks and do some operations like creating rules on routers for blocking the flooders, etc.

But some ISPs send mails like this:

Dear Sir/Madam,

We have detected abuse from the IP address 178.20.226.48, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0100 (CET)


Lines from /var/log/auth.log
Dec 10 18:06:29 lin1 sshd[21300]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:29 lin1 sshd[21300]: Invalid user admin from 178.20.226.48
Dec 10 18:06:29 lin1 sshd[21300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48
Dec 10 18:06:31 lin1 sshd[21300]: Failed password for invalid user admin from 178.20.226.48 port 59457 ssh2
Dec 10 18:06:32 lin1 sshd[21300]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth]
Dec 10 18:06:33 lin1 sshd[21303]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:33 lin1 sshd[21303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48  user=root
Dec 10 18:06:35 lin1 sshd[21303]: Failed password for root from 178.20.226.48 port 60028 ssh2
Dec 10 18:06:35 lin1 sshd[21303]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth]
Dec 10 18:06:36 lin1 sshd[21307]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:36 lin1 sshd[21307]: Invalid user guest from 178.20.226.48
Dec 10 18:06:36 lin1 sshd[21307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48

These are pcap results, sent automatically, etc. We are looking for some complete solutions like that.
 
Jan Springer Commented:
Have you checked into blackhole routing?

If you monitored flows and took that data, you should be able to script that to the blackhole on the router (and get data for an automated email).

I've read about FastNetMon but do not use it. The only question that came up regarding any type of automated packet suppression was "what if your customer IPs were being spoofed?".
 
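The two-tier logic the question asks for (alert above one per-IP threshold, block above a higher one, judged on whichever direction is busier), scripted over sflowtool's line output as Jan suggests. This is an added example, not code from the thread or from flow-tools/sflowtool; it assumes the documented `sflowtool -l` FLOW record layout, a constructed sample of such lines, a hypothetical local prefix, and placeholder byte thresholds. It only returns decisions; pushing a null route or sending the abuse mail stays in the operator's own script.

```python
from collections import defaultdict

# Constructed sample in the line format of `sflowtool -l` (one record per line).
# FLOW fields, 0-indexed: 9 = src IP, 10 = dst IP, 17 = sampled packet size,
# 19 = sampling rate.  The CNTR line is an interface-counter record and is skipped.
SAMPLE = """\
FLOW,10.0.0.1,1,2,00:00:00:00:00:01,00:00:00:00:00:02,0x0800,0,0,198.51.100.9,203.0.113.5,17,0x00,64,53,40000,0x00,1500,1480,2048
FLOW,10.0.0.1,1,2,00:00:00:00:00:01,00:00:00:00:00:02,0x0800,0,0,198.51.100.9,203.0.113.5,17,0x00,64,53,40000,0x00,1500,1480,2048
FLOW,10.0.0.1,1,2,00:00:00:00:00:01,00:00:00:00:00:02,0x0800,0,0,198.51.100.7,203.0.113.5,17,0x00,64,53,40000,0x00,1500,1480,2048
FLOW,10.0.0.1,2,1,00:00:00:00:00:02,00:00:00:00:00:01,0x0800,0,0,203.0.113.8,198.51.100.20,6,0x00,64,51234,443,0x10,64,52,2048
FLOW,10.0.0.1,2,1,00:00:00:00:00:02,00:00:00:00:00:01,0x0800,0,0,203.0.113.9,198.51.100.21,6,0x00,64,51235,80,0x18,1500,1480,2048
CNTR,10.0.0.1,2,6,1000000000,1,3,123456,1000,0,0,0,0,0,0,0,0,0,0,0
"""

LOCAL_PREFIX = "203.0.113."      # hypothetical: the customer address space we protect
ALERT_BYTES = 2_000_000          # placeholder thresholds per IP, per collection window
BLOCK_BYTES = 8_000_000


def parse_flow_line(line):
    """Return (src, dst, estimated_bytes) for a FLOW record, else None."""
    f = line.strip().split(",")
    if len(f) < 20 or f[0] != "FLOW":
        return None
    # Each sampled packet stands for `sampling_rate` packets on the wire.
    return f[9], f[10], int(f[17]) * int(f[19])


def aggregate(lines, is_local):
    """Estimated bytes per local IP, inbound and outbound, for one window.
    In production feed it the lines of one time window (e.g. every 10 s)."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None:
            continue
        src, dst, nbytes = rec
        if is_local(dst):
            totals[dst]["in"] += nbytes
        if is_local(src):
            totals[src]["out"] += nbytes
    return totals


def classify(totals, alert_bytes=ALERT_BYTES, block_bytes=BLOCK_BYTES):
    """Map each over-threshold IP to ('alert'|'block', busiest direction, bytes)."""
    decisions = {}
    for ip, t in totals.items():
        direction, volume = max(t.items(), key=lambda kv: kv[1])
        if volume >= block_bytes:
            decisions[ip] = ("block", direction, volume)
        elif volume >= alert_bytes:
            decisions[ip] = ("alert", direction, volume)
    return decisions


def run_example():
    totals = aggregate(SAMPLE.splitlines(), lambda ip: ip.startswith(LOCAL_PREFIX))
    return classify(totals)
```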
FireBallIT Author Commented:
That is our customer's IP address mentioned in the email. We want to log the attack time like that and send a copy to the customer and another copy to the owner ISP of the email address. Actually we do half of it, but we could not capture packets like this. Instead of developing this, we are looking for a ready-to-use tool

which maybe has other capabilities like network discovery, statistics, logs, SNMP, IP traffic monitor, logging history, router automation, etc.
 
FireBallIT Author Commented:
Thank you