Solved

DDOS detector - sflow question

Posted on 2014-12-10
5
144 Views
Last Modified: 2015-04-07
1. Our network has some rules which block  spoof traffic to the outside but we can not block flood traffics with real ip addresses .
2. Some type of DDOS traffics could not be blocked from our firewalls which is in front of the our router.

we want to follow sflow and if an ip on both ways (inbound and outbound ) has too much traffic then we want to be informed immediately and if an ip has more then too much traffic :) then we want to let it block directly automatically

is there any software like this
0
Comment
Question by:Cahit Eyigunlu
  • 3
  • 2
5 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40491821
flow-tools with sflowtool is what i use for sflow traffic.  you can install ntop for a graphical display of utilization.
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40491969
we do not like ntop we have build our perl scripts with flow tools but we could not improve it enough it just mail other isps log attacks and do some operations like creating rules on routers for blocking the flooders etc.

but some isps sending mails like that

Dear Sir/Madam,

We have detected abuse from the IP address 178.20.226.48, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0100 (CET)


Lines from /var/log/auth.log
Dec 10 18:06:29 lin1 sshd[21300]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:29 lin1 sshd[21300]: Invalid user admin from 178.20.226.48 Dec 10 18:06:29 lin1 sshd[21300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48 Dec 10 18:06:31 lin1 sshd[21300]: Failed password for invalid user admin from 178.20.226.48 port 59457 ssh2 Dec 10 18:06:32 lin1 sshd[21300]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth] Dec 10 18:06:33 lin1 sshd[21303]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:33 lin1 sshd[21303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48  user=root Dec 10 18:06:35 lin1 sshd[21303]: Failed password for root from 178.20.226.48 port 60028 ssh2 Dec 10 18:06:35 lin1 sshd[21303]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth] Dec 10 18:06:36 lin1 sshd[21307]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:36 lin1 sshd[21307]: Invalid user guest from 178.20.226.48 Dec 10 18:06:36 lin1 sshd[21307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48 

Open in new window



this are pcap results and sending automatically ...etc. we are looking some complete solutions like that
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 40491994
Have you checked into blackhole routing?

If you monitored flows and took that data, you should be able to script that to the blackhole on the router (and get data for an automated email).

I've read about FastNetMon but do not use it.  The only question that came up regarding any type of automated packet suppression was "what is your customer IPs were being spoofed?".
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40491997
that is our customer's ip address mentioned in the email , we want to log in attack time as that and send a copy to customer an other copy to owner isp of the email address actually we do half of it but we could not capture packets as this instead of developing this we are looking for ready to use tool

which has maybe other capabilities like network discovery , statics , logs, snmp , ip traffic monitor , logging history , router automation ...etc
0
 

Author Closing Comment

by:Cahit Eyigunlu
ID: 40710813
Thank you
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Let’s list some of the technologies that enable smooth teleworking. 
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now