Solved

DDOS detector - sflow question

Posted on 2014-12-10
197 Views
Last Modified: 2015-04-07
1. Our network has some rules which block spoofed traffic to the outside, but we cannot block flood traffic with real IP addresses.
2. Some types of DDoS traffic cannot be blocked by our firewalls, which are in front of our router.

We want to follow sFlow, and if an IP in either direction (inbound or outbound) has too much traffic, we want to be informed immediately; and if an IP has much more than too much traffic :) we want it blocked directly and automatically.

Is there any software like this?
Question by:FireBall
5 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40491821
flow-tools with sflowtool is what I use for sFlow traffic. You can install ntop for a graphical display of utilization.
0
 

Author Comment

by:FireBall
ID: 40491969
We do not like ntop. We have built our own Perl scripts with flow-tools, but we could not improve them enough; they just mail other ISPs' attack logs and do some operations like creating rules on routers to block the flooders, etc.

But some ISPs send mails like this:

Dear Sir/Madam,

We have detected abuse from the IP address 178.20.226.48, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0100 (CET)


Lines from /var/log/auth.log
Dec 10 18:06:29 lin1 sshd[21300]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:29 lin1 sshd[21300]: Invalid user admin from 178.20.226.48
Dec 10 18:06:29 lin1 sshd[21300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48
Dec 10 18:06:31 lin1 sshd[21300]: Failed password for invalid user admin from 178.20.226.48 port 59457 ssh2
Dec 10 18:06:32 lin1 sshd[21300]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth]
Dec 10 18:06:33 lin1 sshd[21303]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:33 lin1 sshd[21303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48  user=root
Dec 10 18:06:35 lin1 sshd[21303]: Failed password for root from 178.20.226.48 port 60028 ssh2
Dec 10 18:06:35 lin1 sshd[21303]: Received disconnect from 178.20.226.48: 11: Bye Bye [preauth]
Dec 10 18:06:36 lin1 sshd[21307]: reverse mapping checking getaddrinfo for 178.20.226.48.salay.com.tr [178.20.226.48] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 18:06:36 lin1 sshd[21307]: Invalid user guest from 178.20.226.48
Dec 10 18:06:36 lin1 sshd[21307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.20.226.48




These are pcap results and are sent automatically, etc. We are looking for a complete solution like that.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 40491994
Have you checked into blackhole routing?

If you monitored flows and took that data, you should be able to script that to the blackhole on the router (and get data for an automated email).

I've read about FastNetMon but do not use it. The only question that came up regarding any type of automated packet suppression was "what if your customer IPs were being spoofed?".
0
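The pipeline the question asks for (per-IP byte totals from sFlow in both directions, an alert threshold, a higher auto-block threshold) and the mechanism the accepted answer suggests (script the flow data into a blackhole route on the router and into an automated mail), as one added worked example. This is not code from the thread or from flow-tools/sflowtool. Assumptions: each input record is a simplified "srcIP,dstIP,ipBytes,samplingRate" line (the constructed sample below; the field mapping to real sflowtool output must be adapted), the customer prefix 178.20.226.0/24 is taken from the IP in the abuse mail, the thresholds and the IOS-style Null0 route syntax are placeholders. The spoofing caveat from the answer is built in: only inbound floods get an automatic destination blackhole, which can affect nothing but the attacked address; an outbound flood is alerted on but not auto-blocked, because the source address is exactly what an attacker can spoof.

```python
"""Threshold detector over sFlow samples: alert on heavy talkers, blackhole floods.

Added example, not code from the thread. Assumed input: one record per sFlow
packet sample as "srcIP,dstIP,ipBytes,samplingRate" (constructed here; adapt the
field mapping to whatever sflowtool / flow-tools prints for you).
"""
import ipaddress
from collections import defaultdict

# Assumptions: the ISP's customer prefix and the per-direction thresholds.
OUR_PREFIXES = [ipaddress.ip_network("178.20.226.0/24")]
INTERVAL_SECONDS = 60
ALERT_MBPS = 100.0   # notify the NOC and the customer
BLOCK_MBPS = 300.0   # additionally install a destination blackhole


def is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def parse_record(line):
    """Return (src, dst, estimated_bytes) for one sample line.

    sFlow is packet-sampled: a sample taken at rate 1:N stands for roughly N
    packets, so the sampled size is scaled by N to estimate the real volume.
    """
    src, dst, ip_bytes, rate = line.strip().split(",")
    return src, dst, int(ip_bytes) * int(rate)


def aggregate(lines):
    """Per-address byte totals: inbound (dst is ours) and outbound (src is ours)."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, est = parse_record(line)
        if is_ours(dst):
            totals[dst]["in"] += est
        if is_ours(src):
            totals[src]["out"] += est
    return totals


def classify(totals, interval=INTERVAL_SECONDS,
             alert_mbps=ALERT_MBPS, block_mbps=BLOCK_MBPS):
    """Return (ip, direction, mbps, action) for every address over a threshold.

    Only inbound floods are auto-blocked: a destination-based blackhole affects
    nothing but the attacked address. An outbound flood is only alerted on,
    because acting automatically on a source address is the case the accepted
    answer warns about (the source may be spoofed).
    """
    findings = []
    for ip, dirs in totals.items():
        for direction, total in dirs.items():
            mbps = total * 8 / interval / 1e6
            if mbps < alert_mbps:
                continue
            action = "blackhole" if direction == "in" and mbps >= block_mbps else "alert"
            findings.append((ip, direction, round(mbps, 3), action))
    return sorted(findings)


def blackhole_commands(ip):
    """Router config that drops traffic to the victim. IOS-style static route to
    Null0 is an assumption; adapt to your platform or to a BGP RTBH trigger."""
    return [f"ip route {ip} 255.255.255.255 Null0 tag 666"]


def notification(ip, direction, mbps, action):
    """One line for the mail to the NOC, the customer and the peer ISP."""
    verb = "blackholed" if action == "blackhole" else "flagged"
    return (f"{ip} {verb}: {mbps} Mbit/s {direction}bound over the last "
            f"{INTERVAL_SECONDS}s (alert {ALERT_MBPS}, block {BLOCK_MBPS} Mbit/s)")


def constructed_samples():
    """Constructed 60-second window of 1:2048 samples (not real traffic)."""
    rows = []
    rows += ["203.0.113.7,178.20.226.48,1500,2048"] * 1000   # inbound flood
    rows += ["178.20.226.10,198.51.100.9,1500,2048"] * 300   # outbound heavy talker
    rows += ["198.51.100.5,178.20.226.5,1500,2048"] * 10     # normal inbound
    rows += ["8.8.8.8,1.1.1.1,64,2048"] * 50                 # transit, not ours
    return rows


def run(lines):
    findings = classify(aggregate(lines))
    for ip, direction, mbps, action in findings:
        print(notification(ip, direction, mbps, action))
        if action == "blackhole":
            for cmd in blackhole_commands(ip):
                print("  router>", cmd)
    return findings


if __name__ == "__main__":
    run(constructed_samples())
```

Run it once per collection interval over the records collected in that interval (sflowtool's line output piped through a small field-mapping step, or the flow-tools export the poster already has). On the constructed window it flags 178.20.226.10 at about 123 Mbit/s outbound (alert only) and blackholes 178.20.226.48 at about 410 Mbit/s inbound. In production you would add a minimum duration before acting and a timer that withdraws the Null0 route again.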
 

Author Comment

by:FireBall
ID: 40491997
That is our customer's IP address mentioned in the email. We want to log at attack time like that and send one copy to the customer and another copy to the ISP that owns the email address. Actually we do half of it, but we could not capture packets like this; instead of developing this ourselves we are looking for a ready-to-use tool

which maybe has other capabilities like network discovery, statistics, logs, SNMP, IP traffic monitoring, logging history, router automation, etc.
0
 

Author Closing Comment

by:FireBall
ID: 40710813
Thank you
0
