IDS/DDOS prevention hardware that doesn't cost $80,000+?

I'm wondering if there is such an animal out there? All of the ones I have seen are made for the multi-gigabit service provider; there aren't any for the smaller mid-rangers out there. Can anyone suggest anything that we can put in place? The attacks we're seeing are just a huge influx of PPS, not so much the amount of bandwidth.

Offlist to keep chatter low is fine with me.

Sorry to be a bother,

-D

Any firewall/router that supports rate-limiting should suffice for most DDoS mitigation tactics. A program called snort (layer 7 content filtering) should take care of most of your IDS needs as well.

"Drew Weaver" drew.weaver@thenap.com
Sent by: owner-nanog@merit.edu
05/25/2005 10:45 AM
To: nanog@merit.edu
cc:
Subject: IDS/DDOS prevention hardware that doesn't cost $80,000+?


I presume you're already graphing/collecting the pps data on your interfaces?

You may want to figure out what your normal p95 pps rate is, then configure some SNMP system to watch the ifc counters. You could use something like this:

http://sysmon.org/config.html#snmpTestRate

You of course need to have some underlying SNMP data collection going on, but for watching for traffic bursts or other types of things (pps or not), there are some free/like-free tools out there.

Maybe you have some programmers at your place that can spend a few hours writing some system that would watch NetFlow data; the spec is public here:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm

You need to know how to interpret the data, which is why it may be worthwhile to just pay someone for a system that has already done it (the analysis) for you.

  - Jared

Cisco routers and switches export network accounting information. You can write software that reads these flows and reports to you who the Top Talker/DDoS is, or you can get an open-source one (flow-tools, ntop, ...), or you can buy one (Arbor, Lancope, Crannog, ...).
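As an added example (not code from the thread or from any product mentioned in it), the following Python sketches the two approaches suggested above: a p95 pps baseline from polled interface counters with burst alerts, and a top-talker tally from NetFlow-style flow records ranked by packets rather than bytes. The poll values, flow records, thresholds and function names are constructed assumptions, not anything from the list posts.

```python
"""Added example, not code from the thread: a p95 pps baseline from SNMP
interface-counter polls, plus a top-talker tally from NetFlow-style records
ranked by packets rather than bytes. All sample data below is constructed."""
from collections import Counter

COUNTER_MAX = 2 ** 64  # ifHCInUcastPkts is a 64-bit counter


def pps_series(polls):
    """(epoch_seconds, packet_counter) polls -> per-interval pps, wrap-safe."""
    return [((c1 - c0) % COUNTER_MAX) / (t1 - t0)
            for (t0, c0), (t1, c1) in zip(polls, polls[1:])]


def p95(values):
    """Nearest-rank 95th percentile: the 'normal' level to baseline on."""
    s = sorted(values)
    rank = -(-95 * len(s) // 100)  # ceil(0.95 * n) in integer arithmetic
    return s[rank - 1]


def burst_alerts(rates, baseline, factor=3.0):
    """Indices of poll intervals whose pps exceeds factor x the baseline."""
    return [i for i, r in enumerate(rates) if r > factor * baseline]


def top_talkers(flows, n=3, key="packets"):
    """Rank destinations by 'packets' or 'bytes'. A flood of minimum-size
    frames barely registers in bytes but dominates the packet count."""
    tally = Counter()
    for flow in flows:
        tally[flow["dst"]] += flow[key]
    return tally.most_common(n)


# Constructed 60 s polls: 19 quiet intervals at 18-22 kpps, then a 600 kpps flood.
RATES = [18_000 + (i * 7) % 5 * 1_000 for i in range(19)] + [600_000]
POLLS, total = [(0, 0)], 0
for i, rate in enumerate(RATES):
    total += rate * 60
    POLLS.append(((i + 1) * 60, total))

# Constructed flow records: a small-packet flood at .10, a bulk transfer at .20.
FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "packets": 900_000, "bytes": 57_600_000},
    {"src": "198.51.100.8", "dst": "192.0.2.10", "packets": 850_000, "bytes": 54_400_000},
    {"src": "203.0.113.5", "dst": "192.0.2.20", "packets": 100_000, "bytes": 150_000_000},
    {"src": "203.0.113.9", "dst": "192.0.2.30", "packets": 5_000, "bytes": 7_000_000},
]
```

Ranking FLOWS by bytes puts the bulk transfer to 192.0.2.20 first, while ranking by packets puts the flood target 192.0.2.10 first, which is the pps-versus-bandwidth distinction the original poster describes.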

I'm not sure if I should keep quiet or ... what the heck.

FWIW, we're finalising prototypes of a system that may meet your needs.
It consists of a central control unit and one or more intelligent filter
units you place strategically in your network (you typically want
to filter as close as possible to your ingress points). The general
functionality is that when you detect (by whatever means you choose,
we don't do any intrusion/"cold" detection) an attack on one or more
targets inside your network, you redirect traffic to the filter(s) (this
is done using BGP updates from the control unit, but let's not go into
more details right now), which then deploy a unique and highly innovative
method (patent pending) for identifying and filtering out the attack
traffic, while letting bona fide traffic through unhindered. An upcoming
revision will support explicit ACLs (i.e., black- and white-listing of
traffic sources) for you to upload if you have tools that generate those,
as well as various traffic control functions. There will also be
strong profiling and offline analysis support, and hopefully some nifty
graphical tools.

The basic filter unit has a capacity of about 1 million pps, and comes as
standard with a gigabit ethernet interface (1 Mpps translates roughly to a
fully loaded Gbit ethernet at minimum frame size). Beware of people that
quote capacity in bps rather than pps; dumb bits beyond the packet header
don't cost anything to transport, so you can quote enormous capacities
if you envisage an attack with large packets. But you probably knew that
already. Physically it's a rackmount 1U box with some very noisy fans
(machine room placement only). USD pricing is TBD but will be very
interesting.

Let me know if you're interested, and I'll get in touch when we're
closer to real production, which isn't far away (a couple of months).

Best,

  -- Per

(snip)...which then deploy a unique and highly innovative
method (patent pending) for identifying and filtering out the attack
traffic, while letting bona fide traffic through unhindered. ...(snip)

Well, that is the important part. There are plenty of off-the-shelf tools that allow someone to gather and analyze pertinent network data; the most important, and consequently most difficult, part is differentiating the good from the bad. I'm not aware of any free/open/cheap tools that go beyond the basic "your <insert metric> has exceeded the baseline" alert.

aaron.glenn