Re: PoC for shortlisted DDoS Vendors

[Pavel Odintsov <pavel.odintsov () gmail com>]

Hello!

Yes, my toolkit can detect only volumetric attacks now. But I have finished
performance tests for http protocol parser which could work on wire speed
too. And I'm sure I will add support for http attack detection soon.

Btw, syn flood attack detection could be implemented in few hours in
current code base. If anyone interested in it I will do it shortly.

In my day to day work we got fewbattacks everyday.

They divided 50/50 for dns/ssdp/snmp amplification and syn flood on http
servers.

Other attacks is not dangerous for our network and backbone and mitifated
manually in each case.


On Thursday, April 2, 2015, Mohamed Kamal <mkamal () noor net> wrote:

>  Hello Pavel,
>
> I'm certainly biased to the open-source tools if they do the job required,
> and I appreciate your effort exerted on this project. However, based upon
> what I saw under the "features" list of your tool, I assume that it can
> detect only volumetric DDoS attacks based upon anomalies such as excessive
> number of packets/bits/connections/flows per second based upon some
> previously learnt or set threshold values.
>
> But what about the protocol types of attack, which, in my humble opinion
> is becoming more aggressive day after day?
>
> Mohamed Kamal
> Core Network Sr. Engineer
>
> On 4/2/2015 5:03 PM, Pavel Odintsov wrote:
>
> Hello!
>
>  What about open source alternatives? Main part of commercial ddos
> filters are simple high performace firewalls with detection logic (which
> much times more stupid than well trained network engineer).
>
>  But attacks for ISP is not arrived so iften and detection part coukd be
> executed manually (or with oss tools like netflow analyzers or my own
> FastNetMon toolkit).
>
>  For wire speed filtration on 10ge (and even more if you have modern cpu;
> up to 40ge) you could use netmap-ipfw with linux or freebsd with simple
> patches (for enabling multy process mode).
>
> On Thursday, April 2, 2015, dennis () justipit com
> <javascript:_e(%7B%7D,'cvml','dennis () justipit com');> <dennis () justipit com
> <javascript:_e(%7B%7D,'cvml','dennis () justipit com');>> wrote:
>
> > You should include Radware on that list .
> >
> > ----- Reply message -----
> > From: "Mohamed Kamal" <mkamal () noor net>
> > To: "NANOG" <nanog () nanog org>
> > Subject: PoC for shortlisted DDoS Vendors
> > Date: Wed, Apr 1, 2015 9:51 AM
> >
> > In our effort to pick up a reasonably priced DDoS appliance with a
> > competitive features, we're in a process of doing a PoC for the
> > following shortlisted vendors:
> >
> > 1- RioRey
> > 2- NSFocus
> > 3- Arbor
> > 4- A10
> >
> > The setup will be inline. So it would be great if anyone have done this
> > before and can help provide the appropriate tools, advices, or the
> > testing documents for efficient PoC.
> >
> > Thanks.
> >
> > --
> > Mohamed Kamal
> > Core Network Sr. Engineer
>
>
>
> --
> Sincerely yours, Pavel Odintsov

-- 
Sincerely yours, Pavel Odintsov