Re: RTBH and Flowspec Measurements - Stop guessing when the attack will over

[Douglas Fischer <fischerdouglas () gmail com>]

OK, but do you know any company the sells de Flowspec as a service, in the
way that the Attack Identifications are not made by their equipment, just
receiving de BGP-FlowSpec and applying that rules on that equipments... And
even then give back to the customer some way to access those statistics?

I just know one or two that do that, and(sadly) they do it on fancy web
reports or PDFs.
Without any chance of using that as structured data do feedback the
anomaly detection tools to determine if already it is the time to remove
that Flowsperc rule.

What I'm looking for is something like:
A) XML/JSON/CSV files streamed to my equipment from the Flowspec Upstream
Equipments saying "Heepend that, that, and that." Almost in real time.
B) NetFlow/IPFIX/SFlow streamed to my equipment from the Upstream
Equipment, restricted to the DST-Address that matches to the IP blocks that
were involved to the Flowspec or RTBH that I Annouced to then.
C) Any other idea that does the job of gives me the visibility of what is
happening with FlowSpec-rules, or RTBH on theyr network.



Em seg., 1 de fev. de 2021 às 22:07, Dobbins, Roland <
Roland.Dobbins () netscout com> escreveu:

> On Feb 2, 2021, at 00:34, Douglas Fischer <fischerdouglas () gmail com>
> wrote:
>
>
> Or even know if already there is a solution to that and I'm trying to
> invent the wheel.
>
>
> Many flow telemetry export implementations on routers/layer3 switches
> report both passed & dropped traffic on a continuous basis for DDoS
> detection/classification/traceback.
>
> It's also possible to combine the detection/classification/traceback &
> flowspec trigger functions.
>
> [Full disclosure: I work for a vendor of such systems.]
>
> --------------------------------------------
>
> Roland Dobbins <roland.dobbins () netscout com>


-- 
Douglas Fernando Fischer
Engº de Controle e Automação