
jof at thejof
Apr 3, 2012, 12:34 AM
Post #5 of 7
Re: Best way to detect abnormal traffic without enabling security?
On Tue, Apr 3, 2012 at 12:20 AM, Yucong Sun (叶雨飞) <sunyucong [at] gmail> wrote:
> But jflow is not going to work in packet mode, right?

Netflow-like reporting is probably the right way to detect these types of anomalies in a scalable manner. However, I can't speak to the performance of it on J-series. I'm guessing that since the state is probably handled in-memory and with a CPU on that platform (J-series), that exporting flows will just become another DOS vector.

If you're looking to try and narrow down where the bulk of your traffic is going in a more stateless manner, consider looking at "monitor interface traffic" and looking for abnormally high numbers, or set up a firewall filter that counts term hits. Then, monitor the counters for the filter and see which terms are getting hit the most.

Alternatively, tap all of your traffic (if it's a J-series, I can't imagine it's more than 1 - 2 Gbps) and analyze it on another PC. If you have some upstream or downstream managed switches, this could be possible. Using tshark on the command line, I would run something like "tshark -ni eth0 -z ip_hosts,tree" to get a breakdown from a live capture as to which IPs are talking the most.

Cheers,
jof

_______________________________________________
juniper-nsp mailing list
juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp
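The per-IP breakdown that `tshark -z ip_hosts,tree` produces can also be computed offline from a field export (`tshark -T fields -e ip.src -e ip.dst -e frame.len`, tab-separated), which makes it easy to add the "abnormally high" check the post suggests. The script below is an added example written for this page, not code from jof or from the tshark project; the sample export lines are constructed, and the byte-share threshold is an assumed starting point rather than a recommended value.

```python
"""
Stateless top-talker breakdown over a tshark field export.

Reproduces the per-IP packet/byte counts of `tshark -z ip_hosts,tree`
and flags hosts whose share of all bytes seen exceeds a threshold, which
is the "abnormally high numbers" check the post describes.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of `tshark -T fields -e ip.src -e ip.dst -e frame.len`
# output (tab-separated). Not from a real capture. The line with empty
# src/dst fields mimics a non-IP frame and must be skipped by the parser.
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.5\t192.0.2.10\t1500
10.0.0.5\t192.0.2.10\t1500
10.0.0.5\t192.0.2.10\t1500
10.0.0.5\t192.0.2.10\t1500
10.0.0.7\t198.51.100.20\t60
198.51.100.20\t10.0.0.7\t120
\t\t42
10.0.0.9\t192.0.2.30\t200
"""


@dataclass
class HostStats:
    packets: int = 0
    bytes: int = 0


def parse_tshark_fields(text):
    """Parse tab-separated (ip.src, ip.dst, frame.len) lines.

    Lines with a missing address (non-IP frames) or a malformed length are
    dropped rather than aborting the whole analysis.
    """
    packets = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            continue
        try:
            size = int(fields[2])
        except ValueError:
            continue
        packets.append((fields[0], fields[1], size))
    return packets


def ip_hosts_tree(packets):
    """Aggregate packets and bytes per IP address in both directions,
    the same view `-z ip_hosts,tree` gives: an address is credited once
    for every packet in which it appears as source or destination."""
    stats = defaultdict(HostStats)
    for src, dst, size in packets:
        for ip in (src, dst):
            stats[ip].packets += 1
            stats[ip].bytes += size
    return dict(stats)


def total_bytes(packets):
    return sum(size for _, _, size in packets)


def top_talkers(packets, n=5):
    """Return the n busiest (ip, HostStats) pairs by byte count."""
    stats = ip_hosts_tree(packets)
    return sorted(stats.items(), key=lambda kv: kv[1].bytes, reverse=True)[:n]


def abnormal_hosts(packets, share_threshold=0.5):
    """Return IPs whose byte share exceeds share_threshold of all bytes.

    share_threshold is an assumed default for illustration; tune it against
    a known-good baseline for the link being watched.
    """
    total = total_bytes(packets)
    if total == 0:
        return []
    stats = ip_hosts_tree(packets)
    return sorted(ip for ip, s in stats.items() if s.bytes / total > share_threshold)


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for ip, s in top_talkers(pkts):
        print(f"{ip:16} packets={s.packets:5} bytes={s.bytes:8}")
    print("abnormal:", abnormal_hosts(pkts))
```

Feeding a real export into `parse_tshark_fields` (read the file instead of the constructed string) gives the same ranked list the live `-z ip_hosts,tree` tree shows, with the threshold check as a first pass before deciding whether a firewall filter with counting terms is worth adding on the router itself.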