Mailing List Archive: nsp: juniper

Best way to detect abnormal traffic without enabling security?



sunyucong at gmail

Mar 30, 2012, 9:50 PM

Post #1 of 7 (1035 views)
Best way to detect abnormal traffic without enabling security?

Hi,

I am currently using a pair of J2350 exporting about 200+ /32 BGP
routes to my peer, and I've been hit by DDOS several times. The hardest
part for me is to figure out which IP was getting the DDOS and
deactivate that route, which will de-announce that route to my peer.

However, I have no established method right now to figure out which IP
is getting DDOSed, so I am hoping somebody can pass along some
sampling or dump method to quickly identify the troublesome dst IP.

Thanks!
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


sunyucong at gmail

Apr 2, 2012, 2:32 PM

Post #2 of 7 (984 views)
Re: Best way to detect abnormal traffic without enabling security? [In reply to]

Bumping... Any help is appreciated!

On Fri, Mar 30, 2012 at 9:50 PM, Yucong Sun (叶雨飞) <sunyucong [at] gmail> wrote:


sunyucong at gmail

Apr 3, 2012, 12:20 AM

Post #3 of 7 (965 views)
Re: Best way to detect abnormal traffic without enabling security? [In reply to]

But jflow is not going to work in packet mode, right?

On Tue, Apr 3, 2012 at 12:15 AM, Per Granath <per.granath [at] gcc> wrote:
> Netflow/jflow should be useful to you.
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB12512
>
> Have a look at some free collectors that will analyze the output, or consider Juniper STRM if you are running firewalling on the box too.


per.granath at gcc

Apr 3, 2012, 12:28 AM

Post #4 of 7 (965 views)
Re: Best way to detect abnormal traffic without enabling security? [In reply to]

I do not see why it would not work in packet mode.
It works on the routing platforms (MX, etc) that do not support "flow mode".

> But jflow is not going to work in packet mode, right?
>
> On Tue, Apr 3, 2012 at 12:15 AM, Per Granath <per.granath [at] gcc>
> wrote:
> > Netflow/jflow should be useful to you.



jof at thejof

Apr 3, 2012, 12:34 AM

Post #5 of 7 (973 views)
Re: Best way to detect abnormal traffic without enabling security? [In reply to]

On Tue, Apr 3, 2012 at 12:20 AM, Yucong Sun (叶雨飞) <sunyucong [at] gmail> wrote:
> But jflow is not going to work in packet mode, right?

Netflow-like reporting is probably the right way to detect these types
of anomalies in a scalable manner. However, I can't speak to the
performance of it on J-series. I'm guessing that since the state is
probably handled in-memory and with a CPU on that platform (J-series),
that exporting flows will just become another DOS vector.

If you're looking to try and narrow down where the bulk of your
traffic is going in a more stateless manner, consider looking at
"monitor interface traffic" and looking for abnormally high numbers,
or set up a firewall filter that counts term hits. Then, monitor the
counters for the filter and see which terms are getting hit the most.


Alternatively, tap all of your traffic (if it's a J-series, I can't
imagine it's more than 1 - 2 Gbps) and analyze it on another PC. If
you have some upstream or downstream managed switches, this could be
possible.
Using tshark on the command line, I would run something like "tshark
-ni eth0 -z ip_hosts,tree" to get a breakdown from a live capture as
to which IPs are talking the most.

Cheers,
jof

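The per-term counting filter suggested above, worked through as an added example (not from the thread or from Juniper): it emits one counting term per announced /32 in Junos set syntax, then parses two snapshots of `show firewall` counter output taken a known interval apart and ranks destinations by packet rate, so the one absorbing the flood stands out. The filter name `ddos-count`, the 198.51.100.0/24 addresses and the counter snapshots are constructed; the filter still has to be applied as an input filter on the upstream-facing interface.

```python
import re
import ipaddress

# Constructed sample: two snapshots of "show firewall filter ddos-count"
# taken 10 seconds apart on a hypothetical J2350 (not real router output).
SNAPSHOT_T0 = """\
Filter: ddos-count
Counters:
Name                                                Bytes              Packets
dst-198-51-100-7                                   120000                  900
dst-198-51-100-8                                   110000                  850
dst-198-51-100-9                                    90000                  700
"""
SNAPSHOT_T1 = """\
Filter: ddos-count
Counters:
Name                                                Bytes              Packets
dst-198-51-100-7                                   130000                  980
dst-198-51-100-8                                 94110000               810850
dst-198-51-100-9                                   100000                  780
"""

def filter_config(prefixes, name="ddos-count"):
    """Junos set-style config: one term per /32 that counts and accepts,
    plus a catch-all accept so the filter never drops traffic."""
    lines = []
    for p in prefixes:
        ip = ipaddress.ip_address(p)            # validates the address
        term = "dst-" + str(ip).replace(".", "-")  # counter names: [A-Za-z0-9-]
        base = f"set firewall family inet filter {name} term {term}"
        lines.append(f"{base} from destination-address {ip}/32")
        lines.append(f"{base} then count {term}")
        lines.append(f"{base} then accept")
    lines.append(f"set firewall family inet filter {name} term default then accept")
    return lines

# One counter row: name, bytes, packets (columns are whitespace separated).
COUNTER_RE = re.compile(r"^(dst-\S+)\s+(\d+)\s+(\d+)\s*$", re.M)

def parse_counters(text):
    """Map counter name -> (bytes, packets) from 'show firewall' output."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in COUNTER_RE.finditer(text)}

def top_targets(before, after, interval_s, pps_threshold):
    """Rank destinations by packet rate between two snapshots; the flag
    marks rates above pps_threshold. Returns (ip, pps, bps, flagged)."""
    b, a = parse_counters(before), parse_counters(after)
    rows = []
    for term, (bytes_a, pkts_a) in a.items():
        bytes_b, pkts_b = b.get(term, (0, 0))   # new term: count from zero
        pps = (pkts_a - pkts_b) / interval_s
        bps = (bytes_a - bytes_b) * 8 / interval_s
        rows.append((term[4:].replace("-", "."), pps, bps, pps > pps_threshold))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Counters wrap and reset on commit, so compare snapshots taken close together and treat a negative delta as a reset rather than a quiet host.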


mark at amplex

Sep 8, 2012, 5:28 AM

Post #6 of 7 (771 views)
Re: Best way to detect abnormal traffic without enabling security? [In reply to]

My suggestion would be a managed Ethernet switch on whichever side of
the J2350 that you can put it with a SPAN port to dump traffic to
Wireshark. It should be fairly easy to spot the offending traffic.

Mark



--
Mark Radabaugh
Amplex

mark [at] amplex 419.837.5015



xmin0s at gmail

Sep 8, 2012, 9:53 AM

Post #7 of 7 (780 views)
Re: Best way to detect abnormal traffic without enabling security? [In reply to]

Additionally, Netflow/jflow sampling would provide a greater level of insight. Careful with the sampling rate, however, as you don't want to make the DDoS worse...

There are lots of free and paid products that will analyze jflow. Juniper sells a Q1 labs product they call STRM. It does a great job.

Hope this helps,
Tim Eberhard
