Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
NetFlow Or sFlow For Fastest DDoS Detection?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RetiredUser
50%
50%
RetiredUser,
 User Rank: Ninja
1/28/2016 | 10:27:54 AM
Re: SLAC List of Network (both LAN and WAN) Monitoring Tools
I think the value of that list as a general reference is more historical and evolutionary in nature.  For what folks prefer, SANS Institute papers and any one of the reputable security news websites (DR comes to mind) will have a breakdown of what is currently in popular use (or not popular, but recommended by respected InfoSec engineers).
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/27/2016 | 10:37:40 AM
Re: SLAC List of Network (both LAN and WAN) Monitoring Tools
"... you search Stanford(dot)edu for "Monitoring Tools" you'll quickly find it." I like open source option. I just checked it there are two many of them. Is there not any outstanding people use most often than others?
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/27/2016 | 10:31:51 AM
Re: NetFlow vs SFlow
"Sonicwall NSA does not support sFlow or even "netflow". It supports IPFIX, which is the IETF Standard"

Ok. This answers my previous question. Makes sense.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/27/2016 | 10:30:29 AM
Re: Neither of the two for enterprices
"To me an inline DDOS solution that can inspect each and every packet up to the max. bandwidth of the environment is a much better solution. .."

That makes sense, what comes to my mind how this would impact the overall network performance.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/27/2016 | 10:27:36 AM
Re: NetFlow vs SFlow
"My experience with either NetFlow or SFlow has been extremely poor with all the Sonicwall NSA series firewalls. .." Is this about Sonicwall I wonder?
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
1/27/2016 | 10:25:19 AM
DDoS Detection?
Thanks, nice article, enjoyed reading it. It is sad that all we can talk about detection.
RetiredUser
50%
50%
RetiredUser,
 User Rank: Ninja
1/26/2016 | 11:21:50 PM
SLAC List of Network (both LAN and WAN) Monitoring Tools
I've only ever used Free and Open Source (FOSS) NMTs, and NetFlow and sFlow were never in my list of apps to review.  However, there are a large number of them out there and I highly encourage people seriously researching what is best for them to take a trip to the SLAC (Stanford Linear Accelerator Center) list of Network (both LAN and WAN) Monitoring Tools.  I've referenced this page for years and there is a nicely organized format ordered by year from 1996 to 2015 (as of my last visit) of over a hundred app, most with live links to the project pages.  I can't add the URL here, but if you search Stanford(dot)edu for "Monitoring Tools" you'll quickly find it.

Now, toward the question, I don't have to have used either to have an opinion; just based on experience with many of the soft solutions out there, I knew I wanted something more.  If you are attacking any major network analysis project, in-line monitoring is the only way to go.  Google it for plenty of good information on in-line bandwidth meters and network interface chips.  I've seen maker projects that built inexpensive in-line setups that would serve the purpose functionally, if not attractively!  Remember, full-duplex is ubiquitous...  Spend wisely and your network tap could become your best friend.    
MikeK103
50%
50%
MikeK103,
 User Rank: Apprentice
1/26/2016 | 8:30:15 PM
Re: NetFlow vs SFlow
Sonicwall NSA does not support sFlow or even "netflow". It supports IPFIX, which is the IETF Standard. It is fully compliant with the IPFIX standard. V9 is the precursor to the standard and has been the "de facto standard", but is missing some features like enterprise elements and variable length strings. Initially the exports did not have a proper active timeout, but this has since been remedied in more recent releases. This is NOT a limitation from sonicwall. This is a limitation of the collector you are using. Plixer's Scrutinizer fully supports all Sonicwall IPFIX exports and provides accurate bandwidth and L7 DPI reporting. Any collector that supports their enterprise elements should be accurate. As far as I know, Plixer is the only one with full support... This is the case with many IPFIX exports from other vendors as well. Full disclosure, I work for Plixer. If you have any questions, call Plixer and ask for me "mike k" and I'd be happy to go over it.
MikeK103
50%
50%
MikeK103,
 User Rank: Apprentice
1/26/2016 | 8:30:06 PM
Re: NetFlow vs SFlow
Sonicwall NSA does not support sFlow or even "netflow". It supports IPFIX, which is the IETF Standard. It is fully compliant with the IPFIX standard. V9 is the precursor to the standard and has been the "de facto standard", but is missing some features like enterprise elements and variable length strings. Initially the exports did not have a proper active timeout, but this has since been remedied in more recent releases. This is NOT a limitation from sonicwall. This is a limitation of the collector you are using. Plixer's Scrutinizer fully supports all Sonicwall IPFIX exports and provides accurate bandwidth and L7 DPI reporting. Any collector that supports their enterprise elements should be accurate. As far as I know, Plixer is the only one with full support... This is the case with many IPFIX exports from other vendors as well. Full disclosure, I work for Plixer. If you have any questions, call Plixer and ask for me "mike k" and I'd be happy to go over it.
mduijm
50%
50%
mduijm,
 User Rank: Apprentice
1/26/2016 | 1:26:29 PM
Neither of the two for enterprices
My experience with DDOS attacks so far is that the detection of SFLOW or NetFlow + the time to redirect the traffic to a cloud based solution is way too long for the environment to sustain, making the DDOS effective immediatly.


To me an inline DDOS solution that can inspect each and every packet up to the max. bandwidth of the environment is a much better solution. This is fast (< 5 sec. detection and blocking). When the attack becomes bigger then you can think of redirection of traffic into the cloud for mitigation over there. Some DDOS cloud providers now offer API's for on-premise DDOS boxes to send them an alert. Then they can start the redirection of traffic towards the cloud.

My believe this is the way forward for Enterprises and smaller ISP's to move forward. For bigger ISP's and Carriers I guess the above story is true.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation &quot;.roa&quot; files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the &quot;Forget password&quot; feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.