On Tue, May 9, 2017 at 9:40 PM, Brian Kantor <Brian(a)ucsd.edu> wrote:
> What this does is give you a list of addresses that sent you more than
> 1000 packets in the sample period.
> ...
> # sample incoming traffic, 100,000,000 incoming packets
> # during DDoS storm on a /8, this takes about 3 minutes
> time tcpdump -w /tmp/t.pcap -s 40 -c 100000000
If I'm reading this right, the "unacceptable" level of usage of amprgw
is 5pps (1000 packets / 180 seconds), or a maximum of about 8 KB/s
assuming 1480 bytes/packet. This seems extremely low. I bet two
simultaneous Allstar link (VoIP) conversations could get your address
blocked.
> Just now, it took 287 seconds to gather 100 million packets, comprising
Worse, in periods of lower traffic, it will take longer to collect
100000000 packets, so the allowed pps goes down. If 1000 packets per
287 seconds is the new threshold, hosts sending 3.5pps (max 5 KB/s)
through amprgw will be blocked. This is a fatal flaw in the system
because it can cause runaway--the more hosts blocked, the longer it
will take to collect 100 million packets, continually decreasing the
allowed pps.
Surely there will be some false positives with this threshold.
Tom KD7LXL
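The feedback loop Tom describes can be checked with a small model. The code below is an added example, not a script from amprgw or from either poster; the only figures taken from the thread are the 100,000,000-packet sample and the 1000-packets-per-sample block rule, and the per-host traffic rates are constructed. Because the sample ends after a fixed packet count rather than a fixed time, the per-host threshold is simply 1000 / (100,000,000 / aggregate pps): every host blocked lowers the aggregate, lengthens the next sample and lowers the threshold again. The same mix is then run against a fixed 180-second window, where the threshold stays constant and the set of blocked hosts is stable after one pass.

```python
"""Model of the fixed-packet-count blocking rule discussed in the thread.

Added, constructed example; not code from amprgw or from either poster.
Host traffic rates below are made up to show the feedback loop.
"""

# Parameters taken from the quoted tcpdump command and block rule.
SAMPLE_PACKETS = 100_000_000   # tcpdump -c 100000000
BLOCK_PACKETS = 1000           # block hosts sending > 1000 packets per sample


def capture_seconds(aggregate_pps):
    """Seconds tcpdump needs to fill the sample at the given aggregate rate."""
    return SAMPLE_PACKETS / aggregate_pps


def threshold_pps(sample_seconds):
    """Per-host packets/second at which a host exceeds BLOCK_PACKETS in one sample."""
    return BLOCK_PACKETS / sample_seconds


def run_count_window(host_pps, max_rounds=20):
    """Iterate the count-based rule.

    Each round: the sample takes SAMPLE_PACKETS / (sum of active host rates)
    seconds, hosts exceeding 1000 packets in that time are blocked, and the next
    sample runs against only the hosts that remain. Returns one
    (threshold_pps, total_blocked_so_far) tuple per round; the loop stops when
    a round blocks nobody or when no unblocked host is left (the sample would
    never fill).
    """
    active = dict(host_pps)
    blocked = set()
    history = []
    for _ in range(max_rounds):
        if not active:
            break
        aggregate = sum(active.values())
        thr = threshold_pps(capture_seconds(aggregate))
        newly = {h for h, rate in active.items() if rate > thr}
        blocked |= newly
        history.append((thr, len(blocked)))
        if not newly:
            break
        for h in newly:
            del active[h]
    return history


def run_time_window(host_pps, window_seconds=180):
    """Same rule with a fixed-duration sample: the threshold does not move."""
    thr = threshold_pps(window_seconds)
    blocked = {h for h, rate in host_pps.items() if rate > thr}
    return thr, blocked


# Constructed traffic mix: five flood sources plus a handful of ordinary hosts.
HOSTS = {
    "flood-1": 100_000.0, "flood-2": 100_000.0, "flood-3": 100_000.0,
    "flood-4": 100_000.0, "flood-5": 100_000.0,
    "voip-a": 50.0,   # one direction of a VoIP call at 20 ms packetisation
    "voip-b": 10.0,
    "ssh": 3.0,
    "dns": 0.5,
    "ntp": 0.05,
}

if __name__ == "__main__":
    print("count-based sample (100M packets):")
    for n, (thr, total) in enumerate(run_count_window(HOSTS), 1):
        print(f"  round {n}: threshold {thr:.6f} pps, {total} hosts blocked")
    thr, blocked = run_time_window(HOSTS)
    print(f"time-based sample (180 s): threshold {thr:.2f} pps, "
          f"{len(blocked)} hosts blocked: {sorted(blocked)}")
```

With this mix the first count-based round takes about 200 seconds and blocks the five flood sources and the two VoIP hosts at a threshold of about 5 pps; the second round then sees only 3.55 pps of aggregate traffic, so the threshold collapses to a few hundred-thousandths of a packet per second and the remaining ssh, dns and ntp hosts are blocked too. The fixed 180-second window blocks the same seven hosts in round one and leaves the three low-rate hosts alone on every subsequent pass.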