Is there any way to monitor DoS attacks with SNMP or any other software which based on Linux and could monitor router / switches and alert when a DoS attack is observed?
2 Answers
1
There most certainly is, though it depends on the nature of the DoS and the instrumentation exposed by SNMP.
- Packets-per-second is a good metric to grab if the device supports it, since many DoS attacks show up as lots of packets attempting to saturate the link's ability to track that many items.
- Interface throughput likewise, since another way to DoS is to throw more traffic than the link can handle.
- CPU is another great one, since device-specific DoS attacks can manifest as the router/firewall/switch CPU running out and causing bad things to happen.
Be sure to set an above-normal alert threshold in your monitoring package, and you should catch those.
sysadmin1138
- 134,165
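Thresholding the counters this answer lists, as an added example that is not part of the original answer: the script turns successive samples of the 64-bit ifHCInUcastPkts and ifHCInOctets counters (as a poller would retrieve them over SNMP) into per-second rates, handles counter wrap, and flags any interval where packets-per-second, throughput or CPU exceeds an above-normal threshold. The polling loop, the CPU value (vendor-specific OID) and the sample numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass

COUNTER64_WRAP = 2 ** 64  # ifHC* counters are Counter64 and wrap at 2^64

@dataclass
class Sample:
    ts: float       # poll time in seconds
    in_pkts: int    # ifHCInUcastPkts (1.3.6.1.2.1.31.1.1.1.7) value
    in_octets: int  # ifHCInOctets   (1.3.6.1.2.1.31.1.1.1.6) value
    cpu_pct: int    # device CPU %, from a vendor-specific OID (assumed)

def counter_delta(prev: int, curr: int, wrap: int = COUNTER64_WRAP) -> int:
    """Difference between two monotonic SNMP counter reads, tolerating one wrap."""
    return curr - prev if curr >= prev else curr + wrap - prev

def rates(prev: Sample, curr: Sample) -> dict:
    """Per-second rates for the interval between two polls."""
    dt = curr.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    return {
        "pps": counter_delta(prev.in_pkts, curr.in_pkts) / dt,
        "bps": counter_delta(prev.in_octets, curr.in_octets) * 8 / dt,
        "cpu_pct": curr.cpu_pct,
    }

def check_thresholds(r: dict, thresholds: dict) -> list:
    """Names of the metrics whose value exceeds its above-normal threshold."""
    return [m for m, limit in thresholds.items() if r[m] > limit]

# Constructed samples (60 s polls): a normal interval, then a flood of small
# packets that barely moves throughput but drives pps and CPU up.
SAMPLES = [
    Sample(0,   1_000_000,   600_000_000, 20),
    Sample(60,  1_120_000,   672_000_000, 22),   # ~2 kpps, ~9.6 Mbit/s
    Sample(120, 7_120_000, 1_032_000_000, 85),   # ~100 kpps at 60 B/pkt, ~48 Mbit/s
]
# Thresholds set above the observed baseline, as the answer recommends.
THRESHOLDS = {"pps": 20_000, "bps": 50_000_000, "cpu_pct": 70}

def evaluate(samples=SAMPLES, thresholds=THRESHOLDS) -> list:
    """(poll time, breached metrics) for every interval between polls."""
    return [(c.ts, check_thresholds(rates(p, c), thresholds))
            for p, c in zip(samples, samples[1:])]

if __name__ == "__main__":
    for ts, breached in evaluate():
        print(ts, "ALERT" if breached else "ok", breached)
```

The second interval breaches the pps and CPU thresholds while staying under the throughput one, which is why the answer suggests collecting packets-per-second and CPU alongside interface bandwidth.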
0
SNMP is only a tool to retrieve information, counters, from a device.
Using only SNMP, you'll only be able to get traffic flowing through the interfaces, and basic information such as CPU and RAM usage.
Netflow, on the other hand, is a protocol designed to report flow patterns, and is very useful to detect DoS attacks.
You can combine the two and use a Netflow MIB that will report the top-talkers, and allow you to monitor the ongoing DoS.
petrus
- 5,327