argus-clients informal survey

Carter Bullard carter at qosient.com
Thu Jun 21 20:33:21 EDT 2001 

Hey Russell, and Chris et.al.,
   Yes, we can do dynamic flow models, and you are absolutely
right, the trick is the trigger states, the watermarks
if you will, that turn on the various model changes.  My
thinking would be to do it on a per host basis, rather
than the whole modeler, as that seems to be a generality
of the actual attack strategy for DOS.  (I really get a kick
out of the fact that DOS is a really bad thing now.  I
always thought DOS was evil, even when it only ran on PC's ;o)

   I still have to think about some stuff before I put
in a few hooks for this, but I'll have something in 2.0.2.beta.3
that will help.

   If working on this issue is the #1 thing to do, then
I can pay some attention to it.  I do think however, that
I need to pay some serious attention to making argus easy
to use.  I really do need some help in this area.


Carter
 
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


   

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Russell Fulton
> Sent: Thursday, June 21, 2001 6:07 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: RE: argus-clients informal survey
> 
> 
> 
> On Thu, 21 Jun 2001 14:00:25 -0300 Chris Newton <newton at unb.ca> wrote:
> 
> > 190,000 flows in 30 seconds.  Basically, every packet sent by these 
> > two remote
> > goofs, became a flow to argus.  If this one 'issue' could 
> be resolved, I 
> > believe Argus could survive quite well on large links.
> 
> The way NeTraMet (to give it it's propper capitalization ;-) 
> deals with 
> this is to have an 'fall back rule set' and settable 'high water 
> mark'.  Once the number of flows passes the 'high water mark' 
> netramet 
> changes to the fallback ruleset.  For our campus accounting this 
> involves dumping the remote address completely so that we 
> have just one 
> flow per local address.  Now netramet is rather a different beast to 
> argus and I am not sure if this concept can be adapted but it 
> is worth 
> a though. 
> 
> [before you ask there is also a 'low water mark' that sets the point 
> where the meter flips back to the normal ruleset]
> 
> The question is what information could argus discard that 
> would reduce 
> the numbre of flows in these sorts of circumstances?  In your 
> particular attacks aggregation the destination address and 
> ports would 
> do the trick.
> 
> Carter is the flow aggregation working in the server now?  I know you 
> planned to do it.  If so the netramet model would work 
> without change, 
> when the meter gets stressed you swap to an alternative flow model.  
> What would be really neat would be able to say "For source IP 
> addresses 
> with over X active flows aggregate their destination peer and port 
> addresses.
> 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
>

More information about the argus mailing list