Argus and DDoS detection

Carter Bullard carter at
Thu Sep 22 19:52:30 EDT 2011

Hey Manaf,
Argus has been around for a number of years, and has been used for a lot of
DDoS and scanner detection work in the academic literature, and in various
university/corporation security systems.

We provide example programs in the argus-clients distribution, is
an automated scanner detector. It works off the premise that if a node attempts
to access a dark address (non-existing address) in your address space, more
than likely it is a scanner. You can tell what the thresholds should be
and it will provide a list of scanners that it thinks it saw in the flow records it reads.

It generally attempts to determine what is dark solely from the traffic that it sees,
so you can be clever and tell it what addresses are 'lit' by seeding it aggregated
flow data from prior days, etc.

The DDoS stuff is pretty straightforward, but several early cyber forensics books
and magazine articles describe using argus for DDoS detection. I am personally
interested in Degradation of Service, rather than Denial of Service, so I use argus
for that all the time. Check out the "Publications" section of the argus web site
and there are some specific links that talk just about DDoS detection.


On Sep 22, 2011, at 4:39 PM, manaf gharaibeh wrote:

> Hi,
> Has anyone used argus for DDoS and scanner detection?
> -Manaf
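
The dark-address premise described in the reply above, as an added example that is not part of the original message and is not code from the argus-clients distribution. The record layout (source, destination, packets returned by the destination), the function name find_scanners and all addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (source, destination, packets sent back by destination).
FLOWS = [
    ("198.51.100.7", "192.0.2.10", 0),   # sweep across unused addresses
    ("198.51.100.7", "192.0.2.11", 0),
    ("198.51.100.7", "192.0.2.12", 0),
    ("198.51.100.7", "192.0.2.13", 0),
    ("198.51.100.7", "192.0.2.20", 3),   # .20 answers, so it is lit
    ("203.0.113.5", "192.0.2.20", 10),   # ordinary client
    ("203.0.113.5", "192.0.2.30", 0),    # real hosts that were silent today
    ("203.0.113.5", "192.0.2.31", 0),
    ("203.0.113.5", "192.0.2.99", 0),    # one stray dark address
]


def find_scanners(flows, local_net, seeded_lit=(), threshold=3):
    """Return {source: dark address count} for sources at or above threshold."""
    net = ipaddress.ip_network(local_net)
    recs = [(ipaddress.ip_address(s), ipaddress.ip_address(d), n)
            for s, d, n in flows]

    # A local address is lit if it was seeded from earlier flow data,
    # originated traffic itself, or answered at least one flow.
    lit = {ipaddress.ip_address(a) for a in seeded_lit}
    for src, dst, dst_pkts in recs:
        if src in net:
            lit.add(src)
        if dst in net and dst_pkts > 0:
            lit.add(dst)

    # Count distinct dark local addresses touched by each outside source.
    dark_hits = defaultdict(set)
    for src, dst, _ in recs:
        if src not in net and dst in net and dst not in lit:
            dark_hits[src].add(dst)

    return {str(s): len(d) for s, d in dark_hits.items() if len(d) >= threshold}


if __name__ == "__main__":
    print("traffic only:", find_scanners(FLOWS, "192.0.2.0/24"))
    print("with seeding:", find_scanners(
        FLOWS, "192.0.2.0/24", seeded_lit=["192.0.2.30", "192.0.2.31"]))
```

Without seeding, the ordinary client is flagged because two quiet hosts look dark; seeding the lit set from earlier data removes that false positive while the sweep is still reported.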
