cflowd
What can we do with the data?
Monitor our OC-3 ingress link for potential attack precursors,
  - e.g. RPC portmap requests, host sweeps, port sweeps, ...
Perform traffic anomaly detection,
  - fuzzy-matching
  - correlation analysis
Link layer tracing,
  - forged-source DoS attacks (remember, metrics can be persistent)
  - network bridging identification
  - yes, there is the issue of interrealm trust. It's workable on a small scale. Others are working on the generic scalable solutions.
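As an added illustration of the precursor-monitoring bullets above (not part of the original slides or of cflowd itself), this Python sketch runs simple host-sweep, port-sweep and RPC portmap-request detection over constructed flow records; the tuple layout, thresholds and addresses are assumptions, not cflowd's export format.

```python
# Added example: flow-record precursor detection (host sweeps, port sweeps,
# RPC portmap requests). The record layout (src, dst, dport, proto, packets),
# thresholds and addresses are assumptions for this example, not cflowd's format.
from collections import defaultdict

PORTMAP_PORT = 111  # sunrpc/portmapper

def build_sample_flows():
    """Constructed sample flows, not captured traffic."""
    flows = []
    # One source touching eight hosts on the same port looks like a host sweep.
    for i in range(1, 9):
        flows.append(("203.0.113.7", f"192.0.2.{i}", 22, "tcp", 1))
    # One source probing twelve ports on one host looks like a port sweep.
    for port in range(20, 32):
        flows.append(("203.0.113.9", "192.0.2.50", port, "tcp", 1))
    # Repeated portmap requests from a third source.
    flows += [("203.0.113.11", "192.0.2.60", PORTMAP_PORT, "udp", 2)] * 3
    # Ordinary web traffic that should not be flagged.
    flows.append(("198.51.100.3", "192.0.2.80", 80, "tcp", 40))
    return flows

def detect_precursors(flows, host_threshold=5, port_threshold=10):
    """Return suspicious sources keyed by precursor type.

    host_sweep:    src -> number of distinct destination hosts
    port_sweep:    (src, dst) -> number of distinct destination ports
    portmap_probe: src -> number of flows to the portmapper port
    """
    hosts_by_src = defaultdict(set)
    ports_by_pair = defaultdict(set)
    portmap_by_src = defaultdict(int)
    for src, dst, dport, proto, _packets in flows:
        hosts_by_src[src].add(dst)
        ports_by_pair[(src, dst)].add(dport)
        if dport == PORTMAP_PORT and proto in ("tcp", "udp"):
            portmap_by_src[src] += 1
    return {
        "host_sweep": {s: len(d) for s, d in hosts_by_src.items()
                       if len(d) >= host_threshold},
        "port_sweep": {p: len(ports) for p, ports in ports_by_pair.items()
                       if len(ports) >= port_threshold},
        "portmap_probe": dict(portmap_by_src),
    }

if __name__ == "__main__":
    for kind, hits in detect_precursors(build_sample_flows()).items():
        print(kind, hits)
```

The thresholds are deliberately low for the constructed sample; on a real OC-3 feed they would be tuned per link and kept persistent across collection intervals, as the slide notes.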