I am interested in the metrics of the attack. Is there any packet rate that can be considered a reasonable threshold to detect this attack from a traffic perspective? Or is this completely connected to the limits of the hardware?
- Context is very important. You want to detect ***anomalies*** in the context. – schroeder Mar 12 '20 at 10:10
- By context, do you mean the setup? Or the type of traffic? What I had in mind was detecting different MACs in the packets and considering a rate. For example, if you see 100 different MACs in traffic in less than 2 seconds (off the top of my head), then trigger an alert. – ystv Mar 12 '20 at 10:21
- I mean "what's normal and expected" for that setup, traffic types, and nodes. Setting hard metrics depends on the context. It's better to do anomaly detection from a baseline. – schroeder Mar 12 '20 at 10:23
- Makes sense. If we know the number of possible systems (online, and systems that are offline but can go online), can we use that number as an approximation? – ystv Mar 12 '20 at 10:42
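As an added example that is not part of the thread, this is what the two ideas above look like as detection logic: a sliding-window count of distinct source MACs (ystv's "N MACs in 2 seconds"), with the alert threshold either learned from known-normal traffic (schroeder's baseline, assumed here as mean plus three standard deviations) or set to the inventoried number of systems. The packet records are constructed sample data, and the 2-second window and the k=3 factor are assumptions, not values from the question.

```python
# Added example (not from the thread): sliding-window count of distinct
# source MACs checked against a baseline learned from known-normal traffic.
# All packet records are constructed sample data, not captured traffic.
from collections import deque
import statistics

WINDOW_SECONDS = 2.0  # assumed window length; ystv's comment used 2 seconds


def distinct_macs_per_window(packets, window=WINDOW_SECONDS):
    """For each packet, count distinct source MACs seen in the trailing window.
    packets: (timestamp_seconds, src_mac) pairs sorted by timestamp."""
    recent = deque()   # (timestamp, mac) pairs still inside the window
    counts = {}        # mac -> number of its packets inside the window
    results = []
    for ts, mac in packets:
        recent.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        while recent and ts - recent[0][0] > window:  # evict expired packets
            _, old_mac = recent.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        results.append(len(counts))
    return results


def baseline_threshold(normal_counts, k=3.0):
    """Mean + k standard deviations of per-window counts from normal traffic."""
    return statistics.mean(normal_counts) + k * statistics.pstdev(normal_counts)


def flag_windows(packets, threshold):
    """Indices of packets whose trailing window exceeds the threshold.
    threshold can come from baseline_threshold() or, as ystv suggested,
    simply be the number of systems known to exist on the segment."""
    return [i for i, n in enumerate(distinct_macs_per_window(packets)) if n > threshold]


# Constructed baseline: four known hosts talking every 0.5 s for 20 s.
NORMAL = [(t * 0.5, f"00:11:22:33:44:{t % 4:02x}") for t in range(40)]
# Constructed suspicious segment: 150 never-seen MACs within 0.75 s.
SUSPECT = NORMAL + [(20.0 + i * 0.005, f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}")
                    for i in range(150)]

if __name__ == "__main__":
    threshold = baseline_threshold(distinct_macs_per_window(NORMAL))
    print(f"baseline threshold: {threshold:.2f} distinct MACs per {WINDOW_SECONDS}s window")
    print("first flagged packet indices:", flag_windows(SUSPECT, threshold)[:5])
```

On the constructed data the learned threshold lands between 5 and 6 distinct MACs per window, so the normal traffic never alerts while the burst is flagged a few packets in; a hard inventory threshold of 4 fires on the very first unknown MAC.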