Hi ntop team, I have a couple of nProbe questions for you:
We had an incident where a badly behaved host increased the number of flow
records being generated by nProbe by a factor of 10 and really stressed our
downstream processing. I ended up restarting our nProbe processes with an
added *--black-list x.x.x.x/32* option to ignore that host. That led me to
wonder, is there any way to dynamically change the blacklist configuration
so that in the future I could add a host or network without having to
restart nProbe? Doing so without restarting would be preferable since
restarting will result in some data loss across all the monitored traffic.
I didn't see anything in the documentation, but thought it would be worth
checking here.
On a related note, I wonder about the --max-num-flows option which limits
the number of active flows in the case of DoS, etc. In the event that the
maximum number of flows is exceeded, what flows will get discarded? Any
new flows above the limit, or is there a more selective algorithm?
Thank you!
Peter