[unisog] registering servers

Tim Eden (te) te at unsw.edu.au
Fri Jul 28 00:04:24 GMT 2006

Hi Peter,

Thanks for the reply, I've read the FAQ on the argus page and also this 
thread which discusses argus performance:

> http://blog.gmane.org/gmane.network.argus/month 040401

But still can't seem to find the info I'm after on performance. Our 
primary link to the Internet peaks at just over 100 Mbit/sec in plus 50 
Mbit/sec out and 15,000 packets/sec in both directions. Averages for a 
24 hour period are around 35 Mbit/sec in, 20 Mbit/sec out and 6,000 
packets/sec. Do you know what sort of machine we would need to handle 
this amount of traffic? Is it safe to assume that if the machine has a 
disk subsystem that can handle the write speed equivalent to the amount 
of traffic it sees (i.e. 150 Mbit/sec or 18.75 MByte/sec) that it will 
be able to handle the load? What sort of CPU and memory requirements 
does it have?



Peter Van Epp wrote:
> On Fri, Jul 28, 2006 at 08:37:31AM +1000, Tim Eden (te) wrote:
>> To those people that have a default deny policy and spent time 
>> beforehand monitoring traffic and deciding which servers to allow 
>> through initially - what sort of tools/methodology did you use to do this?
>> Cal Frye wrote:
>>> Thanks, all. We've been pretty open, and every suggestion of tightening
>>> things up a bit brings the same complaints suggesting I'm related to
>>> Mordac, the Denier of Information Services ;-)
> To answer two questions in one, argus (http://www.qosient.com/argus)
> on our borders records all IP flows in and out. The "Mordac, the Denier of 
> Information Services" became "Really, 17 breakins via the netbios ports in 20 
> days (all found and documented by argus logs), that's costing a lot to clean 
> up. We better block those ports and do something different for the 4 (out of 
> around 15,000) hosts that are using netbios from off campus ...". Highly 
> recommended. Hard numbers sell ... Port 25 outbound is a harder sell because
> we have lots of legit mail clients that do it in small volumes and argus 
> flags ones doing it in large volumes without being an approved mail server for
> whacking. It's still possible the occasional blacklisting will eventually get
> 25 outbound blocked but not yet ...
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> http://lists.dshield.org/mailman/listinfo/unisog
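
Added example (not part of the original messages and not argus code): the two border-flow checks described in the quoted reply, written as a small Python summary over flow records. It reports unapproved campus hosts sending port 25 traffic to many off-campus peers, and campus hosts reached on the NetBIOS ports from off campus. The record layout, the campus range, the approved-server list and the peer threshold are assumptions, and the flow rows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records for illustration; this is NOT argus's output format.
SAMPLE_FLOWS = """src,dst,proto,dport
192.0.2.10,198.51.100.1,tcp,25
192.0.2.10,198.51.100.2,tcp,25
192.0.2.10,198.51.100.3,tcp,25
192.0.2.10,198.51.100.4,tcp,25
192.0.2.44,203.0.113.25,tcp,25
192.0.2.44,203.0.113.25,tcp,25
192.0.2.77,198.51.100.1,tcp,25
192.0.2.77,198.51.100.2,tcp,25
192.0.2.77,198.51.100.3,tcp,25
192.0.2.77,203.0.113.9,tcp,25
198.51.100.9,192.0.2.80,tcp,139
192.0.2.81,192.0.2.80,tcp,139
"""

CAMPUS = ipaddress.ip_network("192.0.2.0/24")  # assumption: campus address space
APPROVED_MAIL = {"192.0.2.10"}                 # assumption: approved mail servers
NETBIOS_PORTS = {"137", "138", "139"}
MAX_SMTP_PEERS = 3                             # assumption: distinct peers per window

def inside(addr):
    return ipaddress.ip_address(addr) in CAMPUS

def summarize(flow_csv):
    """Return (smtp_offenders, netbios_hosts) computed from border flow records."""
    smtp_peers = defaultdict(set)  # unapproved campus host -> off-campus SMTP peers
    netbios = defaultdict(set)     # campus host -> off-campus NetBIOS clients
    for r in csv.DictReader(io.StringIO(flow_csv)):
        src_in, dst_in = inside(r["src"]), inside(r["dst"])
        if r["proto"] == "tcp" and r["dport"] == "25" and src_in and not dst_in:
            if r["src"] not in APPROVED_MAIL:
                smtp_peers[r["src"]].add(r["dst"])
        elif r["dport"] in NETBIOS_PORTS and dst_in and not src_in:
            netbios[r["dst"]].add(r["src"])
    offenders = {h: len(p) for h, p in smtp_peers.items() if len(p) > MAX_SMTP_PEERS}
    return offenders, {h: sorted(c) for h, c in netbios.items()}

if __name__ == "__main__":
    offenders, netbios_hosts = summarize(SAMPLE_FLOWS)
    print("unapproved high-volume SMTP senders:", offenders)
    print("campus hosts reached on NetBIOS from off campus:", netbios_hosts)
```

The per-host counts are the kind of hard numbers the reply refers to: they show how few hosts a block would affect before the policy is proposed.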