Security Log Management: Identifying Patterns in the Chaos

Another part of your defense-in-depth strategy is to use all your layered defensive tools to your greatest advantage. One way to do that is to use your tcpdump logs, if they are available, to augment the session-based logging and application logging. One way to leverage the tcpdump logging is to use it to help detect bandwidth problems such as a DoS, or to help detect large network utilization from other causes, such as a backup to a hot site or a download of several CDs' worth of an operating system. When first deploying your tcpdump logging application, you should find out what other information you can get out of that data. One solution is a tool called tcpdstat (http://staff.washington.edu/dittrich/_talks/core02/tools/tools.html), written by Dave Dittrich of the University of Washington. This tool reads and parses a tcpdump file and produces text output such as the following:
    Id: 200406010000
    AvgRate: 238.22Kbps stddev:499.02K PeakRate: 12.52Mbps
Several more lines in the output can be culled later for other reports, but for DoS detection the value you need to be concerned with is PeakRate. This value is the highest throughput during that hour; when compared with the rest of the day, or even with the previous hour, it gives you a rough idea of whether you are under attack. For example, you can have a simple script called via cron to check the hour-to-hour...
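As an added example (not code from the book or from tcpdstat itself), the following Python script shows the hour-to-hour comparison the text describes: it parses the `Id:` and `AvgRate: ... PeakRate: ...` lines from a series of tcpdstat-style summaries, converts the rate strings to bits per second, and flags an hour whose PeakRate is several times both the previous hour's peak and the median of the earlier hours. The sample reports embedded in the script are constructed for illustration and are not real captures; the `ratio` threshold and the double comparison against the previous hour and the running median are design choices of this example, meant to make a single legitimately busy hour (such as a backup) less likely to raise an alert than a sustained surge.

```python
import re
import statistics
from typing import List, Tuple

# Constructed sample: one tcpdstat-style summary per hour (Id = YYYYMMDDHHMM),
# mimicking only the "Id:" and "AvgRate ... PeakRate" lines the book quotes.
# The values are made up for this example; they are not real measurements.
SAMPLE_REPORTS = """\
Id: 200406010000
AvgRate: 238.22Kbps stddev:499.02K PeakRate: 12.52Mbps
Id: 200406010100
AvgRate: 201.10Kbps stddev:310.55K PeakRate: 9.80Mbps
Id: 200406010200
AvgRate: 190.47Kbps stddev:280.00K PeakRate: 11.30Mbps
Id: 200406010300
AvgRate: 4.85Mbps stddev:9.12M PeakRate: 88.40Mbps
"""

_UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_RATE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>[KMG]?)bps$")
_LINE_RE = re.compile(r"AvgRate:\s*(?P<avg>\S+).*PeakRate:\s*(?P<peak>\S+)")


def rate_to_bps(text: str) -> float:
    """Convert a tcpdstat rate string such as '12.52Mbps' to bits per second."""
    m = _RATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    return float(m.group("num")) * _UNITS[m.group("unit")]


def parse_reports(text: str) -> List[Tuple[str, float, float]]:
    """Return (hour_id, avg_bps, peak_bps) for every report block in `text`.

    A block is an 'Id:' line followed (possibly after other lines) by the
    'AvgRate ... PeakRate' line; blocks missing either part are skipped.
    """
    results: List[Tuple[str, float, float]] = []
    current_id = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Id:"):
            current_id = line.split(":", 1)[1].strip()
            continue
        m = _LINE_RE.search(line)
        if m and current_id is not None:
            results.append(
                (current_id, rate_to_bps(m.group("avg")), rate_to_bps(m.group("peak")))
            )
            current_id = None  # one rate line per Id block
    return results


def flag_peaks(reports: List[Tuple[str, float, float]], ratio: float = 3.0):
    """Flag hours whose PeakRate is more than `ratio` times BOTH the previous
    hour's peak and the median peak of all earlier hours.

    Returns a list of (hour_id, peak_vs_previous, peak_vs_median). The first
    hour has nothing to compare against and is never flagged.
    """
    alerts = []
    for i in range(1, len(reports)):
        hour_id, _avg, peak = reports[i]
        prev_peak = reports[i - 1][2]
        baseline = statistics.median(r[2] for r in reports[:i])
        if peak > ratio * prev_peak and peak > ratio * baseline:
            alerts.append((hour_id, peak / prev_peak, peak / baseline))
    return alerts


if __name__ == "__main__":
    # Typical use from cron: feed the concatenated hourly tcpdstat summaries in
    # and print any hour that stands out for a human to look at.
    for hour_id, vs_prev, vs_median in flag_peaks(parse_reports(SAMPLE_REPORTS)):
        print(f"{hour_id}: PeakRate is {vs_prev:.1f}x previous hour, "
              f"{vs_median:.1f}x median of earlier hours")
```

With the constructed sample, only the 03:00 hour is reported: its 88.40Mbps peak is roughly eight times both the previous hour and the median of the first three hours. Requiring both comparisons to trip is what keeps a single slow-night baseline from making a normal morning look like an attack; tune `ratio` against a week of your own hourly summaries before wiring the script into cron.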