D/DoS mitigation hardware/software needed.

Jeffrey Lyon jeffrey.lyon at blacklotus.net
Mon Jan 4 22:05:49 CST 2010


1. We have multiple nodes conducting DDoS scrubbing, one failing would not
be catastrophic.

2.  Indeed.

3.  Sort of, such devices are downstream for extremely valid reasons I won't
get into now.

4. Indeed, were equipped to handle substantially higher than 150kpps.

I'm sure Arbor is really neat but I disagree that any DDoS appliance is a
standalone solution. I don't expect an employee of the vendor themselves to
attest to this though.

Best regards, Jeff

Best regards, Jeff

On Jan 4, 2010 10:14 PM, "Suresh Ramasubramanian" <ops.lists at gmail.com>
wrote:

On Tue, Jan 5, 2010 at 8:36 AM, Jeffrey Lyon <jeffrey.lyon at blacklotus.net>
wrote: > We have such a c...
So .. this is interesting.

The firewall would have to frontend your mail / web / whatever
application .. and if something goes beyond the firewall's rated
capacity (100k ++ - maybe nearly 150..175k connections per second for
a high end firewall), the firewall falls over.

And even before that, there's the risk of whatever application you're
protecting getting pounded flat if your firewall passes even a small
percentage of this traffic.

Do you -

1. Have (say) two firewalls in HA config?

2. Back your firewall with routing based measures, S/RTBH, blackhole
communities your upstream offers, etc [the standard nspsec bootcamp
stuff]

3. Simply back the firewall with a netflow based device?

4. Estimate that the risk of a DDoS that exceeds your firewall's rated
capacity is extremely low?  [and yes, 150k ++ connections per second
ddos is going to be massive, and relatively rare for most people]

--srs

--
Suresh Ramasubramanian (ops.lists at gmail.com)



More information about the NANOG mailing list