Verisign Internet Defence Network

Hank Nussbacher hank at efes.iucc.ac.il
Wed Jun 1 05:26:21 UTC 2011


At 10:25 30/05/2011 -0400, Jim Mercer wrote:

My knowledge is from 1.5 years ago when I compared Verisign, Prolexic, 
Akamai and others so things may have changed since then.

VeriSign claim that they are servicing their own network globally which has 
performed with zero down time over the last decade.  Verisign have 2 
offerings - one over BGP and the other over GRE/SSL VPNs. The BGP solution 
would be faster to turn on but will require more configuration set-up. 
Interestingly, their mitigation service is not 'always-on' (they sell their 
monitoring and mitigation services seperately). On detection of an attack, 
they contact the customer and only once the customer acknowledges that they 
want their services "redirected" do they turn on the filtering.

My biggest gripe was their SLA - or lack of one. Back in Dec 2009 I forced 
them to start writing an SLA which they had not thought of, which back then 
showed an immaturity of service.  Things might be different now.  Verisign 
then took the view that the SLA should be based on *their* mitigation 
platform availability ("our scrubbing center has 100% SLA") and not on the 
customer site availability (all great and wonderful that your scrubbing 
center is up and running - but my site is down).  They were willing to give 
service credits if their scrubbing center was down but not if the customer 
site was down.

I found they had a well established customer portal and ample reporting 
facilities.

Just make sure they have improved on their SLA before buying.

Regards,
Hank


>Heyo,
>
>So, I asked to look into the viability and usefullness of the "Verisign
>Internet Defence Network" service.
>
>I don't claim to be any kind of expert in DDoS mitigation, but some of the
>claims made by the product descriptions seem suspect to me.
>
>it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
>detected, Verisign will work with the customer to redirect Internet traffic
>destined for the protected service to a Verisign Internet Defense Network
>site."
>
>anyone here have any comments on how this works, and how effective it will be
>vs. dealing directly with your upstream providers and getting them to assist
>in shutting down the attack?
>
>--
>Jim Mercer        jim at reptiles.org        +1 416 410-5633
>You are more likely to be arrested as a terrorist than you are to be
>blown up by one. -- Dianora





More information about the NANOG mailing list