Verisign Internet Defence Network

Stefan Fouant sfouant at shortestpathfirst.net
Mon May 30 15:01:35 UTC 2011


> -----Original Message-----
> From: Jim Mercer [mailto:jim at reptiles.org]
> Sent: Monday, May 30, 2011 10:26 AM
> To: nanog at nanog.org
> Subject: Verisign Internet Defence Network
> 
> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
> detected, Verisign will work with the customer to redirect Internet traffic
> destined for the protected service to a Verisign Internet Defense Network
> site."
> 
> anyone here have any comments on how this works, and how effective it will be
> vs. dealing directly with your upstream providers and getting them to assist
> in shutting down the attack?

It's really very simple.  Verisign advertises your netblock to the Internet
as a whole while at the same time you cease to advertise your route to your
ISPs.  Traffic gets redirected into the VIDN scrubbing center where the bad
traffic is removed.  The resulting clean traffic is sent via GRE tunnel back
to the customer's CPE router.

How effective it will be vs. getting your upstreams to assist really depends
on how many upstream providers you have and what their capabilities are.
Certainly dealing with one company (Verisign) is going to
be a lot easier than dealing with many upstream providers which are likely
to not have uniform offerings and services.  Most providers that are going
to be willing to assist you are only going to null-route traffic towards the
destination netblock thereby completing the DoS attack.  Those that do have
mitigation offerings are going to charge you for it, and then again, it's
not a uniform offering across all your upstream providers.

I personally think the "cloud-based" approach offered by Verisign makes a
whole heckuva lot more sense than trying to deal with heterogeneous
offerings from many disparate providers, much less having to open tickets
with each provider, having to deal with typical response times, etc.  In my
experience, reducing the number of cogs usually results in dramatically
lower mitigation times, which is certainly the end goal in dealing with
these types of attacks.

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC
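As an added illustration of the customer-side steps the reply above describes (this is not configuration from the post, from Verisign, or from any VIDN documentation), here is a Junos set-style sketch of the cutover: a pre-built GRE tunnel for the clean return path, an export policy term that withdraws the protected netblock from the upstreams, and the operational checks to run after committing. Every address, AS, peer and interface name is an assumed placeholder from the RFC 5737 documentation ranges; the real tunnel endpoint and prefix handling are whatever the provider hands you.

```junos
## Assumed placeholder values (not real Verisign or customer addressing):
##   192.0.2.0/24    protected netblock normally originated to the ISPs
##   203.0.113.10    public address of the customer CPE (GRE tunnel source)
##   203.0.113.1     one upstream eBGP neighbour, used in the checks below
##   198.51.100.1    scrubbing-centre tunnel endpoint supplied by the provider
##   10.255.0.0/30   point-to-point addressing inside the tunnel

## 1. Steady state: the customer originates the /24 to its upstreams.
##    The protected prefix has to be one the rest of the Internet will carry
##    on the provider's behalf, which in practice means a /24 or shorter.
set routing-options static route 192.0.2.0/24 discard
set policy-options policy-statement EXPORT-TO-ISP term WITHDRAW-PROTECTED from route-filter 192.0.2.0/24 exact
set policy-options policy-statement EXPORT-TO-ISP term WITHDRAW-PROTECTED then reject
set policy-options policy-statement EXPORT-TO-ISP term ORIGINATE from protocol static
set policy-options policy-statement EXPORT-TO-ISP term ORIGINATE from route-filter 192.0.2.0/24 exact
set policy-options policy-statement EXPORT-TO-ISP term ORIGINATE then accept
set policy-options policy-statement EXPORT-TO-ISP then reject
set protocols bgp group UPSTREAMS type external
set protocols bgp group UPSTREAMS export EXPORT-TO-ISP
## The withdraw term stays inactive until an event is declared.
deactivate policy-options policy-statement EXPORT-TO-ISP term WITHDRAW-PROTECTED

## 2. Return path: a GRE tunnel terminating on the CPE, built in advance so
##    that cutover is a single policy change. GRE adds 24 bytes of overhead
##    (20-byte outer IP + 4-byte GRE header), so the tunnel MTU is 1476 on a
##    1500-byte underlay. gr- interfaces also need tunnel services enabled on
##    the chassis; that part is platform-specific and not shown here.
set interfaces gr-0/0/0 unit 0 tunnel source 203.0.113.10
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.1
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 10.255.0.2/30

## 3. Cutover when the provider says to divert: stop originating the /24 so
##    that the provider's announcement is the only path left in the table.
##    commit confirmed rolls back automatically if the box becomes unreachable.
activate policy-options policy-statement EXPORT-TO-ISP term WITHDRAW-PROTECTED
commit confirmed 5

## Checks after commit (operational mode):
##   show route advertising-protocol bgp 203.0.113.1 192.0.2.0/24
##       -> should return no route: the /24 is no longer sent to the upstream
##   show interfaces gr-0/0/0 statistics
##       -> input counters should climb as clean traffic arrives from the scrubber
## Caveat: replies sourced from 192.0.2.0/24 still leave directly via the ISPs
## (the path is asymmetric), and those ISPs now learn the /24 from the
## provider rather than from you. Strict uRPF on the upstream side would drop
## that outbound traffic, so confirm with them that loose mode (or none) applies.

## 4. Back out once the event is over, then confirm the /24 is advertised again.
deactivate policy-options policy-statement EXPORT-TO-ISP term WITHDRAW-PROTECTED
commit
```

The policy is written so that the normal and diverted states differ only by whether one term is active, which keeps the change small enough to make (and undo) under pressure; nothing about the upstream sessions themselves has to change, since they still carry your other prefixes and all outbound traffic throughout the event.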
