DDoS mitigation service
Pierre Lamy
pierre at userid.org
Fri Feb 1 14:57:44 UTC 2013
The 3 major scrubbing vendors:
Prolexic
Verisign
Akamai
Prolexic has the ability to announce a /24 for you, and scrub the whole
thing, then pipe it back to you via a GRE tunnel or dedicated circuit.
All of the companies mentioned do this for a living, and are pretty good
at what they do. There are other vendors as well that do FQDN scrubbing
for you (which is the normal way to do it). You swing the DNS A record
to point to their provisioned VIP, and they proxy back the traffic to
you. This doesn't do anything to prevent attacks against IP addresses
rather than resolved FQDNs.
It's important to note that all mitigation techniques can have a
negative impact and should be tested first. The scrubbing centers are
only one solution and you should equip yourself with multiple layers of
defense, separated by where they live:
Beyond the carrier perimeter
- Scrubbing farms in IP-routed mode
- Scrubbing farms in DNS-routed mode
- CDNs to deliver high value target pages, like main corporate pages and
login windows
- Globally Anycast DNS auth slaves through a CDN
Beyond your perimeter (carriers)
- Geoblocks
- Zombie detection and rate limits
- Flowspec routes via monitoring tools like Arbor's
- Various other carrier-specific security offerings
- Provision a secondary circuit to carry non-public IP space, for
corporate web/out, phones, VPN etc. If the main pipe comes under attack,
you can still carry out some critical business and B2B functions
Within the perimeter
- Load balancers
- Firewalls
- IPS
- WAF
- Reverse proxies
- Blackhole routes
- Flowspec routes (i.e. Arbor)
- A SPAN tap on the internet feed(s) connected to a tcpdump box (silly
and cheap, but highly useful to generate sigs and collect intel)
Not all DDoS are created equal, and there can always be some leakage by
protections further out; the protections closer in allow for a faster
and more granular response, but you're really limited to the circuit
sizes, session limits etc. I would highly recommend that you also join
industry-specific cyberintelligence organizations, like any of the
-ISACs, and/or a cyberintel provider if you don't have access to an
-ISAC. The 3 major areas of infosec business focus in 2013 that I see
will be insourcing malware analysis + automation of IOC generation,
cyberintelligence, and DDoS mitigations. Businesses have realized that
relying solely on external vendors to provide these services in a
generic way results in good service but slower turnaround times; the
insourced components become both a first tier of defense, and also a
specialized set of incident responders that understand the business.
Pierre
On 31/01/2013 1:13 PM, matt kelly wrote:
> Can anyone recommend ddos mitigation companies with US east coast
> presence that provide the services via bgp? We are not interested in an
> appliance but rather offloading the traffic.
>
> Thanks.
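As an added illustration of the "closer in, more granular" point in the post above (example code, not part of Pierre's message or any vendor's product): a small Python triage that takes one interval of flow records, the kind a tcpdump box on a span tap yields once summarised, and proposes the most granular rule that fits, per-source discard when a few heavy sources dominate and per-service rate limit when the flood is spread across many low-rate zombies. The flow tuples are constructed (TEST-NET addresses), the thresholds are assumptions, and the rule shape is a simplified flowspec-style match rather than any vendor's syntax.

```python
# Added example, not code from the original post. Flow tuples are constructed
# (TEST-NET addresses); thresholds and the flowspec-style rule shape are assumptions.
from collections import Counter, defaultdict

# Constructed 1-second sample toward one web VIP: a 40-source UDP/53 flood of
# low-rate zombies, one very heavy TCP/443 source, and a little normal traffic.
SAMPLE_FLOWS = (
    [(f"203.0.113.{i}", "192.0.2.10", "udp", 53, 400) for i in range(1, 41)]
    + [("198.51.100.7", "192.0.2.10", "tcp", 443, 9000)]
    + [("198.51.100.8", "192.0.2.10", "tcp", 443, 30), ("198.51.100.9", "192.0.2.10", "tcp", 80, 20)]
)

SERVICE_PPS_THRESHOLD = 5000   # packets/interval per (dst, proto, port) that trips triage
HEAVY_SOURCE_PPS = 2000        # a single source above this gets its own rule
MIN_ZOMBIES = 20               # this many low-rate sources counts as "distributed"


def aggregate(flows):
    """Bucket (src, dst, proto, dst_port, packets) records by service tuple."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": Counter()})
    for src, dst, proto, dport, pkts in flows:
        b = buckets[(dst, proto, dport)]
        b["packets"] += pkts
        b["sources"][src] += pkts
    return buckets


def suggest_mitigations(flows):
    """One rule per overloaded service: discard heavy sources individually when
    they exist; otherwise a distributed flood can only be matched on the service
    tuple, which also hits legitimate clients, so it gets rate-limit, not discard."""
    rules = []
    for (dst, proto, dport), b in sorted(aggregate(flows).items()):
        if b["packets"] < SERVICE_PPS_THRESHOLD:
            continue  # below the line: nothing to do at this layer
        heavy = sorted(s for s, p in b["sources"].items() if p >= HEAVY_SOURCE_PPS)
        base = {"dst": f"{dst}/32", "proto": proto, "dst_port": dport}
        if heavy:
            rules.append({**base, "src": heavy, "action": "discard",
                          "scope": "per-source", "collateral": "none expected"})
        elif len(b["sources"]) >= MIN_ZOMBIES:
            rules.append({**base, "action": "rate-limit", "scope": "per-service",
                          "collateral": "legitimate clients of this service"})
    return rules


if __name__ == "__main__":
    for rule in suggest_mitigations(SAMPLE_FLOWS):
        print(rule)
```

The "collateral" field is the reason the post says to test mitigations first: a per-service rule is the only option against a distributed flood, but it is also the one that can take legitimate users down with it.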