Ddos mitigation service

Pierre Lamy pierre at userid.org
Fri Feb 1 14:57:44 UTC 2013


The 3 major scrubbing vendors:

Prolexic
Verisign
Akamai

Prolexic has the ability to announce a /24 for you, and scrub the whole 
thing, then pipe it back to you via a GRE tunnel or dedicated circuit. 
All of the companies mentioned do this for a living, and are pretty good 
at what they do. There are other vendors as well that do FQDN scrubbing 
for you (which is the normal way to do it). You swing the DNS A record 
to point to their provisioned VIP, and they proxy back the traffic to 
you. This doesn't do anything to prevent attacks against IP addresses 
rather than resolved FQDNs.

It's important to note that all mitigation techniques can have a 
negative impact and should be tested first. The scrubbing centers are 
only one solution and you should equip yourself with multiple layers of 
defense, separated by where they live:

Beyond the carrier perimeter
- Scrubbing farms in IP-routed mode
- Scrubbing farms in DNS-routed mode
- CDNs to deliver high value target pages, like main corporate pages and 
login windows
- Globally Anycast DNS auth slaves through a CDN

Beyond your perimeter (carriers)
- Geoblocks
- Zombie detection and rate limits
- Flowspec routes via monitoring tools like Arbor's
- Various other carrier-specific security offerings
- Provision a secondary circuit to carry non-public IP space, for 
corporate web/out, phones, VPN etc. If the main pipe comes under attack, 
you can still carry out some critical business and B2B functions

Within the perimeter
- Load balancers
- Firewalls
- IPS
- WAF
- Reverse proxies
- Blackhole routes
- Flowspec routes (i.e. Arbor)
- A span tap on the internet feed(s) connected to a tcpdump box (silly 
and cheap, but highly useful to generate sigs and collect intel)

Not all DDoS are created equal, and there can always be some leakage by 
protections further out; the protections closer in allow for a faster 
and more granular response, but you're really limited to the circuit 
sizes, session limits etc. I would highly recommend that you also join 
industry specific cyberintelligence organizations, like any of the 
-ISACs, and/or a cyberintel provider if you don't have access to an 
-ISAC. The 3 major areas of infosec business focus in 2013 that I see 
will be insourcing malware analysis + automation of IOC generation, 
cyberintelligence, and DDoS mitigations. Businesses have realized that 
relying solely on external vendors to provide these services in a 
generic way results in good service but slower turnaround times; the
insourced components become both a first tier of defense, and also a 
specialized set of incident responders that understand the business.

Pierre

On 31/01/2013 1:13 PM, matt kelly wrote:
> Can anyone recommend ddos mitigation companies with US east coast
> presence that provide the services via bgp?  We are not interested in an
> appliance but rather offloading the traffic.
>
> Thanks.
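The reply above recommends a SPAN tap feeding a tcpdump box "to generate sigs and collect intel", with flowspec and blackhole routes as the places to push the result. The script below is an added example, not code from the thread or from any vendor named in it: it parses constructed `tcpdump -n` UDP lines, aggregates per-source packet rates and per-(destination, source-port) reflector counts, and turns anything over threshold into a candidate discard rule. The thresholds, the constructed capture, and the ExaBGP-style flowspec text it renders are all illustrative assumptions; check the syntax against your own route server before announcing anything.

```python
"""Turn a span-tap tcpdump capture into candidate mitigation rules.

Added example, not part of the NANOG thread. It assumes the capture is
the text output of `tcpdump -n` for UDP traffic; thresholds, prefixes
and the ExaBGP-style output format are illustrative assumptions.
"""
import re
from collections import defaultdict

# tcpdump -n prints UDP packets as:
#   HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length N
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)$"
)

PPS_THRESHOLD = 10.0        # assumption: single-source flood threshold
REFLECTOR_THRESHOLD = 5     # assumption: distinct sources sharing a sport
REFLECTION_PORTS = {53, 123, 1900, 11211}  # common UDP amplification sports


def parse_line(line):
    """Parse one tcpdump line; return a dict or None for other traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, sport, dst, dport, length = m.groups()
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6,
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "length": int(length),
    }


def propose_rules(lines):
    """Aggregate the capture and return rules worth pushing outward."""
    pkts = [p for p in map(parse_line, lines) if p]
    if not pkts:
        return []
    # Rate everything over the capture span (at least one second).
    span = max(1.0, max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts))
    by_src = defaultdict(int)
    by_dst_sport = defaultdict(set)  # (dst, sport) -> set of sources
    for p in pkts:
        by_src[p["src"]] += 1
        by_dst_sport[(p["dst"], p["sport"])].add(p["src"])
    rules = []
    # Many reflectors answering from one well-known sport to one victim:
    # match dst + proto + sport in flowspec and discard at the carrier.
    for (dst, sport), srcs in sorted(by_dst_sport.items()):
        if sport in REFLECTION_PORTS and len(srcs) >= REFLECTOR_THRESHOLD:
            rules.append({"type": "reflection", "destination": dst + "/32",
                          "protocol": "udp", "source_port": sport,
                          "sources": len(srcs)})
    # A single source above the pps threshold: source-based discard.
    for src, n in sorted(by_src.items()):
        pps = n / span
        if pps > PPS_THRESHOLD:
            rules.append({"type": "flood", "source": src + "/32",
                          "protocol": "udp", "pps": round(pps, 2)})
    return rules


def exabgp_flowspec(rule):
    """Render a rule as an ExaBGP-style flowspec announce (assumed syntax)."""
    if rule["type"] == "reflection":
        match = (f"destination {rule['destination']}; protocol udp; "
                 f"source-port ={rule['source_port']};")
    else:
        match = f"source {rule['source']}; protocol udp;"
    return f"announce flow route {{ match {{ {match} }} then {{ discard; }} }}"


def sample_capture():
    """Constructed capture: 5 DNS reflectors, 1 flooder, 1 legit client."""
    lines = []
    for i in range(5):          # reflectors answer from sport 53, 4 pkts each
        for k in range(4):
            lines.append(f"00:00:{k*0.5:09.6f} IP 198.51.100.{i+1}.53 > "
                         "203.0.113.10.40000: UDP, length 1400")
    for k in range(30):         # one host sends 30 pkts in 1.5 s
        lines.append(f"00:00:{k*0.05:09.6f} IP 198.51.100.99.5000 > "
                     "203.0.113.10.53: UDP, length 64")
    lines.append("00:00:02.000000 IP 192.0.2.50.40001 > "
                 "203.0.113.10.53: UDP, length 60")   # legitimate query
    return lines


if __name__ == "__main__":
    for rule in propose_rules(sample_capture()):
        print(rule)
        print("  ", exabgp_flowspec(rule))
```

On the constructed capture this yields one reflection rule (five distinct sources from UDP/53 toward 203.0.113.10) and one single-source flood rule (198.51.100.99 at 15 pps); the legitimate client is below both thresholds. Run it against real tap output only after the thresholds have been tuned to your own baseline, since, as the reply notes, every mitigation can hurt legitimate traffic and should be tested first.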

More information about the NANOG mailing list