Experience on Wanguard for 'anti' DDOS solutions

Richard Hesse richard.hesse at weebly.com
Fri Aug 28 18:23:01 UTC 2015


We've tried their products off and on for the past 3-4 years. Here are
my impressions:

* UI stuck in 1999. Can't click zoom, drill down, etc.
* Inflexible UI. Want a bandwidth graph with only egress or ingress? Too bad.
* Inexpensive. I don't like that it's licensed yearly, but it's not
too much money.
* Inaccurate flow processing. Do you have iBGP peering sessions
between border routers? WANGuard will struggle mightily to correctly
classify the traffic as internal or external.
* Yes, it runs out of memory quickly during a spoofed SYN flood with
many sources. This is due to setting the Top generator to Full. If you
just want to mitigate and not have any insight into network data, set
this to Extended and you'll be fine. But if you want to use
WANGuard/WANSight as a network intelligence tool as well, you need to
set the generator to Full and it will fall over.
* Doesn't process IPFIX flow data properly. There's an old thread on
the j-nsp list about this. Basically their support claims Juniper is
broken (which I don't doubt) but then refuses to work around the
issue. None of our other flow processing tools have these problems.
* Support is responsive at times and is always cranky. I brought them
two bona fide bugs in their product that they refused to admit. It got
to the point where I asked for my money back and I think someone in
sales lit up their support team. I get the feeling that the support
team is staffed with employees who really don't like their job or
working with customers. A bad combination.
* The TAP generators with Myricom cards work well. The docs say you
can use SolarFlare for TAPs but they don't work at all. Again, they
blame SolarFlare and say that the cards are too complicated... but
fail to update their documentation saying this.
* Doesn't support any kind of layer 7 detection or filtering. It's all
very rudimentary layer 3-4 stuff. Considering how easy it is to block
layer 3/4 attacks on your own, their filtering clusters don't offer
much value.
* No real scale out solution on the detection side. It's basically
scale up your server or use clunky tech like NFS to share out
directories across managers.
* Works well enough to get you a rough idea of what's going on. It's
also decently cheap.

We use it as one part of our attack detection toolset. We don't use it
for on-site attack mitigation. I'd recommend it if you don't want to
use flow data and only want to use it for intelligence on TAP ports.

-richard

On Mon, Aug 10, 2015 at 6:58 AM, Marcel Duregards
<marcel.duregards at yahoo.fr> wrote:
> Dear Nogers,
> We are currently evaluating some DDOS detection/mitigation solutions.
> Do you have any inputs/experiences on Wanguard from Andrisoft, please?
> https://www.andrisoft.com/software/wanguard
> Currently we are just interested on the packets/flows sensors with the console for detection and RTBH trigger. Maybe the packet filtering (for scrubbing) will come later.
> Best Regards,
> -Marcel Duregards
>
>
>
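The thread touches on four things a flow-based detector has to get right: classifying traffic as internal or external, counting SYN-flood packets per target, not blowing up memory when a spoofed flood presents thousands of sources, and triggering RTBH. As an added example (written for this page; not part of the thread and not Andrisoft's code), the Python below processes constructed NetFlow-like records, classifies direction by a prefix list rather than by which router exported the flow, aggregates SYN-only packets per inbound destination, estimates distinct sources with a fixed-size k-minimum-values sketch instead of a per-source table, and emits an ExaBGP-style blackhole announcement. The prefixes, thresholds, next-hop, community, window and the announcement syntax are all assumptions.

```python
"""Bounded-memory SYN-flood detection over flow records, with an RTBH trigger.
Added example for this page; the records, prefixes and thresholds are constructed
assumptions, not data or code from the thread or from Andrisoft."""
import hashlib
import heapq
import ipaddress
import random
from collections import defaultdict

# Assumptions: our address space, RTBH parameters, thresholds, and sketch size.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
BLACKHOLE_NEXT_HOP = "192.0.2.1"     # assumed next-hop that routers map to a discard route
BLACKHOLE_COMMUNITY = "65535:666"    # RFC 7999 BLACKHOLE community
WINDOW_SECONDS = 1                   # assumed: the records below cover one second
SYN_PPS_THRESHOLD = 10_000
MIN_DISTINCT_SOURCES = 1_000         # many distinct sources on one host => likely spoofed
SKETCH_SIZE = 256                    # memory bound per destination: 256 hashes, not one entry per source


def direction(src, dst):
    """Classify a flow by prefix ownership, independent of the exporting router."""
    s = any(ipaddress.ip_address(src) in p for p in OUR_PREFIXES)
    d = any(ipaddress.ip_address(dst) in p for p in OUR_PREFIXES)
    return {(False, True): "inbound", (True, False): "outbound",
            (True, True): "internal", (False, False): "transit"}[(s, d)]


class KMV:
    """K-minimum-values cardinality sketch: keeps only the k smallest 64-bit hashes."""
    def __init__(self, k=SKETCH_SIZE):
        self.k = k
        self.heap = []      # max-heap (negated values) of the k smallest hashes
        self.seen = set()   # the retained hashes, for O(1) duplicate checks

    def add(self, item):
        h = int.from_bytes(hashlib.blake2b(item.encode(), digest_size=8).digest(), "big")
        if h in self.seen:
            return
        if len(self.heap) < self.k:
            heapq.heappush(self.heap, -h)
            self.seen.add(h)
        elif h < -self.heap[0]:                       # smaller than current k-th smallest
            evicted = -heapq.heapreplace(self.heap, -h)
            self.seen.discard(evicted)
            self.seen.add(h)

    def estimate(self):
        if len(self.heap) < self.k:
            return len(self.heap)                      # exact while under capacity
        kth = -self.heap[0] / 2 ** 64                  # k-th smallest hash, normalised to [0, 1)
        return int((self.k - 1) / kth)


def detect_syn_floods(records):
    """Return [(dst, syn_pps, estimated_sources)] for inbound destinations over both thresholds."""
    syn_pkts = defaultdict(int)
    sources = defaultdict(KMV)
    for r in records:
        if r["proto"] != 6 or direction(r["src"], r["dst"]) != "inbound":
            continue
        if r["tcp_flags"] & 0x02 and not r["tcp_flags"] & 0x10:   # SYN set, ACK clear
            syn_pkts[r["dst"]] += r["packets"]
            sources[r["dst"]].add(r["src"])
    hits = []
    for dst, pkts in syn_pkts.items():
        pps = pkts / WINDOW_SECONDS
        est = sources[dst].estimate()
        if pps >= SYN_PPS_THRESHOLD and est >= MIN_DISTINCT_SOURCES:
            hits.append((dst, pps, est))
    return hits


def rtbh_announcement(dst):
    """ExaBGP-style text-API line announcing a /32 blackhole (assumed syntax)."""
    return f"announce route {dst}/32 next-hop {BLACKHOLE_NEXT_HOP} community [{BLACKHOLE_COMMUNITY}]"


def build_sample_records(n_spoofed=5000, seed=1):
    """Constructed records: a spoofed SYN flood on .10 plus ordinary traffic to .20."""
    rng = random.Random(seed)
    spoofed = set()
    while len(spoofed) < n_spoofed:               # distinct sources somewhere in 10.0.0.0/8
        spoofed.add(str(ipaddress.IPv4Address((10 << 24) | rng.randrange(1 << 24))))
    recs = [{"src": s, "dst": "203.0.113.10", "proto": 6, "tcp_flags": 0x02, "packets": 3}
            for s in sorted(spoofed)]
    recs += [{"src": f"10.1.2.{i}", "dst": "203.0.113.20", "proto": 6, "tcp_flags": 0x1a, "packets": 50}
             for i in range(20)]                   # established sessions (ACK set): ignored
    recs += [{"src": f"10.9.9.{i}", "dst": "203.0.113.20", "proto": 6, "tcp_flags": 0x02, "packets": 1}
             for i in range(5)]                    # a few genuine handshakes: under threshold
    recs.append({"src": "203.0.113.20", "dst": "10.5.5.5", "proto": 6, "tcp_flags": 0x02, "packets": 9})
    return recs


if __name__ == "__main__":
    for dst, pps, est in detect_syn_floods(build_sample_records()):
        print(f"{dst}: {pps:.0f} SYN/s from ~{est} sources -> {rtbh_announcement(dst)}")
```

The sketch holds 256 hashes per destination whatever the number of spoofed sources, so the per-target state stays constant during a flood; the price is an estimate with roughly 6% relative error at this size, which is plenty for a "many sources" threshold. Direction is derived from the prefix list alone, so the same record classifies identically no matter which border router exported it.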


