DDoS mitigation for ISPs
Mike
mike-nanog at tiedyenetworks.com
Thu Oct 29 18:36:56 UTC 2015
On 10/29/2015 08:54 AM, Hugo Slabbert wrote:
>
> On Thu 2015-Oct-29 08:42:31 -0700, Mike
> <mike-nanog at tiedyenetworks.com> wrote:
>
>> Hello,
>>
>> Is there any DDoS mitigation service provider that can scrub
>> traffic for an ISP network? I have an ASN and BGP and my own
>> netblocks, and I have a 1 Gbps pipe. I was thinking the scenario would
>> be during an attack, we could bring up a tunnel and run BGP over it and
>> advertise some portion of our IP space through it. I realise getting it
>> set up while an attack is taking place would be a little hard and that we
>> likely could expect at least some downtime. What we have seen so far
>> has been reflection attacks (DNS and SSDP) and we have been able to
>> do rate limiting on these and other protocols to sane values. This
>> has worked well, although the primary risk is once the traffic flow
>> exceeds the link capacity such limiting won't have any net effect.
>> But if we could farm this out during times of trouble to a mitigation
>> services provider, they could advertise our block(s) and rate limit
>> and scrub for us and send us the result, it would be far better
>> than what we have now (which is effectively nothing). I asked
>> Cloudflare this and they stated they are focused on web traffic. My
>> upstream can't help me, doesn't support RTBH and won't install
>> filters anyways unless it's impacting THEIR network. Just wondering
>> if anyone has any other ideas (short of ditching my provider, which I
>> also can't do at this time due to lack of competitive choice).
>>
>> Mike-
>>
>
> In no particular order:
>
> - Prolexic (Akamai)
> - Arbor Networks
> - Staminus
> - Black Lotus
> - Incapsula
> - Radware
>
> This is not an endorsement for any of the above.
> Alternatively: http://lmgtfy.com/?q=ddos+protection
>
Actually I did the Google thing first and followed up with several of
the top results, and not once did I see anyone offering a BGP tunnel +
scrub, which is why I asked. I did get some good off-list responses
however, thanks all.
Mike-