WANTED: ISPs with DDoS defense solutions

Jared Mauch jared at puck.Nether.net
Wed Jul 30 14:58:17 UTC 2003


On Tue, Jul 29, 2003 at 04:33:28PM -0700, Lane Patterson wrote:
[ obnoxious text wordwrapped :) ]
> 
> We have some DDoS-sensitive customers asking us to refer them to the 
> best ISPs for "in-the-core" DDoS defense.  Other than UUnet (hi Chris!) 
> and MFN, I'm not aware of any ISPs in North America developing a 
> reputation for consistent DDoS defense.  Could folks contact me either 
> off-list or on-list?
> 
> It seems that large content providers and Tier2/3 bandwidth buyers 
> would do well to collaborate on group RFP's for this type of thing 
> to send the message to ISPs it is something to invest in (dare I 
> say productize?).  While UUnet's detection/blocking is great, it 
> would be wonderful to see some more intelligent filtering of DDoS 
> traffic a la RiverHead or similar approach that doesn't completely 
> blackhole victim IPs.

	Well, there are a few things/issues here.

	One is the "security" of such filtering.  As many times as
it's come up here saying "Filter your customers, it's important", how
many people out there have a strict policy for filtering them?
Would you want these same customers and providers that cannot
get the filtering right in the first place to have the ability to
accidentally (or intentionally) leak a blackhole route to
your larger network?  Yes, there is the ability to log bgp
updates to have accountability amongst other things, but the
more serious issue is that people are not doing effective filtering
[of announcements] in the first place.

	As far as I can tell these days, the US depends on
the Internet to be a utility.  Always-on, and there is (for the most
part) sufficient interconnection that the choice between the top few
providers isn't as much a technical decision, but more of a financial
one.  (There is no need to connect to MCI, Sprint and UUNet each to
avoid the peering congestion points as in the past).

	Equinix itself is demonstrating this with your "change providers
monthly" service that you offer.

	I think it will be some time before there will be
adoption of this across most of the networks.  We want people to contact
our security team instead of "blackhole and forget" type solutions.

	If someone abuses the PSTN, or other networks they eventually
will get their service terminated.  If people abuse their access by
launching DoS attacks, we need to catch them and get their access
terminated.  It's a bit harder to trace than PSTN (or other networks)
but I feel of value to do so.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
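The "security of such filtering" point above (a customer who cannot get ordinary prefix filtering right should not be able to leak a blackhole route into a larger network) comes down to a simple ingress policy: a blackhole-tagged announcement is accepted only if it is a host route and falls inside the announcing customer's own allocation, and every decision is logged for accountability. The following is an added example, not code from this thread or from any provider mentioned in it; the community value 65000:666, the customer ASNs, the allocation table and the sample announcements are all constructed for illustration.

```python
"""Added example: ingress validation of customer blackhole (RTBH) announcements.

Not code from the NANOG thread. Assumes a provider-specific blackhole
community (65000:666, hypothetical) and a per-customer allocation table.
All peers, prefixes and announcements below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE_COMMUNITY = "65000:666"   # assumed provider-specific community


@dataclass
class Announcement:
    peer: str                        # customer session, e.g. "AS64500"
    prefix: str                      # e.g. "192.0.2.7/32"
    communities: set = field(default_factory=set)


# Constructed allocation table: prefixes each customer is entitled to announce.
CUSTOMER_PREFIXES = {
    "AS64500": [ipaddress.ip_network("192.0.2.0/24")],
    "AS64501": [ipaddress.ip_network("198.51.100.0/24")],
}


def check_announcement(ann: Announcement) -> tuple[bool, str]:
    """Return (accept, reason).

    Untagged routes must lie inside the customer's allocation (plain
    customer prefix filtering).  Blackhole-tagged routes must additionally
    be host routes, so a customer can only blackhole its own addresses,
    one at a time, and can never leak a blackhole for someone else's space.
    """
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"

    allowed = CUSTOMER_PREFIXES.get(ann.peer)
    if allowed is None:
        return False, "unknown peer, no allocation on file"

    # subnet_of() raises on mixed address families, so compare versions first.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "prefix outside customer allocation"

    if BLACKHOLE_COMMUNITY in ann.communities:
        if net.prefixlen != net.max_prefixlen:
            return False, "blackhole must be a host route (/32 or /128)"
        return True, "accept blackhole host route inside allocation"

    return True, "accept customer prefix"


def filter_batch(anns):
    """Apply check_announcement() to a batch; return (accepted prefixes, log lines)."""
    accepted, log = [], []
    for a in anns:
        ok, reason = check_announcement(a)
        verdict = "ACCEPT" if ok else "REJECT"
        log.append(f"{verdict} {a.peer} {a.prefix} {sorted(a.communities)} - {reason}")
        if ok:
            accepted.append(a.prefix)
    return accepted, log


# Constructed sample announcements, including the "leaked blackhole" case.
SAMPLE = [
    Announcement("AS64500", "192.0.2.7/32", {BLACKHOLE_COMMUNITY}),      # legitimate
    Announcement("AS64500", "203.0.113.1/32", {BLACKHOLE_COMMUNITY}),    # not their space
    Announcement("AS64500", "192.0.2.0/25", {BLACKHOLE_COMMUNITY}),      # not a host route
    Announcement("AS64501", "198.51.100.0/24"),                          # ordinary prefix
    Announcement("AS64502", "198.51.100.0/24"),                          # unknown peer
]

if __name__ == "__main__":
    accepted, log = filter_batch(SAMPLE)
    print("\n".join(log))
    print("accepted:", accepted)
```

Running the block prints one log line per announcement and accepts only the customer's own /32 blackhole and AS64501's ordinary /24; the other three are rejected with the reason recorded, which is the audit trail the reply mentions when it notes that BGP updates can be logged for accountability.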