Provider-based DDoS Protection Services

chip chip.gwyn at gmail.com
Fri Jul 29 03:52:30 UTC 2005


On 7/28/05, John Neiberger <jneiberger at gmail.com> wrote:
> 
> Ferg,
> 
> That's an understandable attitude given the nature of your networks.
> In our case, I'm just talking about two or three T1s that provide
> Internet connectivity to our website for our customers.
> 
> I appreciate your input, though. I will accept all advice and input if
> it gets me closer to a better understanding of the realities of the topic
> at hand and if it helps weed out some of the marketing fluff that's
> being heaped upon me by salespeople. :)
> 
> Thanks!
> John
> 
> On 7/28/05, Fergie (Paul Ferguson) <fergdawg at netzero.net> wrote:
> > John,
> >
> > Contrary to popular belief, I (not alone, of course) run,
> > manage, defend, and continually architect very large
> > networks. Very large.  On none of them do we outsource
> > the protection of them -- because, in cases where we
> > have extended trust in the past, we have been screwed
> > (PC translation: disappointed).
> >
> > So we protect ourselves.
> >
> > It's been a business decision for my customers' networks
> > (i.e. their network) not to outsource security, or rely on
> > an upstream pipedream, for protection of any sort.
> >
> > Thus, I personally can't provide any insight here. Sorry.
> >
> > - ferg
> >
> > -- John Neiberger <jneiberger at gmail.com> wrote:
> >
> > In this case it's a business decision. I understand that we could
> > simply weigh the costs of an attack with the costs of preemptively
> > detecting and mitigating an attack, but in our case we won't lose hard
> > dollars like an ecommerce site would. We have different reasons for
> > wanting to have some protection in place before we need it. I look at
> > it like it's an insurance policy, but I don't want to be ripped off.
> >
> > It's like I'm getting estimates on building a protective dike around
> > my house. One contractor tells me that the floodwaters commonly reach
> > six feet so I should pay him $12,000 to build a wall at least that
> > high. Another contractor is telling me that he'll build a six-foot
> > wall for $6,000. Another contractor is telling me that the floodwaters
> > most likely won't go over two feet and he suggests that I pay him
> > $1,000 for a three-foot-high wall.
> >
> > If it turns out that we really do need a six-foot-high wall then so be
> > it. I'm not the one who pays the bills so it isn't really my decision.
> > I just want to make sure I have a clearer picture of reality before I
> > make any suggestions to my boss.
> >
> > Thanks again,
> > John
> >
> > On 7/28/05, Fergie (Paul Ferguson) <fergdawg at netzero.net> wrote:
> >
> > > I should've asked the most important question first -- is this
> > > a technical decision, or a business decision? I mean, forgive me
> > > for pointing out the obvious, but you made an issue of cost in your
> > > original post...
> > >
> > > - ferg
> > >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  Engineering Architecture for the Internet
> >  fergdawg at netzero.net or fergdawg at sbcglobal.net
> >  ferg's tech blog: http://fergdawg.blogspot.com/
> >
> >
> 

Thinking about this a bit, I subscribe to the theory that it somewhat
depends on how big of a target you are.  People who have large
networks usually offer more services to more people, thus they have
more exposure.  "Most of the time" when I see the large DoS attacks
they are to customers with nice fat pipes.  I've rarely seen large
(2-3Gb) attacks to small customers with a few T1s.  Not to say it
doesn't ever happen.  But if you're not hosting a ton of sites there's
not that much reason for someone to DoS you.  Botnets are a commodity
and when they are used, inevitably, a portion of the bots are found
and fixed.  There are usually 2 reasons why people are DoS'd.  You, or a
customer, has pissed someone else off or it's being done to you for
extortion reasons.  If you're hosting a small site for your business
as mostly an informational purpose then you're likely not going to be
really pissing someone off.  If you have a large ecommerce site then
you are a target for extortion purposes.  Following this chain of
logic, if you have a large site, you have large pipes.  I guess what
I'm getting at is this may be one area where security through
obscurity may actually pan out, speaking **only** to security of
bandwidth/packet rate DoS attacks.

As always, there are exceptions and anything can happen.  I'm just
speaking from my personal experience.  I've worked in a largeish ISP
NOC for about 3 years and this is mostly what I've seen.

Some things you can do that are free include making sure that if/when
you get attacked you have a plan in place of how to deal with it. 
This includes having up to date contact information for your service
provider.  Knowing what their capabilities are and how they deal with
attacks.  Having circuit information, hardware information, and
hardware vendor contact information available to help all involved
parties aid in mitigating the attack.  This can save huge amounts of
time when "bad things happen" and this applies no matter how large or
small you are.

--chip

-- 
Just my $.02, your mileage may vary,  batteries not included, etc....


