Pros and Cons of Cloud Computing in dealing with DDoS

Roland Dobbins rdobbins at arbor.net
Thu Nov 5 21:29:15 CST 2009


On Nov 6, 2009, at 7:46 AM, Stefan Fouant wrote:

> So if I'm hearing you correctly, you're saying that no matter how  
> much infrastructure you have to potentially absorb the problem,  
> there is nothing you can do because the bad guys are always going to  
> have more bandwidth at
> their disposal.

What I'm saying is that one can't simply rely on bandwidth capacity/ 
connection capacity/tps scaling/etc. on their own to always 'eat' the  
problem traffic; rather that there's a full spectrum of things one  
must do in order to be able to maintain availability in the face of  
attack, starting with fundamental architecture at layer-7 and moving  
down the model, taking special care to try and avoid design choices  
which lead to blocking behaviors and/or open up amplification vectors  
(some of these simply can't be avoided due to protocol semantics, of  
course).

I'm also saying that threats to availability aren't something one can  
always assume one will be able to handle alone; engaging with the  
larger opsec community is key.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

Sorry, sometimes I mistake your existential crises for technical
insights.

			-- xkcd #625





More information about the NANOG mailing list