Pros and Cons of Cloud Computing in dealing with DDoS
Roland Dobbins
rdobbins at arbor.net
Fri Nov 6 03:29:15 UTC 2009
On Nov 6, 2009, at 7:46 AM, Stefan Fouant wrote:
> So if I'm hearing you correctly, you're saying that no matter how
> much infrastructure you have to potentially absorb the problem,
> there is nothing you can do because the bad guys are always going to
> have more bandwidth at
> their disposal.
What I'm saying is that one can't simply rely on bandwidth capacity/
connection capacity/tps scaling/etc. on their own to always 'eat' the
problem traffic; rather that there's a full spectrum of things one
must do in order to be able to maintain availability in the face of
attack, starting with fundamental architecture at layer-7 and moving
down the model, taking special care to try and avoid design choices
which lead to blocking behaviors and/or open up amplification vectors
(some of these simply can't be avoided due to protocol semantics, of
course).
I'm also saying that threats to availability aren't something one can
always assume one will be able to handle alone; engaging with the
larger opsec community is key.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Sorry, sometimes I mistake your existential crises for technical
insights.
-- xkcd #625
More information about the NANOG
mailing list