D/DoS mitigation hardware/software needed.

Raj Singh raj.singh at demandmedia.com
Mon Jan 4 15:45:36 CST 2010


Rick,

If you pass me your contact info I can forward it to our Arbor Sales guy who can get in touch with you. I been pretty impressed by Arbor so far.


Thanks,
Raj Singh   


-----Original Message-----
From: Rick Ernst [mailto:nanog at shreddedmail.com] 
Sent: Monday, January 04, 2010 1:20 PM
To: NANOG
Subject: D/DoS mitigation hardware/software needed.

Looking for D/DoS mitigation solutions.  I've seen Arbor Networks mentioned
several times but they haven't been responsive to literature requests (hint,
if anybody from Arbor is looking...).  Our current upstream is 3x GigE from
3 different providers, each landing on their own BGP endpoint feeding a
route-reflector core.

I see two possible solutions:
- Netflow/sFlow/***Flow  feeding a BGP RTBH
- Inline device

Netflow can lag a bit in detection.  I'd be concerned that inline devices
add an additional point of failure.  I'm worried about both failing-open
(e.g. network outage) and false-positives.

My current system is a home-grown NetFlow parser that spits out syslog to
our NOC to investigate potential attacks and manually enter them into our
RTBH.


Any suggestions other than Arbor?  Any other mechanisms being used?  My idea
is to quash the immediate problem and work additional mitigation with
upstreams if needed.

I could probably add some automation to my NetFlow/RTBH setup, but I still
need to worry about false-positives. I'd rather somebody else do the hard
work of finding the various edge-cases.

Thanks,
Rick




More information about the NANOG mailing list