D/DoS mitigation hardware/software needed.

Christopher Morrow morrowc.lists at gmail.com
Mon Jan 4 22:41:22 CST 2010


On Mon, Jan 4, 2010 at 11:20 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:
>
> On Jan 5, 2010, at 11:05 AM, Jeffrey Lyon wrote:
>
>> I'm sure Arbor is really neat but I disagree that any DDoS appliance is a standalone solution.
>
> I disagree with this proposition, too.
>
> S/RTBH and/or flow-spec are great DDoS mitigation tools which don't require any further investment beyond the network infrastructure an operator has already purchased and deployed.  These should be the first mitigation tools anyone deploys; in many cases, they're all that's needed.

Is it fair to say that most folks in this thread believe there is not
'one size fits all', and that there are quite a few tools available in
the security/networking toolbox? Some of these are outlined in past
nanog tutorials:
<http://www.nanog.org/meetings/nanog23/presentations/greene.pdf>
<http://www.nanog.org/meetings/nanog26/presentations/ispsecure.pdf>
<http://www.nanog.org/meetings/nanog28/presentations/sink.pdf>
<http://www.nanog.org/meetings/nanog36/presentations/greene.ppt>

Sorry to pick on Barry here, but he's got a few presos up from past
NANOGs that cover this topic pretty well. All of them talk about a
set of tools a network operator should be familiar with, with
escalating costs (dollars and packet-loss/collateral damage), and some
cut/pasteable configlets even.

>> I don't expect an employee of the vendor themselves to attest to this though.
>
> Wrong again.

eh, roland's always happy to bash on employers :) but, he's got some
solid standing on this set of points. Again, if you know what you're
doing then feel free to go off and do it, but at first blush there are
LOTS of people putting 'servers' out on the 'public network' behind
devices woefully prepared to deal with 'real world traffic demands',
so instead of making the same mistake, perhaps learning from some
experience would be in order?

The original poster seemed to be asking about appliance based
solutions, so your pointed remarks about Roland aside he was actually
answering the question. I wonder if Stefan Fouant would offer some of
his experience with 'not arbor' vendor solutions to be used when other
techniques come up short?

(note I think Roland may have been party to some of the presentations I
linked in this... I certainly was for one of them at least, in case
that matters.)

-Chris

> ;>
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
>
>
>
>
>
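The S/RTBH "cut/pasteable configlet" that Roland's reply and the linked NANOG slides refer to, written out here as an added example; this is not text from either post nor from the tutorials, and the AS number, addresses, community value and interface name are all assumptions chosen for illustration. The trigger router injects a static route for the attack source into iBGP with the next hop rewritten to an unused /32 that every edge router resolves to Null0; loose-mode uRPF on the edges then drops packets whose source address points at that discard route.

```text
! ===== Trigger router (a small box inside the AS that speaks iBGP) =====
! Assumed: AS 65000, 192.0.2.1 as the never-routed "discard" next hop,
! community 65000:666 as the blackhole marker. Added example, not from the post.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
! Only statics tagged 666 are exported, with the next hop rewritten to the
! discard address and no-export so the blackhole never leaks to peers.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set community 65000:666 no-export
 set local-preference 200
 set origin igp
route-map RTBH-TRIGGER deny 20
!
! To blackhole traffic FROM attack source 198.51.100.7 (assumed address), add:
ip route 198.51.100.7 255.255.255.255 Null0 tag 666
! Removing that static withdraws the route and lifts the blackhole everywhere.

! ===== Every edge / peering router (iBGP client of the trigger) =====
! Same discard route, so any prefix learned with next hop 192.0.2.1
! resolves to Null0 in the FIB.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on external interfaces: a packet whose SOURCE address
! resolves to a Null0 route fails the check and is dropped on input.
! This is the "S" in S/RTBH; without uRPF the same announcement only
! drops traffic TO the prefix (destination-based RTBH).
interface GigabitEthernet0/1
 description transit / peering
 ip verify unicast source reachable-via any
!
! Belt and braces: never accept the blackhole community from an eBGP peer,
! otherwise a neighbour could blackhole sources inside your network.
ip community-list standard RTBH permit 65000:666
route-map PEER-IN deny 5
 match community RTBH
route-map PEER-IN permit 10
```

Two checks worth doing before relying on this: confirm with `show ip route 192.0.2.1` on each edge that the discard next hop is actually installed (a missing static there turns the blackhole into a silent no-op), and remember where this sits on the cost curve Chris mentions. A source blackhole drops every packet from that address on every edge for as long as the static exists, which is cheap and fast for a handful of real sources but useless against spoofed floods; those are where flow-spec (match on ports, lengths, flags) or an appliance earn their keep.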
More information about the NANOG mailing list