D/DoS mitigation hardware/software needed.

Stefan Fouant sfouant at shortestpathfirst.net
Tue Jan 5 05:27:45 UTC 2010

> -----Original Message-----
> From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
> Sent: Monday, January 04, 2010 11:41 PM
> The original poster seemed to be asking about appliance based
> solutions, so your pointed remarks about Roland aside he was actually
> answering the question. I wonder if Stefan Fouant would offer some of
> his experience with 'not arbor' vendor solutions to be used when other
> techniques come up short?

Interesting thread!  And I'm happy to chime in - thanks Chris!  I too would
have to strongly agree with Roland's comments about not front-ending your
mitigation solution with firewalls or load-balancers - these are precisely
the types of things which topple over first under a big attack, as such
having your mitigation devices behind them makes little sense.  If you must
use firewalls and/or LBs, put them behind the mitigation device, where the
traffic has already been scrubbed and your state tables won't be exhausted.
Having said that, if you've got a router capable of doing generic packet
filters upstream of your mitigation device, this is certainly a good place
to apply stateless filters which can pitch any traffic you are sure you will
never need to receive.  Flowspec and/or automated blackhole routing works
very well for this application when you want to get rid of certain types of
cruft, before it hits your mitigation device.

Now, on to the OPs original question regarding appliance based solutions, I
would say I am actually a firm believer in having multiple vendors in place
if you can afford it.  Arbor definitely has a corner on the market here,
with the most comprehensive solution which entails everything from detection
to mitigation and pretty much everything in between.  Arbor can also
automate the FlowSpec process and/or generate router ACLs for propagation to
upstream routers... They do a lot of other stuff as well such as
identification of BGP hijacking, DNS analysis, can automate a lot of the
RTBH or S/RTBH stuff.  Where Arbor generally suffers is with sophisticated
attack traffic which requires complex mitigations - these often require a
lot of tweaking in order to properly scrub the traffic... knowing your
environment and which attack vectors are likely to be exploited is your best
bet here, where you can configure mitigation templates in advance for rapid
deployment during an attack.

I've also worked with the RioRey devices and I have to say that although
they don't have all the bells and whistles that some of the other vendors
offer, their approach to mitigation is entirely unique and can genuinely
mitigate attacks in record-time.  Without disclosing too much of their
intellectual property, I will say that their algorithms essentially look at
the randomness and probability of address space distribution within the
attack traffic, and can generally offer a high degree of certainty of
scrubbing the majority of the bad traffic - and they do this WITHOUT having
to do DPI as many other vendors are currently doing.

Bottom line - if you're looking for something with a lot of bells and
whistles and the ability to monitor/detect/analyze/etc., you're probably
better off going with an Arbor solution.  If you have lower OpEx and just
want something that you can "set it and forget it", you'd be hard pressed
not to look at the RioRey.

Stefan Fouant, CISSP, JNCIE-M/T
GPG Key ID: 0xB5E3803D

More information about the NANOG mailing list