D/DoS mitigation hardware/software needed.
sfouant at shortestpathfirst.net
Tue Jan 5 05:34:34 UTC 2010
> -----Original Message-----
> From: Rick Ernst [mailto:nanog at shreddedmail.com]
> Sent: Tuesday, January 05, 2010 12:19 AM
> I'd argue just the opposite. If your monitoring/mitigation system
> dependent on the situation (normal vs under attack), you are adding
> complexity to the system. "What mode is the system in right now? Is
> customer having connectivity issues because of a state change in the
> network? etc."
Almost all of the scalable DDoS mitigation architectures deployed in
carriers or other large enterprises employ the use of an offramp method.
These devices perform a lot better when you can forward just the subset of
the traffic through as opposed to all. It just a simple matter of using
static routing / RTBH techniques / etc. to automate the offramp.
Stefan Fouant, CISSP, JNCIE-M/T
GPG Key ID: 0xB5E3803D
More information about the NANOG