D/DoS mitigation hardware/software needed.

Stefan Fouant sfouant at shortestpathfirst.net
Tue Jan 5 05:34:34 UTC 2010

> -----Original Message-----
> From: Rick Ernst [mailto:nanog at shreddedmail.com]
> Sent: Tuesday, January 05, 2010 12:19 AM
> I'd argue just the opposite.  If your monitoring/mitigation system
> changes
> dependent on the situation (normal vs under attack), you are adding
> complexity to the system.  "What mode is the system in right now? Is
> this
> customer having connectivity issues because of a state change in the
> network? etc."

Almost all of the scalable DDoS mitigation architectures deployed in
carriers or other large enterprises employ the use of an offramp method.
These devices perform a lot better when you can forward just the subset of
the traffic through as opposed to all.  It just a simple matter of using
static routing / RTBH techniques / etc. to automate the offramp.

Stefan Fouant, CISSP, JNCIE-M/T
GPG Key ID: 0xB5E3803D

More information about the NANOG mailing list