D/DoS mitigation hardware/software needed.

Rick Ernst nanog at shreddedmail.com
Tue Jan 5 09:55:03 CST 2010


I looked at one of the suggested out-sourced providers.  Based on a sample
size of 1, the mitigating mechanisms are DNS redirection and BGP/tunneling.

While both of these solutions may be useful for an end-user (even large
ones), I don't see them fitting in an SP environment.
"If something goes wrong, I want my own, local, big-red button."

Rick


On Tue, Jan 5, 2010 at 7:50 AM, Martin Hannigan <martin at theicelandguy.com>wrote:

>
>
> On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <nanog at shreddedmail.com> wrote:
>
>> Looking for D/DoS mitigation solutions.  I've seen Arbor Networks
>> mentioned
>> several times but they haven't been responsive to literature requests
>> (hint,
>> if anybody from Arbor is looking...).  Our current upstream is 3x GigE
>> from
>> 3 different providers, each landing on their own BGP endpoint feeding a
>> route-reflector core.
>>
>> I see two possible solutions:
>> - Netflow/sFlow/***Flow  feeding a BGP RTBH
>> - Inline device
>>
>>
>
>      - Outsource to service provider
>
>
> Netflow can lag a bit in detection.  I'd be concerned that inline devices
>> add an additional point of failure.  I'm worried about both failing-open
>> (e.g. network outage) and false-positives.
>>
>
> How often are you getting DDoS'd?
>
> The financials of using a managed service provider vs.
> buy-all-your-own-grrovy-stuff can be fairly compelling especially if the
> amount of DDoS you experience is almost nil.
>
> Re: Arbor. I don't have any recent experience, but they've been around for
> a long time, have a very experienced team that understands ISP and
> enterprise and the product is mature. Hard to go wrong if you can justify
> the costs. YMMV.
>
> Best,
>
> -M<
>
>
> --
> Martin Hannigan                               martin at theicelandguy.com
> p: +16178216079
> Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
>
>



More information about the NANOG mailing list