D/DoS mitigation hardware/software needed.
nanog at shreddedmail.com
Tue Jan 5 15:55:03 UTC 2010
I looked at one of the suggested out-sourced providers. Based on a sample
size of 1, the mitigating mechanisms are DNS redirection and BGP/tunneling.
While both of these solutions may be useful for an end-user (even large
ones), I don't see them fitting in an SP environment.
"If something goes wrong, I want my own, local, big-red button."
On Tue, Jan 5, 2010 at 7:50 AM, Martin Hannigan <martin at theicelandguy.com> wrote:
> On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <nanog at shreddedmail.com> wrote:
>> Looking for D/DoS mitigation solutions. I've seen Arbor Networks
>> several times but they haven't been responsive to literature requests
>> (if anybody from Arbor is looking...). Our current upstream is 3x GigE
>> 3 different providers, each landing on their own BGP endpoint feeding a
>> route-reflector core.
>> I see two possible solutions:
>> - Netflow/sFlow/***Flow feeding a BGP RTBH
>> - Inline device
> - Outsource to service provider
>> Netflow can lag a bit in detection. I'd be concerned that inline devices
>> add an additional point of failure. I'm worried about both failing-open
>> (e.g. network outage) and false-positives.
> How often are you getting DDoS'd?
> The financials of using a managed service provider vs.
> buy-all-your-own-groovy-stuff can be fairly compelling especially if the
> amount of DDoS you experience is almost nil.
> Re: Arbor. I don't have any recent experience, but they've been around for
> a long time, have a very experienced team that understands ISP and
> enterprise and the product is mature. Hard to go wrong if you can justify
> the costs. YMMV.
> Martin Hannigan martin at theicelandguy.com
> p: +16178216079
> Power, Network, and Costs Consulting for Iceland Datacenters and Occupants