Securing Border Routers

Ryan Shea ryanshea at google.com
Thu Jan 20 01:11:08 UTC 2011


A stateful firewall outside of your router may create a new bottleneck which
increases your risk of DoS. Making sure that you know (and document, and
test) how to effectively contact your service providers should you be
attacked would be a good idea. Find out if your service providers have BGP
communities for remote triggered black hole (document and test). A denial of
service will break the weakest link in the chain toward your services, so
make sure you have appropriate bandwidth, a reasonable server architecture,
and if you have money to burn consider a DDoS mitigation service.

-Ryan

On Wed, Jan 19, 2011 at 7:35 PM, Brandon Kim <brandon.kim at brandontek.com>wrote:

>
> Gents:
>
> What measures do you take to protect your border routers? Our routers are
> running BGP so I'm interested
> if there is any way to secure them without interfering with BGP? Is it
> normal to put a firewall in front of the
> border routers?
>
> I'm concerned about DDOS attacks mainly....although we haven't had any, I
> don't welcome them.....
>
> Brandon
>
>
>
>
>



More information about the NANOG mailing list