Outsourcing DDOS

Andreas Echavez andreas at livejournalinc.com
Mon Oct 24 22:46:55 UTC 2011

Having used some of the largest solutions, I do disagree.

After quickly searching google for Verisign, I could find a few documents
that claim they have ~350Gb of capacity. On Prolexic's website, they claim
to have the largest <http://www.prolexic.com/why-prolexic/index.html> total
mitigation capacity at 375Gb.

Now if you're talking about upstream providers (ATT/Verizon), even if your
upstream mitigates the traffic, do you really N+1 redundancy during an
attack? Do the providers have an SLA guaranteeing mitigation within a
certain timeframe? Finally, and most importantly to us, was how much do they
charge per attack, or if it a flat "insurance" type agreement where they
block unlimited attacks.

Total capacity certainly isn't the most important factor, but a sane pricing
policy certainly was.


On Mon, Oct 24, 2011 at 12:29 PM, Stefan Fouant <
sfouant at shortestpathfirst.net> wrote:

> On 10/24/2011 1:54 PM, Andreas Echavez wrote:
>  obviously they will get blocked. My personal experience is that when
>> you're
>> dealing with a DoS at the scale that you need Prolexic, there is simply no
>> one else that can handle that level of traffic.
> Andreas,
> I think there are a lot of people on this list that would argue with that
> statement.  As was mentioned earlier, AT&T, Verizon, and several others
> including Verisign have very ample networks capable of handling attacks just
> as large as Prolexic, if not bigger.
> One thing to note about Prolexic, where it stands out from some of the
> others is that it is a completely off-net solution.  Many of the other
> offerings from folks like Verizon require you to have WAN circuits connected
> to their network in order to avail of such a service (in other words, they
> will only scrub that which would normally traverse their network on it's way
> towards your WAN interface).
> Others like Verisign have (smartly) adopted a similar model to that of
> Prolexic.  They understand that requiring a physical connection into a
> provider's cloud is a monolithic approach (and certainly runs counter to
> today's mantra of offering up cloud-based services).
> Stefan Fouant
> Technical Trainer, Juniper Networks
> Follow us on Twitter @JuniperEducate

More information about the NANOG mailing list