Solutions for DoS & DDoS
Christopher Morrow
morrowc.lists at gmail.com
Mon Dec 10 14:47:58 UTC 2012
On Mon, Dec 10, 2012 at 9:33 AM, Ameen Pishdadi <apishdadi at gmail.com> wrote:
> Sounds like an advertisement to me
In the end there are few actual options (in general):
1) do it yourself
2) have your carrier do it for you
3) have a third party do it for you
There are cost and capability considerations with all of these, basically:
1:
- you'll need more pipe - absorb all that can arrive, can you
handle an extra 100gbps of traffic? (or less, you could reasonably
build out for X gbps and just die under Y if the cost is unacceptably
large to absorb Y)
- more people-smarts - understand what is/isn't an attack,
understand peering, transit, costs, complexities, mitigation
techniques and costs involved.
- more equipment - mitigation gear (cisco guard, arbor tms, radware...etc)
2:
- monthly (most times) cost for 'insurance', imagine paying an
uplift on your current bandwidth costs, for mitigation services,
pre-prepared, so all you need to is 'initiate mitigation' inside the
carrier's network.
- people-cost in training to 'make the mitigation happen' (done
right at the carrier this is nothing more than a bgp update from
you...)
3:
- monthly (or one-time) cost, you may be able to initiate it
one-time and walk away, with the attendant costs in management of
adhoc contracts/etc.
- routing changes (do you control at least the /24 around the
resource you need to mitigate?)
- tunneling complexity to return to you the 'clean' traffic
- dns shennigans for those ddos-mitigation folks who don't do
routing change, or prefer DNS ones.
pick what works for you... or your charity org.
-chris
More information about the NANOG
mailing list