Solutions for DoS & DDoS

Christopher Morrow morrowc.lists at gmail.com
Mon Dec 10 14:47:58 UTC 2012


On Mon, Dec 10, 2012 at 9:33 AM, Ameen Pishdadi <apishdadi at gmail.com> wrote:
> Sounds like an advertisement to me

In the end there are few actual options (in general):
  1) do it yourself
  2) have your carrier do it for you
  3) have a third party do it for you

There are cost and capability considerations with all of these, basically:
  1:
    - you'll need more pipe - absorb all that can arrive, can you
handle an extra 100gbps of traffic? (or less, you could reasonably
build out for X gbps and just die under Y if the cost is unacceptably
large to absorb Y)
    - more people-smarts - understand what is/isn't an attack,
understand peering, transit, costs, complexities, mitigation
techniques and costs involved.
    - more equipment - mitigation gear (cisco guard, arbor tms, radware...etc)

  2:
  - monthly (most times) cost for 'insurance', imagine paying an
uplift on your current bandwidth costs, for mitigation services,
pre-prepared, so all you need to do is 'initiate mitigation' inside the
carrier's network.
  - people-cost in training to 'make the mitigation happen' (done
right at the carrier this is nothing more than a bgp update from
you...)

  3:
  - monthly (or one-time) cost, you may be able to initiate it
one-time and walk away, with the attendant costs in management of
ad hoc contracts/etc.
  - routing changes (do you control at least the /24 around the
resource you need to mitigate?)
  - tunneling complexity to return to you the 'clean' traffic
  - dns shenanigans for those ddos-mitigation folks who don't do
routing change, or prefer DNS ones.

pick what works for you... or your charity org.

-chris


