Re: ddos attacks

[email protected] dennis at
Thu Dec 19 21:05:10 UTC 2013

I have to disagree with the scaling as I've personally deployed both Arbor and Radware in carrier and MSSP environments, including tier 1, CLEC and cable operators.  Deployment models vary from infrastructure protection to scrubbing center and top of rack solutions.  Happy to discuss with you further offlist.



Sent from my Sprint phone.

----- Reply message -----
From: "Eugeniu Patrascu" <eugen at>
To: "dennis at" <dennis at>
Cc: <fergdawgster at>, "NANOG list" <nanog at>
Subject: ddos attacks
Date: Thu, Dec 19, 2013 3:51 PM

On Thu, Dec 19, 2013 at 10:30 PM, dennis at <dennis at> wrote:

Just about every security, network and ADC vendor out there is claiming anti-dos capabilities.  Be careful when going that route and do your own validation.  I suggest looking at Radware and Arbor (both leaders in the market). To successfully mitigate an attack the ideal solutions will weed out the attack and allow legitimate traffic to continue.  Many of the solutions in the commercial market are not much more than rate limiters and are not very forgiving.  Just as important realize while spoofed udp floods are popular they are oftened only the first vector, if successfully mitigated attackers quickly adjust and follow with more complex vectors such as application attacks toward http, ssl, dns query floods, etc.. Remember their goal is to bring you down, , divert your attention while they steal your data or perhaps transfer funds.  They will go to far lengths to achieve their end result.  As you can imagine it's much harder to identify the attack characteristics or for that matter the attacker in these more complex cases.  In summary, I'm a firm believer in a hybrid approach with combination of infrastructure acls, rtbh, qos, URPF, tcp stack hardening, local anti-ddos appliances for application attacks and network floods under link capacity to allow you to stay up while deciding to shift routes into cloud band ability to swing up stream to cloud scrubbing center (in house or third party).

I know a bit about Radware, and what they do is to learn a traffic pattern from where traffic usually comes and when in case of exceeding a certain threshold, they start dropping traffic from new sources never seen before and then drop some seen before traffic. This works if you are a company with a very localized visitor base (like banking site for certain national or local bank, e-shop and so on) but it kind of doesn't scale that much when it comes to we have people all over the place and we get DDoS-ed with legitimate requests that only consume server resources.

What providers do in some regions is to blackhole your subnet if you reach a certain number of packets per second. It sucks, but hey, they also have infrastructure to protect.


More information about the NANOG mailing list