DDOS solution recommendation

Paul S. contact at winterei.se
Sun Jan 11 05:03:06 UTC 2015

Seeing a lot of SSDP too, but attacks on scales that large have been 
rare (at least for us).

Have however seen a few 40+ ones, yeah.

I suppose it all comes down to how much you actually /need/ to stand up 
against. For enterprises that can't afford to go down, yeah... :(

On 1/11/2015 01:50 PM, Ammar Zuberi wrote:
> I'd beg to differ on this one. The average attacks we're seeing are double that, around the 30-40g mark. Since NTP and SSDP amplification began, we've been seeing all kinds of large attacks.
> Obviously, these can easily be blocked upstream to your network. Hibernia Networks blocks them for us.
> Ammar
>> On 11 Jan 2015, at 8:37 am, Paul S. <contact at winterei.se> wrote:
>> While it indeed is true that attacks up to 600 gbit/s (If OVH and CloudFlare's data is to be believed) have been known to happen in the wild, it's very unlikely that you need to mitigate anything close.
>> The average attack is usually around the 10g mark (That too barely) -- so even solutions that service up to 20g work alright.
>> Obviously, concerns are different if you're an enterprise that's a DDoS magnet -- but for general service providers selling 'protected services,' food for thought.
>>> On 1/11/2015 12:48 PM, Damian Menscher wrote:
>>>> On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín <mmg at transtelco.net> wrote:
>>>> I was wondering what are you using for DDOS protection in your networks. We
>>>> are currently evaluating different options (Arbor, Radware, NSFocus,
>>>> RioRey) and I would like to know if someone is using the cloud based
>>>> solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
>>>> advantages/disadvantages of using a cloud based vs an on-premise solution.
>>>> It would be great if you can share your experience on this matter.
>>> On-premise solutions are limited by your own bandwidth.  Attacks have been
>>> publicly reported at 400Gbps, and are rumored to be even larger.  If you
>>> don't have that much network to spare, then packet loss will occur upstream
>>> of your mitigation.  Having a good relationship with your network
>>> provider(s) can help here, of course.
>>> If you go with a cloud-based solution, be wary of their SLA.  I've seen
>>> some claim 100% uptime (not believable) but of course no refund/credits for
>>> downtime.  Another provider only provides 20Gbps protection, then will
>>> null-route the victim.
>>>> On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble <charles at thefnf.org> wrote:
>>>> Also how are folks testing ddos protection? What lab gear, tools, methods
>>>> are you using to determine effectiveness of the mitigation.
>>> Live-fire is the cheapest approach (just requires some creative trolling)
>>> but if you want to control the "off" button, cloud VMs can be tailored to
>>> your needs.  There are also legitimate companies that do network stress
>>> testing.
>>> Keep in mind that you need to test against a variety of attacks, against
>>> all components in the critical path.  Attackers aren't particularly
>>> methodical, but will still randomly discover any weaknesses you've
>>> overlooked.
>>> Damian
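
An added example, not code from any poster in this thread: a small Python check over constructed flow records that separates NTP (UDP/123) and SSDP (UDP/1900) reflected traffic per destination, computes its rate in Gbps, and flags destinations whose reflected load alone exceeds a local scrubbing capacity such as the 20 Gbps figure mentioned above. The flow tuples, addresses, byte counts and thresholds are all constructed for illustration.

```python
"""Flag NTP/SSDP reflection traffic in sampled flow records and compare its
aggregate rate with local mitigation capacity (constructed example)."""
from collections import defaultdict

# UDP source ports used by the reflector types mentioned in the thread.
REFLECTOR_PORTS = {123: "ntp", 1900: "ssdp"}

# Constructed flow records for a one-second window, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    ("198.51.100.7", 123, "203.0.113.10", 54321, "udp", 2_200_000_000, 4_000_000),
    ("198.51.100.8", 123, "203.0.113.10", 41000, "udp", 1_800_000_000, 3_500_000),
    ("192.0.2.9", 1900, "203.0.113.10", 50000, "udp", 900_000_000, 3_000_000),
    ("192.0.2.44", 443, "203.0.113.10", 52222, "tcp", 150_000, 200),
    ("192.0.2.45", 123, "203.0.113.11", 123, "udp", 48, 1),  # ordinary NTP reply
]


def classify_reflection(flows, window_s=1.0, min_bytes_per_pkt=200):
    """Return {dst_ip: {vector: gbps}} for flows that look like amplification.

    A flow is counted when it is UDP, sourced from a known reflector port, and
    its average packet size is large (amplified replies rather than the small
    packets of normal NTP/SSDP exchanges).
    """
    per_dst = defaultdict(lambda: defaultdict(float))
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS or pkts == 0:
            continue
        if nbytes / pkts < min_bytes_per_pkt:
            continue  # small packets: benign NTP/SSDP, not amplified replies
        gbps = nbytes * 8 / window_s / 1e9
        per_dst[dst][REFLECTOR_PORTS[sport]] += gbps
    return {dst: dict(vectors) for dst, vectors in per_dst.items()}


def needs_upstream_mitigation(reflection, capacity_gbps):
    """Destinations whose reflected traffic exceeds local scrubbing capacity."""
    return {dst: round(sum(v.values()), 2) for dst, v in reflection.items()
            if sum(v.values()) > capacity_gbps}


if __name__ == "__main__":
    seen = classify_reflection(SAMPLE_FLOWS)
    print(seen)
    print(needs_upstream_mitigation(seen, capacity_gbps=20))
```

With the constructed flows, the victim 203.0.113.10 receives about 32 Gbps of NTP and 7.2 Gbps of SSDP reflection, so a 20 Gbps on-premise appliance would be saturated and upstream filtering would be required.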