DDoS Mitigation

Tin, James jtin at akamai.com
Wed Nov 4 22:12:43 UTC 2015

This is my first post to Nanog. So please don't flame me down ;)

Hi Mario.

Typically the cost of Ddos mitigation is charged on the amount of clean traffic inbound to your network, the number of protected /24 ranges you need protected and the number of datacentres you want to protect.

Ideally the Ddos mitigation solution should block attacks as close as possible to the source of the attack. One good way of doing this is by leveraging anycast from multiple scrubbing centres and ensure there is enough backbone bandwidth between each scrubbing centre to deliver clean traffic.

Blocking it at your upstream transit provider may be too late for significant attacks as any service provider between you and the source could black hole the traffic before it gets to your peers. This results in legitimate traffic not being able to reach your network.

Paras is correct, attacks could be on any port and often multivector and change within an attack campaign if attackers see one vector is not effective. So each attack really needs to be dealt with dynamically to ensure there are no false positives (something is blocked when it shouldn't be)

Unfortunately it is very simple to intimate a Ddos attack, but the cost of mitigation is very high. So the solution you choose really depends on the monetary cost of the outages, clients you have and whether the cost can be amortised over your client base.

I have seen service providers offer premium hosting services which have Ddos mitigation, using separate infrastructure and links to their normal customers. This reduces the cost of mitigation while also containing the risks and the collateral damage.

There are also different Ddos mitigation solutions depending on the service protocols your are offering. Ie web traffic could be mitigated with cdn vs all protocols and ports with BGP via a scrubbing centre.

Sent from my iPhone
James Tin
Enterprise Security Architect APJ
Join the Conversation.
Log on to Akamai Community.     [http://www.akamai.com/images/img/community-icon-large.png] <https://community.akamai.com/>


Office: +<tel:+1.617.444.1234>61 9008 4906
Cell: +<tel:+1.617.444.1234>61 466 961 555
        Akamai Technologies
Level 7, 76 Berry St
North Sydney, NSW 2071

Connect with Us:        [http://www.akamai.com/images/img/akamai-community-icon.jpg] <https://community.akamai.com/>  [http://www.akamai.com/graphics/misc/rs_icon_small.png] <http://blogs.akamai.com/>  [http://www.akamai.com/graphics/misc/tw_icon_small.png] <https://twitter.com/akamai>  [http://www.akamai.com/graphics/misc/fb_icon_small.png] <http://www.facebook.com/AkamaiTechnologies>  [http://www.akamai.com/graphics/misc/in_icon_small.png] <http://www.linkedin.com/company/akamai-technologies>  [http://www.akamai.com/graphics/misc/yt_icon_small.png] <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

On 5 Nov 2015, at 05:13, Paras <paras at protrafsolutions.com<mailto:paras at protrafsolutions.com>> wrote:


Just blocking port 19 won't cut it, as we often see Chargen attacks that run on nonstandard ports as well


On 11/4/2015 12:33 PM, Mario Eirea wrote:
Hello everyone,

Looking to find out how the pricing model works for DDoS mitigation and what to expect as far as ballpark pricing from my ISP. Some background, we are getting hit with a chargen attack that comes and goes and is saturating our 500mb connection. Tried hitting up the ISP for UDP block on 19 but they want us to go through our rep, in the process making this go on longer that is necessary. Any feedback would be appreciated.



More information about the NANOG mailing list