Experience on Wanguard for 'anti' DDOS solutions

Mike Hammett nanog at ics-il.net
Wed Jul 6 12:42:14 UTC 2016


(I debated starting a new thread, only to have someone point me to previous ones vs. replying to an old post. I thought the latter was less offensive.) 

Did you find anything else near the price range that didn't have these deficiencies? 
As an eyeball network, would I have much to worry about regarding non-layer3/4 attacks? 
"Considering how easy it is to block layer 3/4 attacks on your own, their filtering clusters don't offer much value." I am aware of manual ACLs, but are there other automated methods (near this price range) to handle the 3/4 attacks? 
"it runs out of memory quickly" How much memory are we talking here? Reasonable to mitigate that downside by just stuffing more RAM in the box? 
----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Richard Hesse" <richard.hesse at weebly.com> 
To: "NANOG Mailing List" <nanog at nanog.org> 
Sent: Friday, August 28, 2015 1:23:01 PM 
Subject: Re: Experience on Wanguard for 'anti' DDOS solutions 

We've tried their products off and on for the past 3-4 years. Here are 
my impressions: 

* UI stuck in 1999. Can't click zoom, drill down, etc. 
* Inflexible UI. Want a bandwidth graph with only egress or ingress? Too bad. 
* Inexpensive. I don't like that it's licensed yearly, but it's not 
too much money. 
* Inaccurate flow processing. Do you have iBGP peering sessions 
between border routers? WANGuard will struggle mightily to correctly 
classify the traffic as internal or external. 
* Yes, it runs out of memory quickly during a spoofed SYN flood with 
many sources. This is due to setting the Top generator to Full. If you 
just want to mitigate and not have any insight into network data, set 
this to Extended and you'll be fine. But if you want to use 
WANGuard/WANSight as a network intelligence tool as well, you need to 
set the generator to Full and it will fall over. 
* Doesn't process IPFIX flow data properly. There's an old thread on 
the j-nsp list about this. Basically their support claims Juniper is 
broken (which I don't doubt) but then refuses to work around the 
issue. None of our other flow processing tools have these problems. 
* Support is responsive at times and is always cranky. I brought them 
two bona fide bugs in their product that they refused to admit. It got 
to the point where I asked for my money back and I think someone in 
sales lit up their support team. I get the feeling that the support 
team is staffed with employees who really don't like their job or 
working with customers. A bad combination. 
* The TAP generators with Myricom cards work well. The docs say you 
can use SolarFlare for TAPs but they don't work at all. Again, they 
blame SolarFlare and say that the cards are too complicated... but 
fail to update their documentation saying this. 
* Doesn't support any kind of layer 7 detection or filtering. It's all 
very rudimentary layer 3-4 stuff. Considering how easy it is to block 
layer 3/4 attacks on your own, their filtering clusters don't offer 
much value. 
* No real scale out solution on the detection side. It's basically 
scale up your server or use clunky tech like NFS to share out 
directories across managers. 
* Works well enough to get you a rough idea of what's going on. It's 
also decently cheap. 

We use it as one part of our attack detection toolset. We don't use it 
for on-site attack mitigation. I'd recommend it if you don't want to 
use flow data and only want to use it for intelligence on TAP ports. 

-richard 

On Mon, Aug 10, 2015 at 6:58 AM, Marcel Duregards 
<marcel.duregards at yahoo.fr> wrote: 
> Dear Nogers, 
> We are currently evaluating some DDOS detection/mitigation solutions. 
> Do you have any inputs/experiences on Wanguard from Andrisoft, please? https://www.andrisoft.com/software/wanguard 
> Currently we are just interested on the packets/flows sensors with the console for detection and RTBH trigger. Maybe the packet filtering (for scrubbing) will come later. 
> Best Regards, 
> -Marcel Duregards 
> 
> 
> 