DDoS protection: Corero

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Thu May 12 15:44:18 UTC 2016


On 05/12/16 at 01:21pm, Ragnar Sigurðsson Joensen wrote:
> Quick question. Is there anyone on this list using Corero for DDoS protection? If so I'd much appreciate an off-list review of it. Thanks in advance.

hummm ... just some generic comments when comparing "DDoS protection"

one DDoS solution is NOT necessarily a cost-effective mitigation
against all the various types of DDoS attacks

various types of attacks:

   - tcp-based DDoS attacks on any port are best mitigated with 
   iptables + tarpits ( in-house appliance could handle up to 100gig/sec )

   the attacking zombie bots should crash long before they can 
   affect your servers
   ( 100,000 ddos packet/sec * 2Kbyte/packet * 120sec tcp timeouts )

   - udp-based DDoS attacks are best mitigated by confirming that
   your DNS server/app, NTP server/app, SNMP server/app, NFS, X11,
   etc, etc properly patched and hardened

   your ISP will most likely have to be involved to mitigate
   incoming UDP and ICMP based attacks using various methods
   like flow analysis/collection/mediation, rtbh, bgp, etc

#  if you like the idea of just 'drop the packet" or "limit it",
#  then, it's too late as you have already received the DDoS packets
#  and the damage is done ...

   - volumetric attacks ( say over 10gigbit/s ) probably will 
  require various data-centers spread across the oceans
  or use the cloud ...

   - you will need a security policy ( infrastructure policy ) 
   to define "legitimate traffic" and possibly incomign DDoS attacks

   simple minded rule:

	web servers should only run "apache/etc", all packets to the
	65,534 ports are attacks

	mail servers should only run "sendmail/etc", all packets to 
	the other 65,534 ports are attacks

  - DDoS attacks consisting of silly spam, virii, worms should be 
  non-issues and imho, is easily mitigated w/ dozens of different 
  foss tools and "company/computer/infrastructure policy"

magic pixie dust
# http://DDoS-Mitigator.net ..... http://DDoS-Simulator.net ....

More information about the NANOG mailing list