DDoS protection: Corero
nanogml at Mail.DDoS-Mitigator.net
Thu May 12 15:44:18 UTC 2016
On 05/12/16 at 01:21pm, Ragnar Sigurðsson Joensen wrote:
> Quick question. Is there anyone on this list using Corero for DDoS protection? If so I'd much appreciate an off-list review of it. Thanks in advance.
hummm ... just some generic comments when comparing "DDoS protection"
one DDoS solution is NOT necessarily a cost-effective mitigation
against all the various types of DDoS attacks
various types of attacks:
- tcp-based DDoS attacks on any port are best mitigated with
iptables + tarpits ( in-house appliance could handle up to 100gig/sec )
the attacking zombie bots should crash long before they can
affect your servers
( 100,000 ddos packet/sec * 2Kbyte/packet * 120sec tcp timeouts )
- udp-based DDoS attacks are best mitigated by confirming that
your DNS server/app, NTP server/app, SNMP server/app, NFS, X11,
etc, etc properly patched and hardened
your ISP will most likely have to be involved to mitigate
incoming UDP and ICMP based attacks using various methods
like flow analysis/collection/mediation, rtbh, bgp, etc
# if you like the idea of just 'drop the packet" or "limit it",
# then, it's too late as you have already received the DDoS packets
# and the damage is done ...
- volumetric attacks ( say over 10gigbit/s ) probably will
require various data-centers spread across the oceans
or use the cloud ...
- you will need a security policy ( infrastructure policy )
to define "legitimate traffic" and possibly incomign DDoS attacks
simple minded rule:
web servers should only run "apache/etc", all packets to the
65,534 ports are attacks
mail servers should only run "sendmail/etc", all packets to
the other 65,534 ports are attacks
- DDoS attacks consisting of silly spam, virii, worms should be
non-issues and imho, is easily mitigated w/ dozens of different
foss tools and "company/computer/infrastructure policy"
magic pixie dust
# http://DDoS-Mitigator.net ..... http://DDoS-Simulator.net ....
More information about the NANOG