Re: D/DoS mitigation hardware/software needed.

[Jeffrey Lyon <jeffrey.lyon () blacklotus net>]

We have substantial direct experience with both RioRey and IntruGuard.
RR is more plug and play while IG is more robust but both are great.
Use a robust firewall such as a Netscreen in front of your mitigation
tool.

Best regards, Jeff


On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <nanog () shreddedmail com> wrote:
> Looking for D/DoS mitigation solutions.  I've seen Arbor Networks mentioned
> several times but they haven't been responsive to literature requests (hint,
> if anybody from Arbor is looking...).  Our current upstream is 3x GigE from
> 3 different providers, each landing on their own BGP endpoint feeding a
> route-reflector core.
>
> I see two possible solutions:
> - Netflow/sFlow/***Flow  feeding a BGP RTBH
> - Inline device
>
> Netflow can lag a bit in detection.  I'd be concerned that inline devices
> add an additional point of failure.  I'm worried about both failing-open
> (e.g. network outage) and false-positives.
>
> My current system is a home-grown NetFlow parser that spits out syslog to
> our NOC to investigate potential attacks and manually enter them into our
> RTBH.
>
>
> Any suggestions other than Arbor?  Any other mechanisms being used?  My idea
> is to quash the immediate problem and work additional mitigation with
> upstreams if needed.
>
> I could probably add some automation to my NetFlow/RTBH setup, but I still
> need to worry about false-positives. I'd rather somebody else do the hard
> work of finding the various edge-cases.
>
> Thanks,
> Rick



-- 
Jeffrey Lyon, Leadership Team
jeffrey.lyon () blacklotus net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Follow us on Twitter at http://twitter.com/ddosprotection to find out
about news, promotions, and (gasp!) system outages which are updated
in real time.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."