nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DDOS solution recommendation

From: Ammar Zuberi <ammar () fastreturn net>
Date: Sun, 11 Jan 2015 10:30:22 +0400
You'd notice that most people don't really know how big the attack that they're sending is. I've done a lot of research 
into how these attacks actually work and most of them are done by kids who don't really know what they're doing.

To them an attack is something that will take their target down (usually a home connection or a game server). If this 
doesn't happen, they fire off complaints to the person that runs the DDoS service.

Its a whole industry out there, and they're generally far ahead of us.

Ammar


On 11 Jan 2015, at 9:43 am, Damian Menscher <damian () google com> wrote:


On Sat, Jan 10, 2015 at 8:37 PM, Paul S. <contact () winterei se> wrote:

While it indeed is true that attacks up to 600 gbit/s (If OVH and
CloudFlare's data is to be believed) have been known to happen in the wild,
it's very unlikely that you need to mitigate anything close.


Agree that trusting others' numbers is unwise (there's a bias to inflate
sizes), but from personal experience I can say that their claims are
plausible.

The average attack is usually around the 10g mark (That too barely) -- so

even solutions that service up to 20g work alright.


I'm not sure how to compute an "average" -- I generally just track the
maximums.  I suspect some reports of 10Gbps attacks are simply that the
attack saturated the victim's link, and they were unable to measure the
true size.  (I agree there are many actual 10Gbps attacks also, of course
-- attackers know this size will usually work, so they don't waste
resources.)

Obviously, concerns are different if you're an enterprise that's a DDoS

magnet -- but for general service providers selling 'protected services,'
food for thought.



Even if you're just a hosting provider, your customers may be DDoS
magnets.  Coincidentally, at the time you pressed "send", we were seeing a
40Gbps attack targeting a customer.

Damian


On 1/11/2015 午後 12:48, Damian Menscher wrote:


On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín <mmg () transtelco net> wrote:

I was wondering what are are using for DDOS protection in your networks.

We
are currently evaluating different options (Arbor, Radware, NSFocus,
RioRey) and I would like to know if someone is using the cloud based
solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
advantages/disadvantages of using a cloud base vs an on-premise solution.
It would be great if you can share your experience on this matter.

On-premise solutions are limited by your own bandwidth.  Attacks have

been
publicly reported at 400Gbps, and are rumored to be even larger.  If you
don't have that much network to spare, then packet loss will occur
upstream
of your mitigation.  Having a good relationship with your network
provider(s) can help here, of course.

If you go with a cloud-based solution, be wary of their SLA.  I've seen
some claim 100% uptime (not believable) but of course no refund/credits
for
downtime.  Another provider only provides 20Gbps protection, then will
null-route the victim.

On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble <charles () thefnf org>
wrote:

Also how are folks testing ddos protection? What lab gear,tools,methods

are you using to determine effectiveness of the mitigation.


Live-fire is the cheapest approach (just requires some creative trolling)
but if you want to control the "off" button, cloud VMs can be tailored to
your needs.  There are also legitimate companies that do network stress
testing.

Keep in mind that you need to test against a variety of attacks, against
all components in the critical path.  Attackers aren't particularly
methodical, but will still randomly discover any weaknesses you've
overlooked.

Damian
Previous By Date Next
Previous By Thread Next

Current thread: