RE: DDoS mitigation services from SPs

["Stefan Fouant" <sfouant () shortestpathfirst net>]

> -----Original Message-----
> From: William McCall [mailto:william.mccall () gmail com]
> Sent: Wednesday, April 28, 2010 10:09 AM
> To: nanog () nanog org
> Subject: DDoS mitigation services from SPs
>
> All:
>
> I did some searching and have not found any concrete replies on the
> list, but what carriers can offer L3 DDoS mitigation? Specifically, I
> noticed an old UUnet offering, but it seems like I must be speaking
> the wrong language to my sales drones. Specifically, we're dealing
> with AT&T, Qwest and Verizon Business. My thought is that they all
> offered some type of service like this, but my security folks have
> been driving this and having limited success.
>
> Names of other SPs (we're looking at Verisign) is helpful, but we are
> stuck with the Dallas area.
>
> Note: I am not interested in changing DNS records and prefixes should
> be able to be advertised through BGP like normal. (Apparently, people
> like to do funky DNS stuff to make this work and sometimes don't want
> to do BGP in other scenarios.)

Verizon Business and AT&T both have DDoS Detection & Mitigation Services
available, as do other providers such as Tata, Prolexic, and Verisign.
Providers like AT&T, Verizon, and Tata unfortunately do not sell services
off-net, so you'll need to have the sites you want protected connected to
their networks.  Similarly, these providers tend to put "all their eggs in
one basket" by using a singular technology for their service.  On the other
hand, providers like Prolexic and Verisign have very robust offerings
selling off-net and utilizing multiple vendors as they understand a
one-size-fits-all doesn't work.  I'd strongly advocate talking to the
Verisign folks as they really seem to be attracting all the top talent right
now - I'd be willing to bet their offering is the one that others will
eventually emulate.

Cheers,

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D