Re: D/DoS mitigation hardware/software needed.

[Rick Ernst <nanog () shreddedmail com>]

I looked at one of the suggested out-sourced providers.  Based on a sample
size of 1, the mitigating mechanisms are DNS redirection and BGP/tunneling.

While both of these solutions may be useful for an end-user (even large
ones), I don't see them fitting in an SP environment.
"If something goes wrong, I want my own, local, big-red button."

Rick


On Tue, Jan 5, 2010 at 7:50 AM, Martin Hannigan <martin () theicelandguy com>wrote:

> On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <nanog () shreddedmail com> wrote:
>
> > Looking for D/DoS mitigation solutions.  I've seen Arbor Networks
> > mentioned
> > several times but they haven't been responsive to literature requests
> > (hint,
> > if anybody from Arbor is looking...).  Our current upstream is 3x GigE
> > from
> > 3 different providers, each landing on their own BGP endpoint feeding a
> > route-reflector core.
> >
> > I see two possible solutions:
> > - Netflow/sFlow/***Flow  feeding a BGP RTBH
> > - Inline device
>
>      - Outsource to service provider
>
>
> Netflow can lag a bit in detection.  I'd be concerned that inline devices
> > add an additional point of failure.  I'm worried about both failing-open
> > (e.g. network outage) and false-positives.
>
> How often are you getting DDoS'd?
>
> The financials of using a managed service provider vs.
> buy-all-your-own-grrovy-stuff can be fairly compelling especially if the
> amount of DDoS you experience is almost nil.
>
> Re: Arbor. I don't have any recent experience, but they've been around for
> a long time, have a very experienced team that understands ISP and
> enterprise and the product is mature. Hard to go wrong if you can justify
> the costs. YMMV.
>
> Best,
>
> -M<
>
>
> --
> Martin Hannigan                               martin () theicelandguy com
> p: +16178216079
> Power, Network, and Costs Consulting for Iceland Datacenters and Occupants