nanog mailing list archives
Re: D/DoS mitigation hardware/software needed.
From: Rick Ernst <nanog () shreddedmail com>
Date: Tue, 5 Jan 2010 07:55:03 -0800
I looked at one of the suggested out-sourced providers. Based on a sample size of 1, the mitigating mechanisms are DNS redirection and BGP/tunneling. While both of these solutions may be useful for an end-user (even large ones), I don't see them fitting in an SP environment. "If something goes wrong, I want my own, local, big-red button." Rick On Tue, Jan 5, 2010 at 7:50 AM, Martin Hannigan <martin () theicelandguy com>wrote:
On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <nanog () shreddedmail com> wrote:Looking for D/DoS mitigation solutions. I've seen Arbor Networks mentioned several times but they haven't been responsive to literature requests (hint, if anybody from Arbor is looking...). Our current upstream is 3x GigE from 3 different providers, each landing on their own BGP endpoint feeding a route-reflector core. I see two possible solutions: - Netflow/sFlow/***Flow feeding a BGP RTBH - Inline device- Outsource to service provider Netflow can lag a bit in detection. I'd be concerned that inline devicesadd an additional point of failure. I'm worried about both failing-open (e.g. network outage) and false-positives.How often are you getting DDoS'd? The financials of using a managed service provider vs. buy-all-your-own-grrovy-stuff can be fairly compelling especially if the amount of DDoS you experience is almost nil. Re: Arbor. I don't have any recent experience, but they've been around for a long time, have a very experienced team that understands ISP and enterprise and the product is mature. Hard to go wrong if you can justify the costs. YMMV. Best, -M< -- Martin Hannigan martin () theicelandguy com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Current thread:
- Re: D/DoS mitigation hardware/software needed., (continued)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 04)
- RE: D/DoS mitigation hardware/software needed. Stefan Fouant (Jan 04)
- Re: D/DoS mitigation hardware/software needed. John Kristoff (Jan 05)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 04)
- RE: D/DoS mitigation hardware/software needed. Raj Singh (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Rick Ernst (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Jeffrey Lyon (Jan 04)
- Re: D/DoS mitigation hardware/software needed. kowsik (Jan 04)
- Re: D/DoS mitigation hardware/software needed. Martin Hannigan (Jan 05)
- Re: D/DoS mitigation hardware/software needed. Rick Ernst (Jan 05)
- Re: D/DoS mitigation hardware/software needed. jul (Jan 10)
- Re: D/DoS mitigation hardware/software needed. Christopher Morrow (Jan 10)
- RE: D/DoS mitigation hardware/software needed. Stefan Fouant (Jan 11)
- Re: D/DoS mitigation hardware/software needed. Rick Ernst (Jan 11)
- RE: D/DoS mitigation hardware/software needed. Stefan Fouant (Jan 11)
- Re: D/DoS mitigation hardware/software needed. Rick Ernst (Jan 11)
- Re: D/DoS mitigation hardware/software needed. Christopher Morrow (Jan 11)
- RE: D/DoS mitigation hardware/software needed. Stefan Fouant (Jan 11)
- Re: D/DoS mitigation hardware/software needed. Christopher Morrow (Jan 11)
- Re: D/DoS mitigation hardware/software needed. Hank Nussbacher (Jan 11)