nanog mailing list archives

Re: D/DoS mitigation hardware/software needed.


From: Rick Ernst <nanog () shreddedmail com>
Date: Mon, 11 Jan 2010 07:38:37 -0800

I thought I had mentioned outsourcing earlier, but I don't see it in the
thread...

The two mechanisms I've seen for outsourced D/DoS are DNS manipulation, or
essentially remote BGP peering with a tunnel back to the local presence.

Even if we are purely hosting, DNS manipulation doesn't do anything for
attacks against an IP.
For remote BGP peering/tunneling, you are adding additional complexity
and moving control outside your network.

As a service-provider/data-center, it seems like outsourcing would be either
ineffective and/or remove the "big red button" in case of trouble.

Am I missing something, overly paranoid, or are there other mechanisms for
outsourced protection?

Rick


On Mon, Jan 11, 2010 at 6:33 AM, Stefan Fouant <
sfouant () shortestpathfirst net> wrote:

-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists () gmail com]
Sent: Monday, January 11, 2010 2:05 AM

On Mon, Jan 11, 2010 at 12:26 AM, jul <jul_bsd () yahoo fr> wrote:
Martin Hannigan wrote on 05/01/10 16:50:

Outsourced services have higher cost than Arbor but can handle more.

Do they? VerizonBusiness's solution was $3250US/month so ~$90USk over
2yrs. Arbor, I think, for a TMS + collectors was +100k.

Don't forget to factor in OpEx.  This can often tilt the scales in favor of
one vs. the other.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




