nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: D/DoS mitigation hardware/software needed.

From: kowsik <kowsik () gmail com>
Date: Mon, 4 Jan 2010 18:22:29 -0800
If you want to recreate D/DoS from captures (for testing purposes) you
might want to check out:

http://www.pcapr.net/dos

This lets you validate how your mitigation solutions are holding up.

K.

On Mon, Jan 4, 2010 at 1:19 PM, Rick Ernst <nanog () shreddedmail com> wrote:

Looking for D/DoS mitigation solutions.  I've seen Arbor Networks mentioned
several times but they haven't been responsive to literature requests (hint,
if anybody from Arbor is looking...).  Our current upstream is 3x GigE from
3 different providers, each landing on their own BGP endpoint feeding a
route-reflector core.

I see two possible solutions:
- Netflow/sFlow/***Flow  feeding a BGP RTBH
- Inline device

Netflow can lag a bit in detection.  I'd be concerned that inline devices
add an additional point of failure.  I'm worried about both failing-open
(e.g. network outage) and false-positives.

My current system is a home-grown NetFlow parser that spits out syslog to
our NOC to investigate potential attacks and manually enter them into our
RTBH.


Any suggestions other than Arbor?  Any other mechanisms being used?  My idea
is to quash the immediate problem and work additional mitigation with
upstreams if needed.

I could probably add some automation to my NetFlow/RTBH setup, but I still
need to worry about false-positives. I'd rather somebody else do the hard
work of finding the various edge-cases.

Thanks,
Rick
Previous By Date Next
Previous By Thread Next

Current thread: