nanog mailing list archives
Re: Outsourcing DDOS
From: Andreas Echavez <andreas () livejournalinc com>
Date: Mon, 24 Oct 2011 15:46:55 -0700
Having used some of the largest solutions, I do disagree. After quickly searching Google for Verisign, I could find a few documents that claim they have ~350Gb of capacity. On Prolexic's website, they claim to have the largest <http://www.prolexic.com/why-prolexic/index.html> total mitigation capacity at 375Gb.

Now if you're talking about upstream providers (ATT/Verizon), even if your upstream mitigates the traffic, do you really N+1 redundancy during an attack? Do the providers have an SLA guaranteeing mitigation within a certain timeframe?

Finally, and most importantly to us, was how much do they charge per attack, or if it is a flat "insurance" type agreement where they block unlimited attacks. Total capacity certainly isn't the most important factor, but a sane pricing policy certainly was.

-Andreas

On Mon, Oct 24, 2011 at 12:29 PM, Stefan Fouant <sfouant () shortestpathfirst net> wrote:
> On 10/24/2011 1:54 PM, Andreas Echavez wrote:
>
> > obviously they will get blocked. My personal experience is that when you're dealing with a DoS at the scale that you need Prolexic, there is simply no one else that can handle that level of traffic.
>
> Andreas, I think there are a lot of people on this list that would argue with that statement. As was mentioned earlier, AT&T, Verizon, and several others including Verisign have very ample networks capable of handling attacks just as large as Prolexic, if not bigger.
>
> One thing to note about Prolexic, where it stands out from some of the others is that it is a completely off-net solution. Many of the other offerings from folks like Verizon require you to have WAN circuits connected to their network in order to avail of such a service (in other words, they will only scrub that which would normally traverse their network on its way towards your WAN interface). Others like Verisign have (smartly) adopted a similar model to that of Prolexic. They understand that requiring a physical connection into a provider's cloud is a monolithic approach (and certainly runs counter to today's mantra of offering up cloud-based services).
>
> Stefan Fouant
> JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
> Technical Trainer, Juniper Networks
>
> Follow us on Twitter @JuniperEducate