nanog mailing list archives

Re: ddos attacks


From: "dennis () justipit com" <dennis () justipit com>
Date: Thu, 19 Dec 2013 16:05:10 -0500

I have to disagree with the scaling as I've personally deployed both Arbor and Radware in carrier and MSSP 
environments, including tier 1, CLEC and cable operators.  Deployment models vary from infrastructure protection to 
scrubbing center and top of rack solutions.  Happy to discuss with you further offlist.

Cheers

Dennis

Sent from my Sprint phone.

----- Reply message -----
From: "Eugeniu Patrascu" <eugen () imacandi net>
To: "dennis () justipit com" <dennis () justipit com>
Cc: <fergdawgster () mykolab com>, "NANOG list" <nanog () nanog org>
Subject: ddos attacks
Date: Thu, Dec 19, 2013 3:51 PM

On Thu, Dec 19, 2013 at 10:30 PM, dennis () justipit com <dennis () justipit com> wrote:

Just about every security, network and ADC vendor out there is claiming anti-DoS capabilities.  Be careful when going 
that route and do your own validation.  I suggest looking at Radware and Arbor (both leaders in the market). To 
successfully mitigate an attack the ideal solutions will weed out the attack and allow legitimate traffic to continue.  
Many of the solutions in the commercial market are not much more than rate limiters and are not very forgiving.  Just 
as important, realize that while spoofed UDP floods are popular they are often only the first vector; if successfully 
mitigated, attackers quickly adjust and follow with more complex vectors such as application attacks toward HTTP, SSL, 
DNS query floods, etc.  Remember their goal is to bring you down, divert your attention while they steal your data or 
perhaps transfer funds.  They will go to far lengths to achieve their end result.  As you can imagine it's much harder 
to identify the attack characteristics or for that matter the attacker in these more complex cases.  In summary, I'm a 
firm believer in a hybrid approach with a combination of infrastructure ACLs, RTBH, QoS, uRPF, TCP stack hardening, local 
anti-DDoS appliances for application attacks and network floods under link capacity to allow you to stay up while 
deciding to shift routes into the cloud, and the ability to swing upstream to a cloud scrubbing center (in house or third party).


I know a bit about Radware, and what they do is learn a traffic pattern of where traffic usually comes from, and in 
case of exceeding a certain threshold, they start dropping traffic from new sources never seen before and then drop 
some seen-before traffic. This works if you are a company with a very localized visitor base (like a banking site for a 
certain national or local bank, an e-shop and so on), but it kind of doesn't scale that much when it comes to "we have 
people all over the place and we get DDoS-ed with legitimate requests that only consume server resources".



What providers do in some regions is to blackhole your subnet if you reach a certain number of packets per second. It 
sucks, but hey, they also have infrastructure to protect.


Eugeniu
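The learn-then-shed behaviour Eugeniu describes, and why it degrades for a globally distributed visitor base, as an added Python simulation (constructed traffic, not vendor code; the address ranges, the 600-packet threshold and the `known`-set model are assumptions, not Radware's actual algorithm):

```python
import random

def learn_baseline(packets):
    # Record every source seen during a quiet learning window.
    return {src for src, _ in packets}

def mitigate(packets, known, threshold):
    # Admit up to `threshold` packets per window: previously seen sources
    # first, never-seen sources only with whatever capacity remains, and
    # finally shed seen-before traffic too if known sources alone exceed
    # the threshold. Returns (admitted, dropped).
    known_pkts = [p for p in packets if p[0] in known]
    new_pkts = [p for p in packets if p[0] not in known]
    admitted = known_pkts[:threshold]
    room = max(threshold - len(admitted), 0)
    admitted += new_pkts[:room]
    dropped = known_pkts[threshold:] + new_pkts[room:]
    return admitted, dropped

def legit_survival(admitted, dropped):
    # Fraction of legitimate packets that made it through the mitigation.
    legit_in = sum(1 for _, legit in admitted if legit)
    legit_total = legit_in + sum(1 for _, legit in dropped if legit)
    return legit_in / legit_total if legit_total else 1.0

def simulate(localized, seed=1):
    # Each packet is (source, is_legitimate). Constructed sample traffic.
    # localized=True: the same 50 sources before and during the attack
    # (a national bank's customers). localized=False: a global visitor base
    # where the legitimate sources seen under attack never appeared in the
    # learning window, so they look exactly like the flood.
    rng = random.Random(seed)
    baseline = [(f"10.0.0.{i % 50}", True) for i in range(500)]
    known = learn_baseline(baseline)
    if localized:
        legit = [(f"10.0.0.{rng.randrange(50)}", True) for _ in range(400)]
    else:
        legit = [(f"203.0.113.{rng.randrange(250)}", True) for _ in range(400)]
    # Spoofed flood from 4000 never-seen sources.
    flood = [(f"198.51.100.{rng.randrange(250)}", False) for _ in range(4000)]
    window = legit + flood
    rng.shuffle(window)
    admitted, dropped = mitigate(window, known, threshold=600)
    return legit_survival(admitted, dropped)

if __name__ == "__main__":
    print("localized visitor base, legit survival:", simulate(True))
    print("global visitor base,    legit survival:", simulate(False))
```

With the localized base every legitimate packet survives; with the global base legitimate users compete with the flood for the leftover capacity and most are shed, which is the scaling limit Eugeniu points at.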
