nanog mailing list archives
Re: DDOS solution recommendation
From: Max Clark <max.clark () gmail com>
Date: Mon, 12 Jan 2015 15:29:45 -0800
Ditto - we've been seeing average attack size pushing the 40-50 Gbps mark. The "serious" attacks are much, much larger.

On Sat, Jan 10, 2015 at 8:50 PM, Ammar Zuberi <ammar () fastreturn net> wrote:

> I'd beg to differ on this one. The average attacks we're seeing are double that, around the 30-40g mark.
>
> Since NTP and SSDP amplification began, we've been seeing all kinds of large attacks. Obviously, these can easily be blocked upstream to your network. Hibernia Networks blocks them for us.
>
> Ammar
>
> On 11 Jan 2015, at 8:37 am, Paul S. <contact () winterei se> wrote:
>
>> While it indeed is true that attacks up to 600 gbit/s (If OVH and CloudFlare's data is to be believed) have been known to happen in the wild, it's very unlikely that you need to mitigate anything close.
>>
>> The average attack is usually around the 10g mark (That too barely) -- so even solutions that service up to 20g work alright.
>>
>> Obviously, concerns are different if you're an enterprise that's a DDoS magnet -- but for general service providers selling 'protected services,' food for thought.
>>
>> On 1/11/2015 12:48 PM, Damian Menscher wrote:
>>
>>> On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín <mmg () transtelco net> wrote:
>>>
>>>> I was wondering what you are using for DDOS protection in your networks. We are currently evaluating different options (Arbor, Radware, NSFocus, RioRey) and I would like to know if someone is using the cloud based solutions/scrubbing centers like Imperva, Prolexic, etc and what are the advantages/disadvantages of using a cloud-based vs an on-premise solution. It would be great if you can share your experience on this matter.
>>>
>>> On-premise solutions are limited by your own bandwidth. Attacks have been publicly reported at 400Gbps, and are rumored to be even larger. If you don't have that much network to spare, then packet loss will occur upstream of your mitigation. Having a good relationship with your network provider(s) can help here, of course.
>>>
>>> If you go with a cloud-based solution, be wary of their SLA. I've seen some claim 100% uptime (not believable) but of course no refund/credits for downtime. Another provider only provides 20Gbps protection, then will null-route the victim.
>>>
>>> On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble <charles () thefnf org> wrote:
>>>
>>>> Also how are folks testing ddos protection? What lab gear, tools, methods are you using to determine effectiveness of the mitigation.
>>>
>>> Live-fire is the cheapest approach (just requires some creative trolling) but if you want to control the "off" button, cloud VMs can be tailored to your needs. There are also legitimate companies that do network stress testing.
>>>
>>> Keep in mind that you need to test against a variety of attacks, against all components in the critical path. Attackers aren't particularly methodical, but will still randomly discover any weaknesses you've overlooked.
>>>
>>> Damian