Re: DDoS Mitigation

["Tin, James" <jtin () akamai com>]

This is my first post to Nanog. So please don't flame me down ;)

Hi Mario.

Typically the cost of Ddos mitigation is charged on the amount of clean traffic inbound to your network, the number of 
protected /24 ranges you need protected and the number of datacentres you want to protect.

Ideally the Ddos mitigation solution should block attacks as close as possible to the source of the attack. One good 
way of doing this is by leveraging anycast from multiple scrubbing centres and ensure there is enough backbone 
bandwidth between each scrubbing centre to deliver clean traffic.

Blocking it at your upstream transit provider may be too late for significant attacks as any service provider between 
you and the source could black hole the traffic before it gets to your peers. This results in legitimate traffic not 
being able to reach your network.

Paras is correct, attacks could be on any port and often multivector and change within an attack campaign if attackers 
see one vector is not effective. So each attack really needs to be dealt with dynamically to ensure there are no false 
positives (something is blocked when it shouldn't be)

Unfortunately it is very simple to intimate a Ddos attack, but the cost of mitigation is very high. So the solution you 
choose really depends on the monetary cost of the outages, clients you have and whether the cost can be amortised over 
your client base.

I have seen service providers offer premium hosting services which have Ddos mitigation, using separate infrastructure 
and links to their normal customers. This reduces the cost of mitigation while also containing the risks and the 
collateral damage.

There are also different Ddos mitigation solutions depending on the service protocols your are offering. Ie web traffic 
could be mitigated with cdn vs all protocols and ports with BGP via a scrubbing centre.

Sent from my iPhone
James Tin
Enterprise Security Architect APJ
Join the Conversation.
Log on to Akamai Community.     [http://www.akamai.com/images/img/community-icon-large.png] 
<https://community.akamai.com/>

[http://www.akamai.com/images/img/bg/akamai-logo.png]<http://www.akamai.com/>

Office: +<tel:+1.617.444.1234>61 9008 4906
Cell: +<tel:+1.617.444.1234>61 466 961 555
        Akamai Technologies
Level 7, 76 Berry St
North Sydney, NSW 2071

Connect with Us:        [http://www.akamai.com/images/img/akamai-community-icon.jpg] <https://community.akamai.com/>  
[http://www.akamai.com/graphics/misc/rs_icon_small.png] <http://blogs.akamai.com/>  
[http://www.akamai.com/graphics/misc/tw_icon_small.png] <https://twitter.com/akamai>  
[http://www.akamai.com/graphics/misc/fb_icon_small.png] <http://www.facebook.com/AkamaiTechnologies>  
[http://www.akamai.com/graphics/misc/in_icon_small.png] <http://www.linkedin.com/company/akamai-technologies>  
[http://www.akamai.com/graphics/misc/yt_icon_small.png] 
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>




On 5 Nov 2015, at 05:13, Paras <paras () protrafsolutions com<mailto:paras () protrafsolutions com>> wrote:

Hey,

Just blocking port 19 won't cut it, as we often see Chargen attacks that run on nonstandard ports as well

Thanks,
Paras

On 11/4/2015 12:33 PM, Mario Eirea wrote:
Hello everyone,

Looking to find out how the pricing model works for DDoS mitigation and what to expect as far as ballpark pricing from 
my ISP. Some background, we are getting hit with a chargen attack that comes and goes and is saturating our 500mb 
connection. Tried hitting up the ISP for UDP block on 19 but they want us to go through our rep, in the process making 
this go on longer that is necessary. Any feedback would be appreciated.

Thanks,

-ME