[119079] in North American Network Operators' Group


Re: Pros and Cons of Cloud Computing in dealing with DDoS

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Thu Nov 5 22:29:57 2009

From: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <003801ca5e7a$9b5c9f00$d215dd00$@com>
Date: Fri, 6 Nov 2009 10:29:15 +0700
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Nov 6, 2009, at 7:46 AM, Stefan Fouant wrote:

> So if I'm hearing you correctly, you're saying that no matter how
> much infrastructure you have to potentially absorb the problem,
> there is nothing you can do because the bad guys are always going to
> have more bandwidth at their disposal.

What I'm saying is that one can't simply rely on bandwidth capacity/ 
connection capacity/tps scaling/etc. on their own to always 'eat' the  
problem traffic; rather that there's a full spectrum of things one  
must do in order to be able to maintain availability in the face of  
attack, starting with fundamental architecture at layer-7 and moving  
down the model, taking special care to try and avoid design choices  
which lead to blocking behaviors and/or open up amplification vectors  
(some of these simply can't be avoided due to protocol semantics, of  
course).

I'm also saying that threats to availability aren't something one can  
always assume one will be able to handle alone; engaging with the  
larger opsec community is key.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Sorry, sometimes I mistake your existential crises for technical
insights.

			-- xkcd #625
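A small capacity model of the point made in the reply above, added here as an illustration (it is not part of the message and not anything from NANOG or Arbor). It assumes a service is limited both by link bandwidth and by a finite pool of connection or worker slots, and uses Little's law (concurrency = request rate x hold time) to show why a design with blocking behaviour falls over under a flood that its bandwidth could easily absorb, and why buying more bandwidth alone does not fix that; all capacities, hold times and the attack rate are constructed numbers.

```python
from dataclasses import dataclass


@dataclass
class Service:
    bandwidth_bps: float   # link capacity in bits per second
    max_concurrent: int    # connection / worker slots available
    hold_time_s: float     # seconds one request occupies a slot


def load(svc: Service, rps: float, bytes_per_request: int) -> tuple[float, float]:
    """Return (bandwidth utilisation, slot utilisation) under a flood of `rps`.

    Slot utilisation follows Little's law: average concurrency equals the
    arrival rate multiplied by the time each request is held.
    """
    bw_util = rps * bytes_per_request * 8 / svc.bandwidth_bps
    slot_util = rps * svc.hold_time_s / svc.max_concurrent
    return bw_util, slot_util


def available(svc: Service, rps: float, bytes_per_request: int) -> bool:
    """Service stays up only if neither bandwidth nor the slot pool saturates."""
    bw_util, slot_util = load(svc, rps, bytes_per_request)
    return bw_util < 1.0 and slot_util < 1.0


# Constructed scenario: 50,000 requests/s of 500-byte requests (about 200 Mbit/s).
ATTACK_RPS = 50_000
ATTACK_BYTES = 500

# Blocking design: each request holds a slot for 5 s (e.g. a synchronous
# backend call), 10,000 slots, on a 10 Gbit/s link.
BLOCKING_10G = Service(10e9, 10_000, 5.0)
# Same design with ten times the bandwidth.
BLOCKING_100G = Service(100e9, 10_000, 5.0)
# Non-blocking design on the original link: a slot is held for 10 ms.
NONBLOCKING_10G = Service(10e9, 10_000, 0.01)


def compare() -> dict[str, bool]:
    """Availability of each design under the constructed flood."""
    return {
        "blocking_10g": available(BLOCKING_10G, ATTACK_RPS, ATTACK_BYTES),
        "blocking_100g": available(BLOCKING_100G, ATTACK_RPS, ATTACK_BYTES),
        "nonblocking_10g": available(NONBLOCKING_10G, ATTACK_RPS, ATTACK_BYTES),
    }


if __name__ == "__main__":
    for name, up in compare().items():
        print(f"{name}: {'available' if up else 'DOWN'}")
```

The blocking design is only 2% loaded on bandwidth yet needs 25 times its slot pool, and the 100 Gbit/s link changes nothing; shortening the hold time is what restores availability.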
