[120781] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Jeffrey Lyon)
Mon Jan 4 16:25:46 2010
In-Reply-To: <d066472f1001041319r302b272dw2fdc6d8b18ce8658@mail.gmail.com>
Date: Mon, 4 Jan 2010 16:25:12 -0500
From: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
To: Rick Ernst <nanog@shreddedmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
We have substantial direct experience with both RioRey and IntruGuard.
RR is more plug and play while IG is more robust but both are great.
Use a robust firewall such as a Netscreen in front of your mitigation
tool.
Best regards, Jeff
On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <nanog@shreddedmail.com> wrote:
> Looking for D/DoS mitigation solutions. I've seen Arbor Networks mentioned
> several times but they haven't been responsive to literature requests (hint,
> if anybody from Arbor is looking...). Our current upstream is 3x GigE from
> 3 different providers, each landing on their own BGP endpoint feeding a
> route-reflector core.
>
> I see two possible solutions:
> - Netflow/sFlow/***Flow feeding a BGP RTBH
> - Inline device
>
> Netflow can lag a bit in detection. I'd be concerned that inline devices
> add an additional point of failure. I'm worried about both failing-open
> (e.g. network outage) and false-positives.
>
> My current system is a home-grown NetFlow parser that spits out syslog to
> our NOC to investigate potential attacks and manually enter them into our
> RTBH.
>
>
> Any suggestions other than Arbor? Any other mechanisms being used? My idea
> is to quash the immediate problem and work additional mitigation with
> upstreams if needed.
>
> I could probably add some automation to my NetFlow/RTBH setup, but I still
> need to worry about false-positives. I'd rather somebody else do the hard
> work of finding the various edge-cases.
>
> Thanks,
> Rick
>
--
Jeffrey Lyon, Leadership Team
jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Follow us on Twitter at http://twitter.com/ddosprotection to find out
about news, promotions, and (gasp!) system outages which are updated
in real time.
Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."
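
Added example, not part of the original thread or either poster's code: one way to put false-positive guards around an automated NetFlow-to-RTBH decision of the kind discussed above. The threshold, the sustain count, the blackhole cap, the protected range, the function name and the flow samples are all assumptions constructed for illustration; the code only returns prefixes and leaves the BGP announcement to the existing RTBH trigger.

```python
import ipaddress
from collections import defaultdict

# Every value here is an assumption for illustration, not taken from the thread.
PPS_THRESHOLD = 200_000     # per-destination packets/sec treated as abnormal
SUSTAIN_INTERVALS = 3       # consecutive export intervals required before acting
MAX_BLACKHOLES = 2          # cap so a parser bug cannot null-route the whole network
NEVER_BLACKHOLE = [ipaddress.ip_network("192.0.2.0/28")]  # e.g. DNS, mail, NOC hosts

def rtbh_candidates(intervals):
    """intervals: list of {dst_ip: pps} dicts, oldest first, one per export interval.
    Returns (announce, needs_review): host routes considered safe to blackhole
    automatically, and destinations held back for a human decision."""
    streak = defaultdict(int)
    for sample in intervals:
        for dst in list(streak):
            if sample.get(dst, 0) < PPS_THRESHOLD:
                del streak[dst]          # streak broken: short burst, not sustained
        for dst, pps in sample.items():
            if pps >= PPS_THRESHOLD:
                streak[dst] += 1
    latest = intervals[-1] if intervals else {}
    sustained = sorted((d for d, n in streak.items() if n >= SUSTAIN_INTERVALS),
                       key=lambda d: latest.get(d, 0), reverse=True)
    announce, needs_review = [], []
    for dst in sustained:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in NEVER_BLACKHOLE):
            needs_review.append(dst)     # critical host: never dropped automatically
        elif len(announce) >= MAX_BLACKHOLES:
            needs_review.append(dst)     # cap reached: escalate to the NOC instead
        else:
            announce.append(f"{addr}/{addr.max_prefixlen}")
    return announce, needs_review

# Constructed flow summaries (documentation address ranges), three intervals.
SAMPLE = [
    {"198.51.100.10": 350_000, "198.51.100.20": 250_000,
     "192.0.2.5": 400_000, "203.0.113.7": 900_000},
    {"198.51.100.10": 360_000, "198.51.100.20": 50_000,
     "192.0.2.5": 410_000, "203.0.113.7": 10_000},
    {"198.51.100.10": 340_000, "198.51.100.20": 260_000, "192.0.2.5": 420_000},
]

if __name__ == "__main__":
    print(rtbh_candidates(SAMPLE))
```

A one-interval spike (203.0.113.7) and an interrupted burst (198.51.100.20) are ignored, and the protected host is routed to review rather than blackholed.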