[120786] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Jeffrey Lyon)
Mon Jan 4 17:07:45 2010
In-Reply-To: <d066472f1001041359l70341b15h6cde592dc1046eb4@mail.gmail.com>
Date: Mon, 4 Jan 2010 17:03:27 -0500
From: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
To: Rick Ernst <nanog@shreddedmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Ask them if they'd come down to $10 - 20k for a full featured model
and they might make two sales, although I doubt it unfortunately.
Best regards, Jeff
On Mon, Jan 4, 2010 at 4:59 PM, Rick Ernst <nanog@shreddedmail.com> wrote:
> Several responses already, and Arbor has poked their head up.
>
> I'm going to start there and keep the other suggestions at-hand.
>
> Thanks,
>
>
> On Mon, Jan 4, 2010 at 1:19 PM, Rick Ernst <nanog@shreddedmail.com> wrote:
>
>>
>> Looking for D/DoS mitigation solutions. I've seen Arbor Networks mentioned
>> several times but they haven't been responsive to literature requests (hint,
>> if anybody from Arbor is looking...). Our current upstream is 3x GigE from
>> 3 different providers, each landing on their own BGP endpoint feeding a
>> route-reflector core.
>>
>> I see two possible solutions:
>> - Netflow/sFlow/***Flow feeding a BGP RTBH
>> - Inline device
>>
>> Netflow can lag a bit in detection. I'd be concerned that inline devices
>> add an additional point of failure. I'm worried about both failing-open
>> (e.g. network outage) and false-positives.
>>
>> My current system is a home-grown NetFlow parser that spits out syslog to
>> our NOC to investigate potential attacks and manually enter them into our
>> RTBH.
>>
>>
>> Any suggestions other than Arbor? Any other mechanisms being used? My
>> idea is to quash the immediate problem and work additional mitigation with
>> upstreams if needed.
>>
>> I could probably add some automation to my NetFlow/RTBH setup, but I still
>> need to worry about false-positives. I'd rather somebody else do the hard
>> work of finding the various edge-cases.
>>
>> Thanks,
>> Rick
>>
>>
>
-- 
Jeffrey Lyon, Leadership Team
jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Follow us on Twitter at http://twitter.com/ddosprotection to find out
about news, promotions, and (gasp!) system outages which are updated
in real time.
Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."