[120804] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Mon Jan 4 22:22:08 2010
In-Reply-To: <bb0e440a1001041913w189c3824hd271c111724a9772@mail.gmail.com>
Date: Tue, 5 Jan 2010 08:48:51 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Two more options. And for Netflow device - read that to mean Arbor or
its competitors.
5. Ditch the stateful firewall and exclusively use a netflow device
6. Outsource to a hosted DDoS mitigation service (Prolexic etc)
On Tue, Jan 5, 2010 at 8:43 AM, Suresh Ramasubramanian
<ops.lists@gmail.com> wrote:
> Do you -
>
> 1. Have (say) two firewalls in HA config?
>
> 2. Back your firewall with routing based measures, S/RTBH, blackhole
> communities your upstream offers, etc [the standard nspsec bootcamp
> stuff]
>
> 3. Simply back the firewall with a netflow based device?
>
> 4. Estimate that the risk of a DDoS that exceeds your firewall's rated
> capacity is extremely low? [and yes, 150k ++ connections per second
> ddos is going to be massive, and relatively rare for most people]
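Option 2 above (backing the firewall with S/RTBH and the upstream's blackhole communities) is the one most often set up on the routers themselves, so here is an added illustration of the standard trigger-router / edge-router arrangement in Cisco IOS-style syntax. This is not configuration from the original thread or from any poster; the AS number (64500), the BGP neighbour address, the discard next-hop 192.0.2.1, the route tag 66, the community 64500:666 and the example victim/attacker addresses are all constructed placeholders (RFC 5737 / documentation ranges), and your upstream's actual blackhole community is whatever they publish.

```cisco
! ---- Trigger router (where the operator injects blackholes) ----
! Constructed example; discard next-hop 192.0.2.1 is never a real host.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64500
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 send-community
 ! only static routes tagged 66 are turned into blackhole announcements
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 ! 64500:666 is the (constructed) blackhole community; no-export keeps the
 ! /32 inside the AS. Upstream blackholing uses the community the upstream
 ! publishes instead, on the eBGP session to them.
 set community 64500:666 no-export
!
! Operator action: destination-based RTBH for a victim under attack.
! The /32 is learned by every iBGP speaker with next-hop 192.0.2.1, which
! resolves to Null0 on the edges, so traffic to the victim is dropped at
! the border instead of reaching the firewall.
ip route 203.0.113.10 255.255.255.255 Null0 tag 66
!
! Operator action: source-based RTBH (S/RTBH) for an attacking source.
! Same announcement mechanism; the drop happens via loose-mode uRPF below.
ip route 198.51.100.77 255.255.255.255 Null0 tag 66

! ---- Edge / border routers ----
! Same discard route on every edge so the announced next-hop resolves to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64500
 neighbor 10.0.0.1 remote-as 64500
!
interface GigabitEthernet0/0
 description upstream-facing
 ! Loose-mode uRPF: a packet whose SOURCE has a route pointing at Null0
 ! fails the check and is discarded. This is what makes S/RTBH work.
 ip verify unicast source reachable-via any
```

Two operational notes follow from the structure rather than from any vendor specifics: the destination-based variant completes the attacker's job for the single victim address (the victim is unreachable, but the rest of the network and the firewall survive), which is why it is paired with the source-based variant where the attack sources are few and stable; and the `no-export` on the internal community is what stops a fat-fingered trigger from leaking a /32 to the world, while the upstream's own community is applied separately and deliberately on the eBGP session when the attack needs to be dropped before it reaches your links.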