[120805] in North American Network Operators' Group


Re: D/DoS mitigation hardware/software needed.

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Jan 4 22:35:27 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 5 Jan 2010 03:31:40 +0000
In-Reply-To: <bb0e440a1001041918k1fb69f46oba2922ad90aafd2c@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 5, 2010, at 10:18 AM, Suresh Ramasubramanian wrote:

> 5 Ditch the stateful firewall and exclusively use a netflow device

NetFlow analysis is very useful for network visibility, and detection/classification/traceback. There are both open-source and commercial NetFlow collection and analysis systems available (full disclosure: I work for a vendor of both NetFlow analysis and DDoS mitigation solutions); however, they don't provide mitigation, which is where S/RTBH, flow-spec, and/or IDMS come into play.

PCI DSS iatrogenically *requires* that a 'Web application firewall' be placed in front of Web servers which process credit card information (PCI DSS completely ignores availability, and contains a number of recommendations which are actually harmful from an opsec standpoint). Running mod_security or its equivalent on the front-end Web servers themselves fulfills this requirement without putting a stateful DDoS chokepoint in front of the servers.

It's also a really good idea to front Web servers with a tier of caching-only transparent reverse proxies; Squid is a good choice for this, as well as various commercial offerings. WCCPv2 clustering (supported by Squid and several commercial caching/proxying solutions) allows this tier to be scaled horizontally in order to meet capacity demands.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
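An added example, not from Roland's message or any NANOG or vendor code, of the split the message draws between NetFlow for visibility/classification and S/RTBH or flow-spec for mitigation: flow records for one export interval are aggregated per destination to flag a volumetric target, and a candidate action is drafted for an operator to review rather than applied. The flow records, thresholds, and the rule strings are constructed for illustration and do not follow any real exporter's or router's syntax.

```python
from collections import defaultdict

# Constructed NetFlow-style records for one 60 s export interval:
# (src, dst, proto, dst_port, packets, bytes). 6 = TCP, 17 = UDP. Invented values.
FLOWS = [
    ("198.51.100.10", "203.0.113.20", 6, 443, 40, 28000),
    ("198.51.100.11", "203.0.113.20", 6, 443, 35, 24000),
    ("192.0.2.5", "203.0.113.30", 17, 53, 5000, 320000),
    ("192.0.2.6", "203.0.113.30", 17, 53, 4800, 307200),
    ("192.0.2.7", "203.0.113.30", 17, 53, 5100, 326400),
    ("192.0.2.8", "203.0.113.30", 17, 53, 4900, 313600),
]
WINDOW_S = 60

def classify(flows, pps_threshold=100.0, min_sources=3):
    """Aggregate per destination; flag a target when its packet rate exceeds
    the threshold and several sources contribute (visibility/classification)."""
    agg = defaultdict(lambda: {"pkts": 0, "srcs": set(), "svc": defaultdict(int)})
    for src, dst, proto, port, pkts, _nbytes in flows:
        agg[dst]["pkts"] += pkts
        agg[dst]["srcs"].add(src)
        agg[dst]["svc"][(proto, port)] += pkts
    report = {}
    for dst, a in agg.items():
        pps = a["pkts"] / WINDOW_S
        svc, svc_pkts = max(a["svc"].items(), key=lambda kv: kv[1])
        report[dst] = {
            "pps": pps,
            "sources": sorted(a["srcs"]),
            "top_service": svc,            # (proto, port) carrying most packets
            "top_share": svc_pkts / a["pkts"],
            "flagged": pps > pps_threshold and len(a["srcs"]) >= min_sources,
        }
    return report

def propose_mitigation(report, max_srtbh_sources=8):
    """Draft one candidate action per flagged target for operator review:
    a flow-spec match when a single protocol/port dominates, otherwise S/RTBH
    on the contributing sources when there are few enough to enumerate."""
    actions = []
    for dst, r in report.items():
        if not r["flagged"]:
            continue
        proto, port = r["top_service"]
        if r["top_share"] >= 0.9:
            actions.append(f"flowspec: dst {dst}/32 proto {proto} dport {port} -> rate-limit")
        elif len(r["sources"]) <= max_srtbh_sources:
            actions.extend(f"s/rtbh: discard src {s}/32" for s in r["sources"])
    return actions
```

The web target stays unflagged (a few pps from two sources) while the UDP/53 target is flagged at 330 pps and gets a flow-spec candidate; the S/RTBH branch is taken only when no single service dominates and the source set is small enough to enumerate.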
