[120810] in North American Network Operators' Group


Re: D/DoS mitigation hardware/software needed.

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Mon Jan 4 23:13:52 2010

In-Reply-To: <16720fe01001042005i23f0360en6bd5740f6b90beec@mail.gmail.com>
Date: Tue, 5 Jan 2010 09:43:06 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

With these safeguards in place - and with flow devices being part of
the mix somewhere .. what you propose is quite reasonable.

There's still the question of whether an application that receives a
lot of new / untrusted traffic - a mail or web server - would benefit
from having a stateful firewall in front .. Roland seems to think not.

--srs

On Tue, Jan 5, 2010 at 9:35 AM, Jeffrey Lyon
<jeffrey.lyon@blacklotus.net> wrote:
> 1. We have multiple nodes conducting DDoS scrubbing, one failing would not
> be catastrophic.
>
> 2. Indeed.
>
> 3. Sort of, such devices are downstream for extremely valid reasons I won't
> get into now.
>
> 4. Indeed, we're equipped to handle substantially higher than 150kpps.
>
> I'm sure Arbor is really neat but I disagree that any DDoS appliance is a
> standalone solution. I don't expect an employee of the vendor themselves to
> attest to this though.



--
Suresh Ramasubramanian (ops.lists@gmail.com)

