[120851] in North American Network Operators' Group

Re: D/DoS mitigation hardware/software needed.

daemon@ATHENA.MIT.EDU (Martin Hannigan)
Tue Jan 5 10:51:37 2010

In-Reply-To: <d066472f1001041319r302b272dw2fdc6d8b18ce8658@mail.gmail.com>
Date: Tue, 5 Jan 2010 10:50:56 -0500
From: Martin Hannigan <martin@theicelandguy.com>
To: Rick Ernst <nanog@shreddedmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <nanog@shreddedmail.com> wrote:

> Looking for D/DoS mitigation solutions.  I've seen Arbor Networks mentioned
> several times but they haven't been responsive to literature requests (hint,
> if anybody from Arbor is looking...).  Our current upstream is 3x GigE from
> 3 different providers, each landing on their own BGP endpoint feeding a
> route-reflector core.
>
> I see two possible solutions:
> - Netflow/sFlow/***Flow  feeding a BGP RTBH
> - Inline device
>
>

     - Outsource to service provider


> Netflow can lag a bit in detection.  I'd be concerned that inline devices
> add an additional point of failure.  I'm worried about both failing-open
> (e.g. network outage) and false-positives.
>

How often are you getting DDoS'd?

The financials of using a managed service provider vs.
buy-all-your-own-groovy-stuff can be fairly compelling, especially if the
amount of DDoS you experience is almost nil.

Re: Arbor. I don't have any recent experience, but they've been around for a
long time, have a very experienced team that understands ISP and enterprise
and the product is mature. Hard to go wrong if you can justify the costs.
YMMV.

Best,

-M<


-- 
Martin Hannigan                               martin@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
