[121864] in North American Network Operators' Group


Re: DDoS mitigation recommendations

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Fri Jan 29 00:01:47 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Fri, 29 Jan 2010 05:01:19 +0000
In-Reply-To: <1264732760-sup-399@sfo.thejof.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 29, 2010, at 10:04 AM, Jonathan Lassoff wrote:

> Something utilizing sflow/netflow and flowspec to block or direct traffic into a scrubbing box gets you much better bang for your buck past a certain scale.

This is absolutely key for packet-flooding types of attacks, and other attacks in which unadulterated pathological traffic can be detected/classified in detail, with minimal collateral damage.  Everyone should implement S/RTBH and/or flow-spec whenever possible; this cannot be emphasized enough.  Operators have made significant investments in high-speed, ASIC-powered routers at their edges; there's no reason not to utilize that horsepower, as it's already there and paid for.

For situations in which valid and invalid traffic are highly intermixed, and/or layer-4/-7 heuristics are key in validating legitimate traffic and invalidating undesirable traffic, the additional capabilities of an IDMS which can perform such discrimination can be of benefit.  As mentioned in a previous thread, it's possible to construct a base-level capability using open-source software, and commercial solutions from various vendors [full disclosure: I'm employed by one of said vendors] are available, as well.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
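Applying the post's split between a narrow edge filter for a single-signature flood and diversion of intermixed traffic to a scrubbing box, as an added example that is not part of the original message: the thresholds, the flow records and the flowspec-style rule layout are assumptions for illustration, not any vendor's format.

```python
# Added example (not from the NANOG post): decide between a narrow BGP
# flowspec filter, a flowspec redirect to a scrubbing box, or no action,
# from aggregated flow records. Records, thresholds and the rule layout
# are constructed/assumed for illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    dst: str    # destination address (the protected host)
    proto: str  # 'udp', 'tcp' or 'icmp'
    dport: int  # destination port (0 for ICMP)
    pps: int    # packets per second this record represents

FLOOD_PPS = 100_000   # assumed per-destination trigger threshold
DOMINANT_SHARE = 0.9  # share one (proto, dport) must carry to be a "pure" flood

def aggregate(flows):
    """Sum pps per destination, and per (proto, dport) within each destination."""
    total, by_sig = Counter(), defaultdict(Counter)
    for f in flows:
        total[f.dst] += f.pps
        by_sig[f.dst][(f.proto, f.dport)] += f.pps
    return total, by_sig

def mitigation(flows):
    """Return dst -> flowspec-style rule (RFC 5575 match components)."""
    total, by_sig = aggregate(flows)
    rules = {}
    for dst, pps in total.items():
        if pps < FLOOD_PPS:
            continue
        (proto, dport), top = by_sig[dst].most_common(1)[0]
        match = {"destination": f"{dst}/32"}
        if top / pps >= DOMINANT_SHARE:
            # One signature carries the flood: drop just that signature at the
            # edge so other traffic to the host survives (minimal collateral).
            match.update({"protocol": proto, "destination-port": dport})
            rules[dst] = {"match": match, "then": "discard"}
        else:
            # Valid and invalid traffic are intermixed: divert the whole
            # destination to the scrubbing box for L4/L7 discrimination.
            rules[dst] = {"match": match, "then": "redirect scrubber"}
    return rules

# Constructed sample: .10 takes a UDP/53 flood, .20 a mixed flood, .30 is quiet.
SAMPLE = [Flow("192.0.2.10", "udp", 53, 140_000), Flow("192.0.2.10", "tcp", 443, 5_000),
          Flow("192.0.2.20", "tcp", 80, 60_000), Flow("192.0.2.20", "tcp", 443, 50_000),
          Flow("192.0.2.20", "udp", 123, 30_000), Flow("192.0.2.30", "tcp", 443, 2_000)]
```

Running `mitigation(SAMPLE)` yields a protocol/port-scoped discard for 192.0.2.10, a redirect of the whole 192.0.2.20/32 to the scrubber, and nothing for 192.0.2.30.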




