[135286] in North American Network Operators' Group
Re: Securing Border Routers
daemon@ATHENA.MIT.EDU (Ryan Shea)
Wed Jan 19 20:12:14 2011
In-Reply-To: <BLU158-w13F6A3CA3CEC3895852E48DCF90@phx.gbl>
Date: Wed, 19 Jan 2011 20:11:08 -0500
From: Ryan Shea <ryanshea@google.com>
To: Brandon Kim <brandon.kim@brandontek.com>
Cc: nanog list <nanog@nanog.org>
A stateful firewall outside of your router may create a new bottleneck which
increases your risk of DoS. Making sure that you know (and document, and
test) how to effectively contact your service providers should you be
attacked would be a good idea. Find out if your service providers have BGP
communities for remote triggered black hole (document and test). A denial of
service will break the weakest link in the chain toward your services, so
make sure you have appropriate bandwidth, a reasonable server architecture,
and if you have money to burn consider a DDoS mitigation service.
-Ryan
On Wed, Jan 19, 2011 at 7:35 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
>
> Gents:
>
> What measures do you take to protect your border routers? Our routers are
> running BGP so I'm interested
> if there is any way to secure them without interfering with BGP? Is it
> normal to put a firewall in front of the
> border routers?
>
> I'm concerned about DDOS attacks mainly....although we haven't had any, I
> don't welcome them.....
>
> Brandon