[141068] in North American Network Operators' Group


RE: Verisign Internet Defence Network

daemon@ATHENA.MIT.EDU (Stefan Fouant)
Wed Jun 1 12:54:37 2011

From: "Stefan Fouant" <sfouant@shortestpathfirst.net>
To: "'Seth Mattinen'" <sethm@rollernet.us>,
	<nanog@nanog.org>
In-Reply-To: <4DE5DFB4.20708@rollernet.us>
Date: Wed, 1 Jun 2011 12:53:51 -0400
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> -----Original Message-----
> From: Seth Mattinen [mailto:sethm@rollernet.us]
> Sent: Wednesday, June 01, 2011 2:44 AM
> To: nanog@nanog.org
> Subject: Re: Verisign Internet Defence Network
>
> Sounds like a catch-22 though; if it's not always on and only starts
> scrubbing after an attack begins (pending activation approval from the
> customer which may take time), then the customer site is quite possibly
> already down when they start doing their thing to make it come back up.

Well that's exactly how it works in most cases.  Customers don't usually
avail of these types of services until there is a problem, which usually
means their site is down in most cases.  This is why having proper
visibility is key as they can serve as an early warning system giving
indication of an impending attack prior to it becoming big enough to
bring the site down (usually it takes several minutes to ramp up the
attack during the time the bots receive instruction-set from the bot
herder).

The problem with an always-on mitigation service is that there are
additional latencies involved in the redirection (assuming it's not
in-line), not to mention the inspections/proxying/filtering that the
mitigation devices perform.  Note that these latencies will be
substantially less on an on-net service offering like Verizon's whereas
they can be substantially higher on an off-net service offering from
folks like Verisign/Prolexic, etc.  These latencies are generally
acceptable when a site is under attack, but not desired under normal
circumstances.

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC


