[177248] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Sathya Varadharajan)
Sun Jan 11 00:19:33 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <CABSP1OdJ+nkfDtwJdcnffjvdhpLsuJy=PkpHQ6tQxp8rKHO==A@mail.gmail.com>
Date: Sat, 10 Jan 2015 23:32:54 -0500
From: Sathya Varadharajan <sathya.varadharajan@gmail.com>
To: Damian Menscher <damian@google.com>
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
This gives some comparison of cloud based Ddos mitigation providers.
https://www.ombud.com/product/compare/prolexic-ddos-protection
On Jan 10, 2015 10:50 PM, "Damian Menscher" <damian@google.com> wrote:
> On Thu, Jan 8, 2015 at 9:01 AM, Manuel Mar=C3=ADn <mmg@transtelco.net> wr=
ote:
>
> > I was wondering what are are using for DDOS protection in your networks=
.
> We
> > are currently evaluating different options (Arbor, Radware, NSFocus,
> > RioRey) and I would like to know if someone is using the cloud based
> > solutions/scrubbing centers like Imperva, Prolexic, etc and what are th=
e
> > advantages/disadvantages of using a cloud base vs an on-premise solutio=
n.
> > It would be great if you can share your experience on this matter.
> >
>
> On-premise solutions are limited by your own bandwidth. Attacks have bee=
n
> publicly reported at 400Gbps, and are rumored to be even larger. If you
> don't have that much network to spare, then packet loss will occur upstre=
am
> of your mitigation. Having a good relationship with your network
> provider(s) can help here, of course.
>
> If you go with a cloud-based solution, be wary of their SLA. I've seen
> some claim 100% uptime (not believable) but of course no refund/credits f=
or
> downtime. Another provider only provides 20Gbps protection, then will
> null-route the victim.
>
> On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble <charles@thefnf.org>
> wrote:
>
> > Also how are folks testing ddos protection? What lab gear,tools,methods
> > are you using to determine effectiveness of the mitigation.
>
>
> Live-fire is the cheapest approach (just requires some creative trolling)
> but if you want to control the "off" button, cloud VMs can be tailored to
> your needs. There are also legitimate companies that do network stress
> testing.
>
> Keep in mind that you need to test against a variety of attacks, against
> all components in the critical path. Attackers aren't particularly
> methodical, but will still randomly discover any weaknesses you've
> overlooked.
>
> Damian
>
