[177339] in North American Network Operators' Group


Re: DDOS solution recommendation

daemon@ATHENA.MIT.EDU (Max Clark)
Mon Jan 12 18:29:54 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <98868920-8D0C-4613-B047-4BA321DEEC18@fastreturn.net>
Date: Mon, 12 Jan 2015 15:29:45 -0800
From: Max Clark <max.clark@gmail.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Ditto - we've been seeing average attack size pushing the 40-50 Gbps mark.
The "serious" attacks are much, much larger.

On Sat, Jan 10, 2015 at 8:50 PM, Ammar Zuberi <ammar@fastreturn.net> wrote:

> I'd beg to differ on this one. The average attacks we're seeing are double
> that, around the 30-40g mark. Since NTP and SSDP amplification began, we've
> been seeing all kinds of large attacks.
>
> Obviously, these can easily be blocked upstream to your network. Hibernia
> Networks blocks them for us.
>
> Ammar
>
> > On 11 Jan 2015, at 8:37 am, Paul S. <contact@winterei.se> wrote:
> >
> > While it indeed is true that attacks up to 600 gbit/s (If OVH and
> > CloudFlare's data is to be believed) have been known to happen in the wild,
> > it's very unlikely that you need to mitigate anything close.
> >
> > The average attack is usually around the 10g mark (That too barely) --
> > so even solutions that service up to 20g work alright.
> >
> > Obviously, concerns are different if you're an enterprise that's a DDoS
> > magnet -- but for general service providers selling 'protected services,'
> > food for thought.
> >
> >> On 1/11/2015 12:48 PM, Damian Menscher wrote:
> >>> On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín <mmg@transtelco.net> wrote:
> >>>
> >>> I was wondering what you are using for DDOS protection in your networks. We
> >>> are currently evaluating different options (Arbor, Radware, NSFocus,
> >>> RioRey) and I would like to know if someone is using the cloud-based
> >>> solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
> >>> advantages/disadvantages of using a cloud-based vs an on-premise solution.
> >>> It would be great if you can share your experience on this matter.
> >> On-premise solutions are limited by your own bandwidth.  Attacks have been
> >> publicly reported at 400Gbps, and are rumored to be even larger.  If you
> >> don't have that much network to spare, then packet loss will occur upstream
> >> of your mitigation.  Having a good relationship with your network
> >> provider(s) can help here, of course.
> >>
> >> If you go with a cloud-based solution, be wary of their SLA.  I've seen
> >> some claim 100% uptime (not believable) but of course no refund/credits for
> >> downtime.  Another provider only provides 20Gbps protection, then will
> >> null-route the victim.
> >>
> >>> On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble <charles@thefnf.org> wrote:
> >>>
> >>> Also how are folks testing ddos protection? What lab gear, tools, methods
> >>> are you using to determine effectiveness of the mitigation.
> >>
> >> Live-fire is the cheapest approach (just requires some creative trolling)
> >> but if you want to control the "off" button, cloud VMs can be tailored to
> >> your needs.  There are also legitimate companies that do network stress
> >> testing.
> >>
> >> Keep in mind that you need to test against a variety of attacks, against
> >> all components in the critical path.  Attackers aren't particularly
> >> methodical, but will still randomly discover any weaknesses you've
> >> overlooked.
> >>
> >> Damian
> >
>
