[185652] in North American Network Operators' Group
Re: DDoS Mitigation
daemon@ATHENA.MIT.EDU (Tin, James)
Wed Nov 4 18:17:59 2015
X-Original-To: nanog@nanog.org
From: "Tin, James" <jtin@akamai.com>
To: Paras <paras@protrafsolutions.com>
Date: Wed, 4 Nov 2015 22:12:43 +0000
In-Reply-To: <563A4A2C.8040700@protrafsolutions.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
This is my first post to Nanog. So please don't flame me down ;)
Hi Mario.
Typically the cost of DDoS mitigation is charged on the amount of clean traffic inbound to your network, the number of protected /24 ranges you need protected and the number of datacentres you want to protect.
Ideally the DDoS mitigation solution should block attacks as close as possible to the source of the attack. One good way of doing this is by leveraging anycast from multiple scrubbing centres and ensuring there is enough backbone bandwidth between each scrubbing centre to deliver clean traffic.
Blocking it at your upstream transit provider may be too late for significant attacks, as any service provider between you and the source could black hole the traffic before it gets to your peers. This results in legitimate traffic not being able to reach your network.
Paras is correct, attacks could be on any port and are often multivector and change within an attack campaign if attackers see one vector is not effective. So each attack really needs to be dealt with dynamically to ensure there are no false positives (something is blocked when it shouldn't be).
Unfortunately it is very simple to initiate a DDoS attack, but the cost of mitigation is very high. So the solution you choose really depends on the monetary cost of the outages, the clients you have and whether the cost can be amortised over your client base.
I have seen service providers offer premium hosting services which have DDoS mitigation, using separate infrastructure and links from their normal customers. This reduces the cost of mitigation while also containing the risks and the collateral damage.
There are also different DDoS mitigation solutions depending on the service protocols you are offering, i.e. web traffic could be mitigated with a CDN vs. all protocols and ports with BGP via a scrubbing centre.
Sent from my iPhone
James Tin
Enterprise Security Architect APJ
Akamai Technologies
Level 7, 76 Berry St
North Sydney, NSW 2071
On 5 Nov 2015, at 05:13, Paras <paras@protrafsolutions.com> wrote:
Hey,
Just blocking port 19 won't cut it, as we often see chargen attacks that run on nonstandard ports as well.
Thanks,
Paras
On 11/4/2015 12:33 PM, Mario Eirea wrote:
Hello everyone,
Looking to find out how the pricing model works for DDoS mitigation and what to expect as far as ballpark pricing from my ISP. Some background: we are getting hit with a chargen attack that comes and goes and is saturating our 500 Mb connection. Tried hitting up the ISP for a UDP block on 19 but they want us to go through our rep, in the process making this go on longer than is necessary. Any feedback would be appreciated.
Thanks,
-ME
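Paras's point above (chargen reflection from nonstandard ports) is why a "block UDP source port 19" rule of the kind Mario asked his ISP for only catches part of the flood. The following is an added example, not code from anyone in this thread: it classifies UDP datagrams as chargen by the shape of the payload defined in RFC 864 (lines of 72 printable ASCII characters, each line starting one character further into the 95-character printable set, CRLF-terminated) rather than by port, and compares what a port filter and a content classifier each catch. The sample packets, IP addresses and the nonstandard port 8019 are constructed for the example.

```python
"""Detect chargen reflection traffic by payload shape, not by source port.

All packets below are constructed sample input for this example; the
classifier itself implements the RFC 864 chargen line pattern.
"""
from collections import Counter

# The 95 printable ASCII characters ' ' (0x20) .. '~' (0x7e), in order.
PRINTABLE = ''.join(chr(c) for c in range(0x20, 0x7f))
LINE_LEN = 72


def chargen_payload(start: int = 0, lines: int = 8) -> bytes:
    """Generate what a chargen server emits (constructed sample input).

    Line i starts at PRINTABLE[(start + i) % 95] and wraps around the set.
    """
    out = []
    for i in range(lines):
        idx = start + i
        out.append(''.join(PRINTABLE[(idx + j) % 95] for j in range(LINE_LEN)) + '\r\n')
    return ''.join(out).encode('ascii')


def looks_like_chargen(payload: bytes, min_lines: int = 2) -> bool:
    """True if the payload is a run of chargen-shaped lines, whatever the port.

    Tolerates a truncated final line (datagram cut at the MTU) but requires
    every complete line to be exactly 72 consecutive printable characters and
    each line to start one character after the previous one.
    """
    try:
        text = payload.decode('ascii')
    except UnicodeDecodeError:
        return False
    lines = text.split('\r\n')
    if lines[-1] == '':
        lines.pop()  # payload ended on a CRLF
    if len(lines) < min_lines:
        return False
    prev_start = None
    for n, line in enumerate(lines):
        last = n == len(lines) - 1
        if len(line) != LINE_LEN and not (last and 0 < len(line) < LINE_LEN):
            return False  # only the final line may be cut short
        start = PRINTABLE.find(line[0])
        if start < 0:
            return False
        expected = ''.join(PRINTABLE[(start + j) % 95] for j in range(len(line)))
        if line != expected:
            return False
        if prev_start is not None and start != (prev_start + 1) % 95:
            return False
        prev_start = start
    return True


# Constructed sample: (src_ip, src_port, dst_port, payload) as seen by the victim.
SAMPLE_PACKETS = [
    ("198.51.100.7", 19, 40001, chargen_payload(0)),        # classic chargen reflection
    ("198.51.100.9", 8019, 40002, chargen_payload(17)),     # chargen reflector on a nonstandard port
    ("203.0.113.5", 53, 40003, b"\x12\x34\x81\x80\x00\x01\x00\x01"),  # DNS-like response, benign
    ("198.51.100.11", 19, 40004, b"hello from port 19\r\n"),  # port 19 but not chargen shaped
]


def port_filter_hits(packets, port: int = 19) -> int:
    """What a 'block UDP source port 19' rule would drop."""
    return sum(1 for _, sport, _, _ in packets if sport == port)


def content_filter_hits(packets) -> int:
    """What a payload-shape classifier would drop."""
    return sum(1 for _, _, _, payload in packets if looks_like_chargen(payload))


def missed_by_port_filter(packets, port: int = 19) -> list:
    """Chargen traffic the port rule lets through, as 'ip:port' strings."""
    return [f"{ip}:{sport}" for ip, sport, _, payload in packets
            if sport != port and looks_like_chargen(payload)]


def summarize(packets, port: int = 19) -> Counter:
    """Per-packet verdict counts for port-based vs content-based matching."""
    c = Counter()
    for _, sport, _, payload in packets:
        by_port, by_content = sport == port, looks_like_chargen(payload)
        c[(by_port, by_content)] += 1
    return c


if __name__ == "__main__":
    print("port filter drops:   ", port_filter_hits(SAMPLE_PACKETS))
    print("content filter drops:", content_filter_hits(SAMPLE_PACKETS))
    print("chargen missed by port rule:", missed_by_port_filter(SAMPLE_PACKETS))
```

In the constructed sample the port rule drops two datagrams (one of them not chargen at all) and misses the reflector answering from port 8019, while the payload classifier catches both chargen sources and leaves the DNS response alone; that is the gap Paras describes. In production this check would run on a flow or packet sampler feeding a dynamic filter, not as a static ACL.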