[82783] in North American Network Operators' Group
Re: Provider-based DDoS Protection Services
daemon@ATHENA.MIT.EDU (Fergie (Paul Ferguson))
Thu Jul 28 22:36:39 2005
From: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>
Date: Fri, 29 Jul 2005 02:34:49 GMT
To: jneiberger@gmail.com
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
John,
Contrary to popular belief, I (not alone, of course) run,
manage, defend, and continually architect very large
networks. Very large. On none of them do we outsource
the protection of them -- because, in cases where we
have extended trust in the past, we have been screwed
(PC translation: disappointed).
So we protect ourselves.
It's been a business decision for my customers' networks
(ie. their network) not to outsource security, or rely on
an upstreampipedream, for protection of any sort.
Thus, I personally can't provide any insight here. Sorry.
- ferg
-- John Neiberger <jneiberger@gmail.com> wrote:
In this case it's a business decision. I understand that we could
simply weigh the costs of an attack with the costs of preemptively
detecting and mitigating an attack, but in our case we won't lose hard
dollars like an ecommerce site would. We have different reasons for
wanting to have some protection in place before we need it. I look at
it like it's an insurance policy, but I don't want to be ripped off.
It's like I'm getting estimates on building a protective dike around
my house. One contractor tells me that the floodwaters commonly reach
six feet so I should pay him $12,000 to build a wall at least that
high. Another contractor is telling me that he'll build a six-foot
wall for $6,000. Another contractor is telling me that the floodwaters
most likely won't go over two feet and he suggests that I pay him
$1,000 for a three-foot-high wall.
If it turns out that we really do need a six-foot-high wall then so be
it. I'm not the one who pays the bills so it isn't really my decision.
I just want to make sure I have a clearer picture of reality before I
make any suggestions to my boss.
Thanks again,
John
On 7/28/05, Fergie (Paul Ferguson) <fergdawg@netzero.net> wrote:
> I should've asked the most important question first -- is this
> a technical decision, or a business decision? I mean, forgive me
> for pointing out the obvious, but you made an issue of cost in your
> original post...
>
> - ferg
>
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
