[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Jon Lewis
jlewis at lewis.org
Thu Jun 9 12:43:38 EDT 2005
On Wed, 8 Jun 2005, Sam Crooks wrote:
> What is the minimum router these days to peer with other AS's?
>
> 3700/3800? 7200VXR? 7301? 7304? 7600? 12000GSR? M7? M10? M20? M40?
>
> As far as BGP peering, options being discussed with SPs are partial routes
> (with or without default route) and full routes (with and without default
> route). Current access speed to the Internet is 2xT1 at 2 locations, in an
> active-standby setup, static routes to the SPs, (no BGP, currently).

For full routes and just a few T1s, pretty much any router Cisco makes
that takes >=256mb should be acceptable. So it comes down to how much
room for growth do you want to pay for now?

> Initial bandwidth needs would be similar, however, this will scale
> significantly (sales-driven), not to mention DDoS protection.

DDoS protection on T1s? Your T1s will be flooded by even a trivial DDoS.
Whether your router can deal with the PPS doesn't really matter if your SP
has several hundred mbit/s of traffic to stuff into your T1 (dropping the
vast majority of the packets).

> The org is a ripe target for a DDoS attack, given the business (financial
> transaction processing). For example, here is a recent development in the
> industry: http://www.eweek.com/article2/0,1759,1662704,00.asp

It may make more sense to colo the publicly visible portions of their site
someplace with fat pipes that can absorb a DDoS, and use private
connectivity between the public and backend systems.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________