[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Sam Crooks sam.a.crooks at gmail.com
Thu Jun 9 14:53:03 EDT 2005


I understand the issues with access port speed.  The app needs maybe 2
T1.. I am trying to get a feel for the minimum access port speed to
not fall over from a trivial DDoS attack (so I can make the business
case to those who write the checks) and will otherwise balk at MRC of
$20K/month (or more) for access, when $1k was fine for the past 5
years and $60K for each border router when a $0k router (single SP
managed router) does the job (from their quick perusal of the
datasheet)... thus trying to get a feel for acceptable minimums for
the border router.

I am all in favor of colo (colo'd in one location currently, with
standby at corp campus), however, I don't write the checks.... my
preference is colo the standby site as well to resolve serious power
and connectivity access issues at the campus, pay the software fees to
make the application backend active-active, load balance the
application traffic across both, provisioning a 3rd location in
another region once it comes time for that (both locations active and
standby are currently in the same metro area... nice for easy
interconnectivity... bad bad bad (imho) for regional power, disaster
and telecom issues... but again.... it is a money issue..... the
better the resiliency, the more it costs....

I am having a hard time nailing down a project budget, since it is a
new business market being entered, the company is fully privately
owned, and the margins are extremely high for the overhead... and
they've been doing it for years...

My plan is to present 3 solutions... bare minimum (and pick it apart),
medium (caveats for scaling timeframe based on unknown sales and
growth), and large (no scaling needed in equipment department for say,
2 years minimum, with caveat that that estimate is based on sales of
xyz... exceeding these sales would mean being able to pay for
infrastructure and bandwidth upgrades 4000 times over.

Sam

On 6/9/05, Jon Lewis <jlewis at lewis.org> wrote:
> On Wed, 8 Jun 2005, Sam Crooks wrote:
> 
> > What is the minimum router these days to peer with other AS's?
> >
> > 3700/3800? 7200VXR? 7301? 7304? 7600? 12000GSR? M7? M10? M20? M40?
> >
> > As far as BGP peering, options being discussed with SPs are partial routes
> > (with or without default route) and full routes (with and without default
> > route).  Current access speed to the Internet is 2xT1 at 2 locations, in an
> > active-standby setup, static routes to the SPs, (no BGP, currently).
> 
> For full routes and just a few T1's, pretty much any router Cisco makes
> that takes >=256MB should be acceptable.  So it comes down to how much
> room for growth do you want to pay for now?
> 
> > Initial bandwidth needs would be similar, however, this will scale
> > significantly (sales-driven), not to mention DDoS protection.
> 
> DDoS protection on T1s?  Your T1s will be flooded by even a trivial DDoS.
> Whether your router can deal with the PPS doesn't really matter if your SP
> has several hundred Mbit/s of traffic to stuff into your T1 (dropping the
> vast majority of the packets).
> 
> > The org is a ripe target for a DDoS attack, given the business (financial
> > transaction processing).  For example, here is a recent development in the
> > industry:  http://www.eweek.com/article2/0,1759,1662704,00.asp
> 
> It may make more sense to colo the publicly visible portions of their site
> someplace with fat pipes that can absorb a DDoS, and use private
> connectivity between the public and backend systems.
> 
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
