[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

james edwards hackerwacker at cybermesa.com
Thu Jun 9 18:00:05 EDT 2005


> On (09/06/05 11:53), Sam Crooks wrote:
> >
> > I understand the issues with access port speed.  The app needs maybe 2
> > T1.. I am trying to get a feel for the minimum access port speed to
> > not fall over from a trivial DDoS attack
>
>  a few owned hosts connected to cable/dsl can kill a t1 or two.  if
>  someone wants to take you down, short of having an oc192/10gig uplink,
>  they will probably succeed - in the past week some friends have seen
>  several ddos attacks of 1-4Gbps...point being, it is really really hard
>  to get a connection big enough to stand up.  knowing how to get in touch
>  with your isp and having a clueful provider who can help you mitigate it
>  are more effective, and a lot less expensive.

I think money and time are better spent on systems and procedures to quickly
identify a DoS/DDoS and its characteristics than on provisioning excess
bandwidth to carry you through an attack. With specific information a good
upstream provider can mitigate a DoS/DDoS; I would not expect an upstream
provider to do this research. At the very least you will get a much quicker
response if you can ask for specific ports or IPs to be null routed or rate
limited.

Based on past experiences with upstream providers with Cisco-based networks,
we no longer buy transit from these providers as (again based on past
experience) their attempts to mitigate attacks render their networks or our
connection worse off than the attack itself.  Providers with significant OC-x
connectivity and Juniper routers that allow us to advertise customer activated
null routes get our money.

James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh at cybermesa.com  noc at cybermesa.com
http://www.cybermesa.com/ContactCM
(505) 795-7101
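A minimal version of the "quickly identify the attack and its characteristics" step the post argues for, added here as an example and not code from the original thread: it aggregates constructed flow records (assumed fields: src, dst, proto, dport, bytes over a fixed window) into the specific destination IP/port figures you would hand an upstream when asking for a rate limit or null route. The 1.5 Mbps default threshold is an assumption, chosen because the thread is about a roughly T1-sized access port.

```python
from collections import defaultdict

# Constructed sample flow records covering a 10-second window (not real traffic).
# Field names are assumed: src, dst, proto, dport, bytes.
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "dst": "192.0.2.5", "proto": "udp", "dport": 53, "bytes": 45_000_000},
    {"src": "203.0.113.11", "dst": "192.0.2.5", "proto": "udp", "dport": 53, "bytes": 30_000_000},
    {"src": "198.51.100.7", "dst": "192.0.2.5", "proto": "udp", "dport": 53, "bytes": 15_000_000},
    {"src": "198.51.100.20", "dst": "192.0.2.5", "proto": "tcp", "dport": 80, "bytes": 1_200_000},
    {"src": "198.51.100.21", "dst": "192.0.2.9", "proto": "tcp", "dport": 25, "bytes": 500_000},
]


def aggregate(flows):
    """Sum bytes and collect distinct sources per (dst, proto, dport) tuple."""
    totals = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        key = (f["dst"], f["proto"], f["dport"])
        totals[key]["bytes"] += f["bytes"]
        totals[key]["sources"].add(f["src"])
    return totals


def find_targets(flows, window_seconds, threshold_mbps=1.5):
    """Return (dst, proto, dport, mbps, source_count) for every destination/port
    whose inbound rate exceeds threshold_mbps, highest rate first.  The default
    threshold is an assumed value close to one T1 (1.544 Mbps)."""
    hits = []
    for (dst, proto, dport), t in aggregate(flows).items():
        mbps = t["bytes"] * 8 / window_seconds / 1_000_000
        if mbps > threshold_mbps:
            hits.append((dst, proto, dport, round(mbps, 2), len(t["sources"])))
    return sorted(hits, key=lambda h: h[3], reverse=True)


def mitigation_request(flows, window_seconds):
    """Format the specific ask for the upstream: which port to rate limit,
    or which /32 to null route if the host can be sacrificed."""
    lines = []
    for dst, proto, dport, mbps, nsrc in find_targets(flows, window_seconds):
        lines.append(f"{proto}/{dport} to {dst}: {mbps} Mbps from {nsrc} sources; "
                     f"request rate limit on {proto}/{dport} to {dst}, "
                     f"or null route {dst}/32 if the host is expendable")
    return lines


if __name__ == "__main__":
    for line in mitigation_request(SAMPLE_FLOWS, WINDOW_SECONDS):
        print(line)
```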
