[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Bill Wichers
billw at waveform.net
Thu Jun 9 21:33:45 EDT 2005
> a few owned hosts connected to cable/dsl can kill a t1 or two. if
> someone wants to take you down, short of having an oc192/10gig uplink,
> they will probably succeed - in the past week some friends have seen
> several ddos attacks of 1-4Gbps...point being, it is really really hard
> to get a connection big enough to stand up. knowing how to get in
> touch with your isp and having a clueful provider who can help you
> mitigate it are more effective, and a lot less expensive.
I think in most DDoS attacks a DS3 has a reasonable chance of holding up.
It really depends on the type of attack, and how it affects the hardware
you're using to hold up the link. I've seen smallish DDoS attacks (by bit
rate) wipe out circuits that large attacks didn't touch due to different
techniques used by the attackers. For sure a T1 can be easily wiped out
though no matter what. If two DS3s were used, I think most attacks could
be handled, with only the largest being a real problem. And, IMHO, playing
with BGP keepalives and process scheduling can help a lot -- our biggest
problem is when a DDoS causes a BGP session to drop, and the resulting
problems caused by damping, so keeping the sessions up goes a long way to
keeping the network running.
Best would be at least a pair of DS3s and a router that can do hardware
switching of packets, but that's pricey for both the up-front costs
(12008+ router), and the MRCs of the DS3 circuits. With redundant circuits
from 2+ providers, and decent BGP traffic balance, you will probably split
the DDoS traffic between the two links improving your ability to survive
by increasing your effective available capacity (assuming the DDoS is well
distributed).
> than those t1s (if there is an IX fairly close); or, see if cogent
> could bring in a circuit - they are still selling well below costs, and
> it would give you more bandwidth. no reason to pay >$200Mb...
They're not really selling below cost. People bash them too much. Look
deeper. They also can do Ethernet transport, so they might be cheap to get
to some other service provider if you don't want to use them for IP
transport. Not too many buildings are on-net for them though, and using a
type-II circuit negates a lot of the cost savings.
-Bill
*****************************
Waveform Technology
UNIX Systems Administrator