[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Sam Crooks sam.a.crooks at gmail.com
Thu Jun 9 21:57:30 EDT 2005


What are opinions of say, 2xN Mbps rate-limited ethernet connections
(1 per border router, 2 routers, through different physical paths),
starting out at 10Mbps, burstable up to 100Mbps... in a
carrier-neutral building with 42 carriers?

I'm evaluating http://www.dpte.net, and they offer a bundle of the
above connectivity to the 42 carriers (they call it blending?), along
with a 10x10 ft cage ... it would seem to make data connections to a
standby site (t1-OC-x, whatever I need to scale up to) very easy to
get, and get very quickly.

How does BGP peering work in such an environment, for an end-user AS?


Sorry if my questions seem like asking "how is 'the' spelled", but I
am new to being a SP customer as an AS.




On 6/9/05, Bill Wichers <billw at waveform.net> wrote:
> 
> >  a few owned hosts connected to cable/dsl can kill a t1 or two.  if
> someone wants to take you down, short of having an oc192/10gig uplink,
> they will probably succeed - in the past week some friends have seen
> several ddos attacks of 1-4Gbps...point being, it is really really hard
> to get a connection big enough to stand up.  knowing how to get in
> touch with your isp and having a clueful provider who can help you
> mitigate it are more effective, and a lot less expensive.
> 
> I think in most DDoS attacks a DS3 has a reasonable chance of holding up.
> It really depends on the type of attack, and how it affects the hardware
> you're using to hold up the link. I've seen smallish DDoS attacks (by bit
> rate) wipe out circuits that large attacks didn't touch due to different
> techniques used by the attackers. For-sure a T1 can be easily wiped out
> though no matter what. If two DS3s were used, I think most attacks could
> be handled, with only the largest being a real problem. And, IMHO, playing
> with BGP keepalives and process scheduling can help a lot -- our biggest
> problem is when a DDoS causes a BGP session to drop, and the resulting
> problems caused by damping, so keeping the sessions up goes a long way to
> keeping the network running.
> 
> Best would be at least a pair of DS3s and a router that can do hardware
> switching of packets, but that's pricey for both the up-front costs
> (12008+ router), and the MRCs of the DS3 circuits. With redundant circuits
> from 2+ providers, and decent BGP traffic balance, you will probably split
> the DDoS traffic between the two links improving your ability to survive
> by increasing your effective available capacity (assuming the DDoS is well
> distributed).
> 
> >  than those t1s (if there is an IX fairly close); or, see if cogent
> could bring in a circuit - they are still selling well below costs, and
> it would give you more bandwidth.  no reason to pay >$200Mb...
> 
> They're not really selling below cost. People bash them too much. Look
> deeper. They also can do Ethernet transport, so they might be cheap to get
> to some other service provider if you don't want to use them for IP
> transport. Not too many buildings are on-net for them though, and using a
> type-II circuit negates a lot of the cost savings.
> 
>     -Bill
> 
> 
> *****************************
> Waveform Technology
> UNIX Systems Administrator
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
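
Added example (not from either poster): a skeleton IOS configuration for one of the two border routers in the setup Bill describes, showing the pieces the thread touches on, a longer BGP hold time so a saturated link does not tear the session down, sane prefix filtering toward two upstreams, and control-plane policing plus selective packet discard so attack traffic cannot starve the BGP keepalives. All AS numbers, addresses, interface names and policer rates are made up from the documentation ranges (RFC 5398 / RFC 5737) and must be replaced with real values; the scheduler and SPD commands vary by platform and IOS release, so check them against your own box.

```cisco
! Hypothetical border router "border1" of end-user AS 64496 (documentation ASN).
! Upstream-A = AS 64500 on 192.0.2.0/30, Upstream-B = AS 64501 on 198.51.100.0/30,
! our own announced block = 203.0.113.0/24. None of these are real peers.
!
! --- 1. Keep the sessions up while the link is full ---------------------
! Default IOS timers are 60/180; a longer hold time tolerates more lost
! keepalives during a flood at the cost of slower detection of a dead peer.
router bgp 64496
 bgp log-neighbor-changes
 no synchronization
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description Upstream-A
 neighbor 192.0.2.1 timers 90 270
 neighbor 192.0.2.1 prefix-list OWN-PREFIX out
 neighbor 192.0.2.1 prefix-list FROM-UPSTREAM in
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 description Upstream-B
 neighbor 198.51.100.1 timers 90 270
 neighbor 198.51.100.1 prefix-list OWN-PREFIX out
 neighbor 198.51.100.1 prefix-list FROM-UPSTREAM in
 no auto-summary
!
! Pull-up route so the network statement always has something to announce.
ip route 203.0.113.0 255.255.255.0 Null0 254
!
! Announce only our own block; never accept it back, nor a default, nor
! anything longer than /24 from the upstreams.
ip prefix-list OWN-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list FROM-UPSTREAM seq 5 deny 203.0.113.0/24 le 32
ip prefix-list FROM-UPSTREAM seq 10 deny 0.0.0.0/0
ip prefix-list FROM-UPSTREAM seq 100 permit 0.0.0.0/0 le 24
!
! --- 2. Protect the control plane from the flood ------------------------
! SPD prefers IP precedence 6/7 packets (BGP is sent at precedence 6) when
! the input queue fills; "aggressive" also drops malformed packets early.
ip spd mode aggressive
!
! Process scheduling (the knob Bill mentions): give the scheduler a larger
! process-time slice so BGP gets CPU during interrupt-heavy forwarding.
! Syntax and defaults are platform specific; shown for a 7200/7500 class box.
scheduler allocate 20000 1000
!
! Control-plane policing: BGP from the known peers is never dropped,
! management traffic from our own block is rate limited, everything else
! hitting the route processor is policed hard.
ip access-list extended CP-BGP
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
ip access-list extended CP-MGMT
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 permit udp 203.0.113.0 0.0.0.255 any eq snmp
!
class-map match-all CP-BGP
 match access-group name CP-BGP
class-map match-all CP-MGMT
 match access-group name CP-MGMT
!
policy-map COPP
 class CP-BGP
  police 512000 64000 conform-action transmit exceed-action transmit
 class CP-MGMT
  police 128000 16000 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Deeper input queue on the uplink so a burst does not drop keepalives
! before SPD/CoPP get a look at them.
interface FastEthernet0/0
 description Upstream-A (rate limited 10M, burst to 100M)
 ip address 192.0.2.2 255.255.255.252
 hold-queue 1500 in
```

The second router gets the mirror image with the Upstream-B link address; with both upstreams accepting the same /24 the inbound attack splits across the two circuits roughly as Bill describes. Note that the policer values only bound what reaches the route processor; they do nothing for a flood that simply fills the 10 or 100 Mbps pipe, which is the point the earlier reply in the thread is making.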


