[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Arie Vayner arievayner at gmail.com
Fri Jun 10 16:24:10 EDT 2005


Hi

I would have taken a slightly different approach if I had to operate a
web site which is worried about DDoS.
Instead of building very high (and expensive) walls (like buying
6500's for a web site that needs 2 T1's), I would have put a server in
a colo space using the minimum equipment I need (a pair of 2950...)

On top of that, I would have chosen a colo that is DDoS-aware, and
runs some kind of a shared DDoS protection system (like the late
Riverhead Guard/Cisco Guard XT 5650).
The colo operator would have more than enough
bandwidth/equipment/procedures to fight DDoS because they have them
all the time, and the Guard device would dramatically improve the
chances to be able to keep the site up and running during DDoS
attacks.

Arie
CCIE#12198

On 6/9/05, Sam Crooks <sam.a.crooks at gmail.com> wrote:
> I asked a question yesterday regarding setting up an org as an ASN with
> ARIN. Thanks for the off-list responses. The process is underway.
>
> My question has 2 parts:
>
> What is the minimum router these days to peer with other AS's?
>
> 3700/3800? 7200VXR? 7301? 7304? 7600? 12000GSR? M7? M10? M20? M40?
>
> Recommended router?
>
> As far as BGP peering, options being discussed with SPs are partial routes
> (with or without default route) and full routes (with and without default
> route).  Current access speed to the Internet is 2xT1 at 2 locations, in an
> active-standby setup, static routes to the SPs, (no BGP, currently).
>
> Initial bandwidth needs would be similar, however, this will scale
> significantly (sales-driven), not to mention DDoS protection.
> 
> The org is a ripe target for a DDoS attack, given the business (financial
> transaction processing).  For example, here is a recent development in the
> industry:  http://www.eweek.com/article2/0,1759,1662704,00.asp
>
> What access speed and router can withstand a DDoS attack these days,
> assuming appropriate security measures are taken (CAR, NBAR, bogon filters,
> etc)?
> 
> Cost (as always) is an issue, however the business case could certainly be
> made to justify appropriately sized border routers and adequate access
> speeds.  Note that this is not for transit for customers, but for internet
> connectivity for the enterprise for handling the business service traffic,
> and for withstanding DDoS attacks on the business.
>
> I appreciate any replies (off-list if you wish).
>
> Regards,
>
> Sam