[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Sam Crooks
sam.a.crooks at gmail.com
Fri Jun 10 17:20:50 EDT 2005
Thanks for the input...
I am evaluating shared DDoS as a purchased service, and potentially as
a purchased appliance, but your solution is not feasible (L2 switches)
for the application, as security requirements dictate a well defined
and secure border. Not a website, more of a service offering accepting
transactions over the Internet and gateway-ing them to a different
type of functional services network. Initial bandwidth is NxT1....
expected to scale up to (hopefully) OC-x or NxGbps level over time...
the fuzzy-factors are what timeframe, and margin on services provided
over the infrastructure.... (i.e. if initial immediate profit is $50M
USD, expected to grow, it makes no sense at all to even consider say
7304 vs 7600, as the cost factor is maybe 8 (???) but a much smaller
fraction of the profit the equipment produces, than if say the initial
immediate profit were $500k USD)..
Make sense?
I don't have enough information to make an informed business decision
(it is being very closely held), so I am trying to craft a bare
minimum, a medium and a large scale option (2 variants each, multi
vendor and single vendor).... since I don't have and possibly won't be
given the proper financials... this seems to be my best approach....
On 6/10/05, Arie Vayner <arievayner at gmail.com> wrote:
> Hi
>
> I would have taken a slightly different approach if I had to operate a
> web site which is worried about DDoS.
> Instead of building very high (and expensive) walls (like buying
> 6500's for a web site that needs 2 T1's), I would have put a server in
> a colo space using the minimum equipment I need (a pair of 2950...)
>
> On top of that, I would have chosen a colo that is DDoS-aware, and
> runs some kind of a shared DDoS protection system (like the late
> Riverhead Guard/Cisco Guard XT 5650).
> The colo operator would have more than enough
> bandwidth/equipment/procedures to fight DDoS because they have them
> all the time, and the Guard device would dramatically improve the
> chances to be able to keep the site up and running during DDoS
> attacks.
>
> Arie
> CCIE#12198
>
> On 6/9/05, Sam Crooks <sam.a.crooks at gmail.com> wrote:
> > I asked a question yesterday regarding setting up an org as an ASN with
> > ARIN. Thanks for the off-list responses. The process is underway.
> >
> > My question has 2 parts:
> >
> > What is the minimum router these days to peer with other AS's?
> >
> > 3700/3800? 7200VXR? 7301? 7304? 7600? 12000GSR? M7? M10? M20? M40?
> >
> > Recommended router?
> >
> > As far as BGP peering, options being discussed with SPs are partial routes
> > (with or without default route) and full routes (with and without default
> > route). Current access speed to the Internet is 2xT1 at 2 locations, in an
> > active-standby setup, static routes to the SPs, (no BGP, currently).
> >
> > Initial bandwidth needs would be similar, however, this will scale
> > significantly (sales-driven), not to mention DDoS protection.
> >
> > The org is a ripe target for a DDoS attack, given the business (financial
> > transaction processing). For example, here is a recent development in the
> > industry: http://www.eweek.com/article2/0,1759,1662704,00.asp
> >
> > What access speed and router can withstand a DDoS attack these days,
> > assuming appropriate security measures are taken (CAR, NBAR, bogon filters,
> > etc)?
> >
> > Cost (as always) is an issue, however the business case could certainly be
> > made to justify appropriately sized border routers and adequate access
> > speeds. Note that this is not for transit for customers, but for internet
> > connectivity for the enterprise for handling the business service traffic,
> > and for withstanding DDoS attacks on the business.
> >
> > I appreciate any replies (off-list if you wish).
> >
> > Regards,
> >
> > Sam
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>