[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Arie Vayner arievayner at gmail.com
Fri Jun 10 17:27:21 EDT 2005


My point about the 2950's was that you should not plan on fighting
DDoS on your own or by putting in bigger routers.
I am working with many web sites/online applications that use a
firewall and a bunch of L2 switches in a colo space. This should be
more than enough for anything, except DDoS.

My other point was that DDoS should be dealt with by the colo provider
based on a shared protection device and their infrastructure (which
would always be more robust than what you would be able to build,
unless you are building a new Google...)

Arie

On 6/11/05, Sam Crooks <sam.a.crooks at gmail.com> wrote:
> Thanks for the input...
> 
> I am evaluating shared DDoS as a purchased service, and potentially as
> a purchased appliance, but your solution is not feasible (L2 switches)
> for the application, as security requirements dictate a well defined
> and secure border.  Not a website, more of a service offering accepting
> transactions over the Internet and gateway-ing them to a different
> type of functional services network.  Initial bandwidth is NxT1....
> expected to scale up to (hopefully) OC-x or NxGbps level over time...
> the fuzzy-factors are what timeframe, and margin on services provided
> over the infrastructure.... (i.e.: if initial immediate profit is $50M
> USD, expected to grow, it makes no sense at all to even consider say
> 7304 vs 7600, as the cost factor is maybe 8 (???) but a much smaller
> fraction of the profit the equipment produces, than if say the initial
> immediate profit were $500k USD).
> 
> 
> Make sense?
> 
> 
> I don't have enough information to make an informed business decision
> (it is being very closely held), so I am trying to craft a bare
> minimum, a medium and a large scale option (2 variants each, multi
> vendor and single vendor).... since I don't have and possibly won't be
> given the proper financials... this seems to be my best approach....
> 
> On 6/10/05, Arie Vayner <arievayner at gmail.com> wrote:
> > Hi
> >
> > I would have taken a slightly different approach if I had to operate a
> > web site which is worried about DDoS.
> > Instead of building very high (and expensive) walls (like buying
> > 6500's for a web site that needs 2 T1's), I would have put a server in
> > a colo space using the minimum equipment I need (a pair of 2950...)
> >
> > On top of that, I would have chosen a colo that is DDoS-aware, and
> > runs some kind of a shared DDoS protection system (like the late
> > Riverhead Guard/Cisco Guard XT 5650).
> > The colo operator would have more than enough
> > bandwidth/equipment/procedures to fight DDoS because they have them
> > all the time, and the Guard device would dramatically improve the
> > chances to be able to keep the site up and running during DDoS
> > attacks.
> >
> > Arie
> > CCIE#12198
> >
> > On 6/9/05, Sam Crooks <sam.a.crooks at gmail.com> wrote:
> > > I asked a question yesterday regarding setting up an org as an ASN with
> > > ARIN. Thanks for the off-list responses.  The process is underway.
> > >
> > > My question has 2 parts:
> > >
> > > What is the minimum router these days to peer with other AS's?
> > >
> > > 3700/3800? 7200VXR? 7301? 7304? 7600? 12000GSR? M7? M10? M20? M40?
> > >
> > > Recommended router?
> > >
> > > As far as BGP peering, options being discussed with SPs are partial routes
> > > (with or without default route) and full routes (with and without default
> > > route).  Current access speed to the Internet is 2xT1 at 2 locations, in an
> > > active-standby setup, static routes to the SPs (no BGP, currently).
> > >
> > > Initial bandwidth needs would be similar; however, this will scale
> > > significantly (sales-driven), not to mention DDoS protection.
> > >
> > > The org is a ripe target for a DDoS attack, given the business (financial
> > > transaction processing).  For example, here is a recent development in the
> > > industry:  http://www.eweek.com/article2/0,1759,1662704,00.asp
> > >
> > > What access speed and router can withstand a DDoS attack these days,
> > > assuming appropriate security measures are taken (CAR, NBAR, bogon filters,
> > > etc.)?
> > >
> > > Cost (as always) is an issue; however, the business case could certainly be
> > > made to justify appropriately sized border routers and adequate access
> > > speeds.  Note that this is not for transit for customers, but for Internet
> > > connectivity for the enterprise for handling the business service traffic,
> > > and for withstanding DDoS attacks on the business.
> > >
> > > I appreciate any replies (off-list if you wish).
> > >
> > > Regards,
> > >
> > > Sam
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
>


