[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?

Tantsura, Jeff jtantsura at ugceurope.com
Mon Jun 13 02:39:31 EDT 2005


Hi,

Totally agree with Arie. I'd look especially at a combination of DDoS
mitigation tools with traffic scrubbing (Arbor + Riverhead Guard/Cisco Guard XT
5650); that would do just fine. Today it is the only way to survive.

Jeff 

--
Jeff Tantsura  CCIE# 11416
Senior IP Network Engineer

-----Original Message-----
From: Arie Vayner [mailto:arievayner at gmail.com] 
Sent: 10 June 2005 22:24
To: sam_crooks at yahoo.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Modern BGP peering border router and DDoS attack
defense recommendations?

Hi

I would have taken a slightly different approach if I had to operate a
web site which is worried about DDoS.
Instead of building very high (and expensive) walls (like buying
6500's for a web site that needs 2 T1's), I would have put a server in
a colo space using the minimum equipment I need (a pair of 2950...)

On top of that, I would have chosen a colo that is DDoS-aware, and
runs some kind of a shared DDoS protection system (like the late
Riverhead Guard/Cisco Guard XT 5650).
The colo operator would have more than enough
bandwidth/equipment/procedures to fight DDoS because they have them
all the time, and the Guard device would dramatically improve the
chances to be able to keep the site up and running during DDoS
attacks.

Arie
CCIE#12198

On 6/9/05, Sam Crooks <sam.a.crooks at gmail.com> wrote:
> I asked a question yesterday regarding setting up an org as an ASN with
> ARIN. Thanks for the off-list responses.  The process is underway.
>
> My question has 2 parts:
>
> What is the minimum router these days to peer with other AS's?
>
> 3700/3800? 7200VXR? 7301? 7304? 7600? 12000GSR? M7? M10? M20? M40?
>
> Recommended router?
>
> As far as BGP peering, options being discussed with SPs are partial routes
> (with or without default route) and full routes (with and without default
> route).  Current access speed to the Internet is 2xT1 at 2 locations, in an
> active-standby setup, static routes to the SPs, (no BGP, currently).
>
> Initial bandwidth needs would be similar, however, this will scale
> significantly (sales-driven), not to mention DDoS protection.
> 
> The org is a ripe target for a DDoS attack, given the business (financial
> transaction processing).  For example, here is a recent development in the
> industry:  http://www.eweek.com/article2/0,1759,1662704,00.asp
>
> What access speed and router can withstand a DDoS attack these days,
> assuming appropriate security measures are taken (CAR, NBAR, bogon filters,
> etc)?
>
> Cost (as always) is an issue, however the business case could certainly be
> made to justify appropriately sized border routers and adequate access
> speeds.  Note that this is not for transit for customers, but for internet
> connectivity for the enterprise for handling the business service traffic,
> and for withstanding DDoS attacks on the business.
>
> I appreciate any replies (off-list if you wish).
>
> Regards,
>
> Sam
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
