[c-nsp] Modern BGP peering border router and DDoS attack defe nse
recommendations?
David J. Hughes
bambi at Hughes.com.au
Mon Jun 13 20:00:55 EDT 2005
On 13/06/2005, at 4:39 PM, Tantsura, Jeff wrote:
>
> Totally agree with Arie, I'd look especially in combination of DDoS
> mitigation tools with traffic scrub (Arbor + Riverhead Guard/Cisco
> Guard XT
> 5650) would do just fine. Today is the only way to survive.
Running something like the Esphion's NetDetect product in combination
with ASIC based L3 filtering as previously discussed gets you a long
way to being "protected". You can do basic detection with automated
thresholding on netflow reports etc but we've found the detection rate
of the Esphion box to be right up there.
The decision of whether to try to scrub the traffic in flight or to ACL
it at the border depends greatly on what level of service you are
providing to your customers - and whether trying to keep your customer
up is as important as keeping your network up.
David
...
More information about the cisco-nsp
mailing list