[c-nsp] Modern BGP peering border router and DDoS attack defe nse recommendations?

David J. Hughes bambi at Hughes.com.au
Mon Jun 13 20:00:55 EDT 2005



On 13/06/2005, at 4:39 PM, Tantsura, Jeff wrote:

>
> Totally agree with Arie, I'd look especially in combination of DDoS
> mitigation tools with traffic scrub (Arbor + Riverhead Guard/Cisco 
> Guard XT
> 5650) would do just fine. Today is the only way to survive.

Running something like the Esphion's NetDetect product in combination 
with ASIC based L3 filtering as previously discussed gets you a long 
way to being "protected".  You can do basic detection with automated 
thresholding on netflow reports etc but we've found the detection rate 
of the Esphion box to be right up there.

The decision of whether to try to scrub the traffic in flight or to ACL 
it at the border depends greatly on what level of service you are 
providing to your customers - and whether trying to keep your customer 
up is as important as keeping your network up.


David
...



More information about the cisco-nsp mailing list