[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Tantsura, Jeff
jtantsura at ugceurope.com
Tue Jun 14 05:13:49 EDT 2005
There is no way you could ACL a properly set up DDoS without impacting your
customers. Imagine - a web-based VIP customer is getting 10K connections per
second instead of the usual 1K; how would you ACL 9K of zombies?
IMHO this could only be done with a long-term analysis of what is normal or
abnormal for those specific hosts + traffic scrubbing.
Jeff
--
Jeff Tantsura CCIE# 11416
Senior IP Network Engineer
-----Original Message-----
From: David J. Hughes [mailto:bambi at Hughes.com.au]
Sent: 14 June 2005 02:01
To: Tantsura, Jeff
Cc: cisco-nsp at puck.nether.net; 'Arie Vayner'; sam_crooks at yahoo.com
Subject: Re: [c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
On 13/06/2005, at 4:39 PM, Tantsura, Jeff wrote:
>
> Totally agree with Arie, I'd look especially at a combination of DDoS
> mitigation tools with traffic scrubbing (Arbor + Riverhead Guard/Cisco
> Guard XT 5650), which would do just fine. Today it is the only way to
> survive.
Running something like the Esphion's NetDetect product in combination
with ASIC based L3 filtering as previously discussed gets you a long
way to being "protected". You can do basic detection with automated
thresholding on netflow reports etc but we've found the detection rate
of the Esphion box to be right up there.
The decision of whether to try to scrub the traffic in flight or to ACL
it at the border depends greatly on what level of service you are
providing to your customers - and whether trying to keep your customer
up is as important as keeping your network up.
David
...
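The "automated thresholding on netflow reports" and per-host "normal or abnormal" analysis mentioned in this thread can be sketched as follows. This is an added example, not part of either message and not any vendor's algorithm; the EWMA constants, the deviation floor and the sample rates are assumptions, and the flow summaries are constructed. It flags which destination is abnormal, not which of its sources are zombies.

```python
"""Per-destination baseline thresholding over flow summaries (added example)."""
from collections import defaultdict

ALPHA = 0.1        # EWMA weight given to each new sample (assumption)
K_SIGMA = 4.0      # alert when rate exceeds mean + K_SIGMA * deviation
MIN_SAMPLES = 5    # warm-up intervals before a host is allowed to alert
FLOOR = 50.0       # minimum deviation, avoids alerts on tiny absolute changes


class HostBaseline:
    def __init__(self):
        self.mean, self.dev, self.n = 0.0, 0.0, 0

    def observe(self, rate):
        """Return True if rate is anomalous; learn only from normal samples."""
        if self.n >= MIN_SAMPLES:
            limit = self.mean + K_SIGMA * max(self.dev, FLOOR)
            if rate > limit:
                return True  # keep attack traffic out of the baseline
        if self.n == 0:
            self.mean = rate
        else:
            self.dev = (1 - ALPHA) * self.dev + ALPHA * abs(rate - self.mean)
            self.mean = (1 - ALPHA) * self.mean + ALPHA * rate
        self.n += 1
        return False


def detect(samples):
    """samples: iterable of (interval, dst_ip, new_flows_per_sec)."""
    baselines = defaultdict(HostBaseline)
    alerts = []
    for interval, dst, rate in samples:
        if baselines[dst].observe(rate):
            alerts.append((interval, dst, rate))
    return alerts


# Constructed data: a busy web VIP (~1K conn/s) and a quiet host (~20 conn/s).
SAMPLES = []
for t, vip in enumerate([1000, 980, 1050, 1020, 990, 1010, 10000, 9800, 1000]):
    SAMPLES.append((t, "192.0.2.10", vip))
    SAMPLES.append((t, "192.0.2.20", 900 if t == 7 else 20))

if __name__ == "__main__":
    for alert in detect(SAMPLES):
        print("anomaly: interval=%d dst=%s rate=%d/s" % alert)
```

A rate of 900/s is below the VIP's normal load yet alerts for the quiet host, which is why a single global threshold does not work here.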