[c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
Tantsura, Jeff
jtantsura at ugceurope.com
Tue Jun 14 05:48:39 EDT 2005
I've started with - put your vital web-based services in a tier 1/2 SP COLO.
From my experience, decent application-based DoS attacks are not about gigs
of traffic but exhaustion of web server farm resources.
Again, a properly set up web server farm with a decent load balancer in front
+ health check on application level will provide you great protection, but
it's very expensive to build.
Jeff
-----Original Message-----
From: David J. Hughes [mailto:bambi at Hughes.com.au]
Sent: 14 June 2005 11:25
To: Tantsura, Jeff
Cc: cisco-nsp at puck.nether.net; 'Arie Vayner'; sam_crooks at yahoo.com
Subject: Re: [c-nsp] Modern BGP peering border router and DDoS attack defense recommendations?
On 14/06/2005, at 7:13 PM, Tantsura, Jeff wrote:
> There is no way you could ACL a properly set up DDoS without impacting your
> customers. Imagine - a web-based VIP customer is getting 10K connections per
> second instead of the usual 1K; how would you ACL 9K of zombies?
> IMHO this could only be done with a long-term analysis of what is normal or
> abnormal to those specific hosts + traffic scrubbing.
Couldn't agree with you more. However, from our experience, very few
DoS attacks are properly set up. In fact, most of them aren't very
distributed at all. Maybe a couple of hundred source addresses. We
have found that simple ASIC-based L3 filtering has either totally
countered or at least significantly reduced the impact of the vast
majority of DDoS attacks we've seen.
I didn't say it was perfect, but it does get you quite a lot of
protection. To scrub the data you need to be 100% sure that your
border routers can withstand whatever packet rate the attack eventually
produces - and you never know what that rate will be. If you can't
cope, and your borders start falling over, the single client that is
the attack target will be the least of your problems.
David
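The two positions in this exchange (Jeff's "long-term analysis of what is normal or abnormal to those specific hosts", and David's observation that most attacks come from a couple of hundred sources that simple L3 filtering can handle) can be put together in a small defensive script. The following is an added example, not code from the cisco-nsp thread or from either poster: it builds a per-host connections-per-second baseline from a constructed connection log, flags seconds that exceed a multiple of that baseline, ranks the sources active in the flagged window by their own rate, and renders the high-rate ones as a candidate Cisco IOS extended ACL for an operator to review. The record format `(timestamp, dst_host, src_ip)`, the host name `www`, the TEST-NET addresses, the ACL number 150 and the thresholds are all assumptions of the example.

```python
"""Baseline-driven flood detection and candidate L3 filter generation.

Added example for the cisco-nsp thread above; not the posters' own code.
Input is a constructed list of (timestamp_seconds, dst_host, src_ip)
connection records, as one might derive from load-balancer or flow logs.
"""
from collections import Counter
import ipaddress


def build_sample_records():
    """Constructed sample: 60 s of normal traffic to 'www' at 10 conn/s from
    50 legitimate sources, then 10 s in which 30 extra sources each add
    3 conn/s (10x the baseline, mirroring the 1K -> 10K figure in the thread)."""
    records = []
    legit = [f"198.51.100.{i}" for i in range(1, 51)]   # TEST-NET-2 (RFC 5737)
    zombies = [f"203.0.113.{i}" for i in range(1, 31)]  # TEST-NET-3 (RFC 5737)
    for sec in range(70):
        for k in range(10):
            # rotate through the legitimate sources: ~0.2 conn/s per source
            records.append((sec, "www", legit[(sec * 10 + k) % 50]))
        if sec >= 60:
            for z in zombies:
                for _ in range(3):  # 30 sources x 3 conn/s = 90 extra conn/s
                    records.append((sec, "www", z))
    return records


def per_second_rates(records, dst_host):
    """Connections per second aimed at dst_host: {second: count}."""
    counts = Counter(int(ts) for ts, dst, _ in records if dst == dst_host)
    return dict(sorted(counts.items()))


def baseline_rate(rates, warmup_seconds):
    """Mean conn/s over the first warmup_seconds, taken as 'normal' for the host.
    Seconds with no connections count as zero so quiet periods lower the baseline."""
    warm = [rates.get(s, 0) for s in range(warmup_seconds)]
    return sum(warm) / len(warm)


def anomalous_seconds(rates, base, factor):
    """Seconds whose rate exceeds factor * baseline."""
    return [s for s, c in rates.items() if c > factor * base]


def dominant_sources(records, dst_host, seconds, min_conn_per_sec):
    """Sources whose average rate during the anomalous seconds is at least
    min_conn_per_sec. Sources spread thinly (like the legitimate ones here at
    ~0.2 conn/s) stay below the bar; concentrated senders are returned."""
    secs = set(seconds)
    if not secs:
        return []
    counts = Counter(src for ts, dst, src in records
                     if dst == dst_host and int(ts) in secs)
    flagged = [src for src, n in counts.items() if n / len(secs) >= min_conn_per_sec]
    return sorted(flagged, key=ipaddress.ip_address)


def render_acl(acl_number, sources):
    """Cisco IOS extended ACL lines denying each flagged source, ending with
    an explicit permit so the list is safe to review as a whole."""
    lines = [f"access-list {acl_number} deny ip host {s} any" for s in sources]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def analyse(records, dst_host="www", warmup=60, factor=3.0, min_rate=1.0):
    """Run the whole pipeline and return (baseline, anomalous seconds, ACL lines)."""
    rates = per_second_rates(records, dst_host)
    base = baseline_rate(rates, warmup)
    bad = anomalous_seconds(rates, base, factor)
    sources = dominant_sources(records, dst_host, bad, min_rate)
    return base, bad, render_acl(150, sources)


if __name__ == "__main__":
    base, bad, acl = analyse(build_sample_records())
    print(f"baseline {base:.1f} conn/s; {len(bad)} anomalous seconds")
    print("\n".join(acl))
```

The per-source ranking is what makes the difference between David's and Jeff's scenarios visible: with a few hundred sources each sending several times the rate of a normal client, the flagged list is short and filterable on an ASIC; with thousands of zombies each sending at roughly a legitimate client's rate, `dominant_sources` returns little or nothing, which is exactly the case where Jeff says only scrubbing helps. The ACL is emitted as text for review rather than applied automatically.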