[c-nsp] Cisco Guard & the detection/mitigation modules for the 6500

Drew Weaver drew.weaver at thenap.com
Tue Oct 3 10:25:44 EDT 2006


	1) The module for the "76k" series of devices really requires
SXF6 to work properly if you're going to deliver traffic back via GRE.
	2) Are you using the guard with any outside detection software?
(eg: arbor networks, etc..?)
	3) What are you "diverting" to the guard?

	The guard mostly does an ok job.  Depending on how it's
configured and the type of traffic diverted, you're likely to see
reasonable performance for most general applications.  You may need to
tune it for your environment.

	The overbuying bandwidth statement depends on who you are and
how you use the device.  The largest of these devices currently only
handles about a gig of traffic (today).  If you're seeing a multi-gig
attack, you either need multi-gigs of bandwidth with multiple guard
devices or to have your upstream(s) perform the mitigation for you.
Obviously attacks can vary and just hose a single upstream provider,
even if you have a 10g link to them.  If you have a 40g (oc768), I'd not
expect to see this problem today or in the semi-near future.

	If folks are determined enough, they'll fill up all your
bandwidth.  If what you want to do is mitigate a reasonable sized
attack, the guard can be a viable choice.  If they're really trying to
get you, you're SOL.  They'll make legit web requests and not just send
a syn/rst flood at you.

	- Jared
---------

Jared,

	In our hosting environment we have seen 600Mbps+ sized attacks
directed at 100Mbps ports which basically backscatters all of the
traffic > 100Mbps back upstream to our edges and in effect (eventually)
causes performance degradation. So it basically sounds like a who's got
the bigger pipe scenario? The 600 cable modem zombies, or your paid for
OC-12/Gig-E circuits? :D 

	Is it a common scenario for people to sign up for circuits which
are not used unless there is an attack? Or do people in the hosting
environment generally just pay a lot more for bandwidth than they would
ever need?

	Also, does anyone know of any transit providers which (if paid
well enough) will deploy ddos services at their end of the circuits?

Thanks,
-Drew