[c-nsp] Cisco Guard & the detection/mitigation modules for the 6500

Matt Buford matt at overloaded.net
Wed Oct 4 17:52:00 EDT 2006


>> In our hosting environment we have seen 600Mbps+ sized attacks
>> directed at 100Mbps ports which basically backscatters all of the
>> traffic > 100Mbps back upstream to our edges and in effect (eventually)
>> causes performance degradation. So it basically sounds like a who's got
>> the bigger pipe scenario? The 600 cable modem zombies, or your paid for
>> OC-12/Gig-E circuits? :D
>
> Depending on what you're doing, you may want to do some rate-limits
> to trim down on the traffic headed at these ports upstream.

At least in my experience, the high backscatter from the guard comes from 
SYN floods.  For every SYN, a SYN+ACK must be sent (if you want to be safe 
and keep things working).  You get 1 gigabit of SYNs inbound and the guard 
spits 1 gigabit of SYN+ACKs outbound.  Hosting providers often have lots of 
free inbound, but already busy outbound.  This can lead to the guard's 
SYN+ACKs congesting outbound capacity, perhaps affecting all customers 
instead of just the DDoS victim.

>> Is it a common scenario for people to sign up for circuits which
>> are not used unless there is an attack? Or do people in the hosting
>> environment generally just pay a lot more for bandwidth than they would
>> ever need?
>
> I've heard of people that will buy a 2nd gig-e and such just for
> the deployment of stuff like the guard, cloudshield and other types
> of DoS "scrubber" boxen.

What we do is take GigE handoffs from all of our providers, and then keep 
commit levels on each circuit low (like 100 Mbit).  This works well, keeping 
costs down and burst capacity high.  However, we are typically located in 
facilities with our transit providers right in the building, so there is no 
WAN circuit cost.  High burst capacity is much harder when you have to 
transport it across a WAN connection...

>> Also, does anyone know of any transit providers which (if paid
>> well enough) will deploy ddos services at their end of the circuits?
>
> I think most (large) providers have services along
> these lines.  You may not find it universal across all your providers,
> but a quick query to your ISP security team or sales
> team may provide you with a good answer.  If you're sufficiently
> multihomed, you may want/need to do this service internally.

I'm a hosting provider, not an ISP, but just something to keep in mind: 
Somehow the customer has to pay for that bandwidth.  I've seen many 
customers excited about the idea of us keeping them online through a DoS 
attack, but then they are unable/unwilling to pay their bandwidth bill after 
the server they normally pay a few hundred dollars a month for (with 1TB of 
transfer per month) does a gigabit inbound and a gigabit outbound (SYN+ACK 
backscatter) for days or even weeks. 
