[c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?

Dobbins, Roland rdobbins at arbor.net
Mon Dec 21 20:43:46 EST 2009


On Dec 22, 2009, at 8:23 AM, Steve Bertrand wrote:

> I've even heard of some 'upstream' providers offering a community, that after you've proven yourself to have clue, will allow you to BH up to a /29 within their network...

Yes - however, this is going to be destination-based blackholing, in which one is essentially completing the DDoS for the attacker.

There's value in that, however, as the concept of partial service recovery is a valid one.

> ps. this is looking at the issue from a standpoint that not all DDoSs are bandwidth-saturating. Most that I've faced have not involved bandwidth saturation, but denial of service via more strategic, thoughtful and intriguing means.

Sadly, it all too often requires little in the way of bandwidth, throughput, strategy, thought, or intrigue to effectively DDoS many sites/properties, due to poor design and non-adherence to even the most basic principles of resilience and availability:

<http://www.nanog.org/meetings/nanog47/presentations/Monday/Dobbins_ISPSecTrac_N47_Mond.pdf>


-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken




