Having created DDoS mitigation solutions and specialized networks, it's not that simple, as certain companies can't simply offload data and provide, say, their SSL key to a DDoS mitigation provider (simplest port HTTP/HTTPS proxy solution)... and most companies won't have the proper equipment to perform IPsec or GRE + BGP offloading, nor will they have the funds to pay +10k-15k MRC.
So... if you already have a 10gig pipe and the 'current' bottleneck is your ASA5500 'state', then fix that the best you can while assessing what your longer-term goals are.
Try putting in drop ACLs above to deny what you don't need. Enable TCP SYN proxy if you can and set up aggressive age timeouts so the table does not max out. Install proper monitoring to identify attacks and use the information for better drop ACLs. A decent Linux server with the latest iptables, which now fully supports a new SYN proxy, can handle almost 2Mil req/second without impact to other traffic.
Cisco ASAs (any of them) were never meant to be DDoS mitigation appliances. Replacing the ASA with a Juniper SRX will help greatly.
Put a proper DDoS appliance in front to filter bad traffic, then use your ASA for your IPS/IDS/security, which will be fine at lower levels.
Thanks,
Payam
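The "install proper monitoring, then feed it back into better drop ACLs" loop that Payam describes, and the edge-ACL filtering he suggests in his earlier reply, can be sketched as a small script. The following is an added example, not code from anyone in this thread: it aggregates a window of flow records by protocol and source port, flags the volumetric signatures the original poster saw (NTP reflection from UDP/123, IP fragment floods) and drafts deny lines for a human to review. The CSV layout, the 10% byte-share threshold, the sample flows and the IOS-style extended-ACL syntax are all assumptions made for illustration.

```python
"""Aggregate a window of flow records, flag volumetric DDoS signatures
(NTP reflection, IP fragments) and draft drop ACLs for review.

Added example, not from the juniper-nsp thread. The CSV layout, the
share threshold and the IOS-style ACL syntax are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample export (NetFlow-like, one flow per line):
# src_ip,src_port,dst_ip,dst_port,proto,packets,bytes,is_fragment
SAMPLE_FLOWS = """\
198.51.100.7,123,203.0.113.10,40211,udp,900000,432000000,0
198.51.100.9,123,203.0.113.10,51002,udp,850000,408000000,0
198.51.100.22,0,203.0.113.10,0,udp,500000,700000000,1
192.0.2.15,443,203.0.113.10,52344,tcp,1200,960000,0
192.0.2.33,53,203.0.113.10,61000,udp,300,45000,0
192.0.2.40,443,203.0.113.11,52345,tcp,800,640000,0
"""

Key = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int
    is_fragment: bool


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed CSV export into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(",")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), f[4],
                          int(f[5]), int(f[6]), f[7] == "1"))
    return flows


def aggregate(flows: List[Flow]) -> Dict[Key, int]:
    """Sum bytes per (proto, src_port). Non-initial fragments carry no
    ports, so they are pooled under a separate ("frag", None) key."""
    totals: Dict[Key, int] = defaultdict(int)
    for fl in flows:
        key: Key = ("frag", None) if fl.is_fragment else (fl.proto, fl.src_port)
        totals[key] += fl.nbytes
    return dict(totals)


def suspects(flows: List[Flow], share: float = 0.10) -> List[Tuple[Key, int]]:
    """Keys carrying more than `share` of all bytes in the window,
    largest first. Tune `share` against your normal traffic mix."""
    totals = aggregate(flows)
    grand = sum(totals.values()) or 1
    hot = [(k, v) for k, v in totals.items() if v / grand > share]
    return sorted(hot, key=lambda kv: -kv[1])


def draft_acl(flows: List[Flow], victim: str, share: float = 0.10,
              acl_number: int = 199) -> List[str]:
    """Render candidate extended-ACL lines (IOS-style syntax assumed) for a
    human to review before they go on the edge router. Only UDP source
    ports and fragments become deny lines; a busy TCP port is usually
    legitimate traffic and is left for manual review."""
    lines = []
    for (proto, sport), _ in suspects(flows, share):
        if proto == "frag":
            lines.append(f"access-list {acl_number} deny ip any host {victim} fragments")
        elif proto == "udp":
            # This also drops legitimate replies from that port (e.g. your
            # own NTP servers); add permit lines for those above these.
            lines.append(f"access-list {acl_number} deny udp any eq {sport} host {victim}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    for key, total in suspects(records):
        print(f"{key}: {total / 1e6:.0f} MB in window")
    print("\n".join(draft_acl(records, "203.0.113.10")))
```

On the constructed sample the UDP/123 sources and the fragment pool each exceed the 10% share and become deny candidates, while the HTTPS and DNS flows stay under it. The byte-share rule is deliberately simple; in practice you would baseline it per destination and per time of day so that a normal traffic peak does not get written into an ACL.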
On 2016-04-14, 3:45 PM, Michael Gehrmann wrote:
+1 for Dave's comment. You can only survive until your upstream is congested.
Mike
On 15 April 2016 at 08:05, Dave Bell <m...@geordish.org> wrote:
In my opinion trying to scrub DDoS traffic yourself is a losing battle. It's likely that an attacker can easily fill the ingress points onto your network. If this is the case, then legitimate traffic will be dropped before it even hits you. The damage is already done. The only way around this is bigger links, which can be costly, and you're not even guaranteed to have links big enough to cope with an attack.
You're better off looking at your upstreams to assist you with this. They likely have some form of traffic scrubbing solution that you can employ when under attack. It's likely a lot easier for you to administrate too.
Regards,
Dave
On 14 April 2016 at 22:57, Payam Chychi <pchy...@gmail.com> wrote:
> What gear do you currently have? What do your filtering rules look like?
> You don't need to buy new gear if you're filtering much of the bad traffic at the edge using simple ACLs.
>
>
>
> On Apr 14, 2016, 2:39 PM -0700, Dovid Bender <do...@telecurve.com>, wrote:
> > Why not use an external service to scrub your traffic?
> >
> > Regards,
> >
> > Dovid
> >
> > -----Original Message-----
> > From: Satish Patel <satish....@gmail.com>
> > Sender: "juniper-nsp" <juniper-nsp-boun...@puck.nether.net>
> > Date: Thu, 14 Apr 2016 17:35:17
> > To: <juniper-nsp@puck.nether.net>
> > Subject: [j-nsp] Cisco vs Juniper confused
> >
> > This is my first post here. We are a small-sized company and now we are getting hit hard by DDoS stuff. We have a 10G link in our network terminated on an L3 Cisco switch and from there other switches. Everything was working great but recently we started seeing DDoS more and more. They are filling the 10G link using NTP, IP frag, etc. attacks.
> >
> > Now we are looking for big gear so we can keep the bad guys out and scrub traffic, but I am confused between the Juniper vs Cisco war.. I am not able to decide what to buy and how it will help us. I have the following in my mind. We thought about an ASR firewall too but are not sure whether it can handle DDoS or not.
> >
> > Need your suggestion on what I should buy and why? One more thing: we are planning to run BGP so we can do null triggering etc.
> >
> > MX80 vs ASR100X - Is this enough to handle DDoS and filter traffic?
> >
> > MX240 vs ASR900X
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658