Hi Payam, I agree that if you have a bottleneck then remove it. I don't suggest firewalls for surviving DDoS and would recommend a router with ACLs, which will have better survivability due to PPS performance. There will be a point however where the cost of designing your network to survive will outweigh the cost of a DDoS Protection Service. When you see attacks of over 100G this starts to become a costly exercise.

Mike

On 15 April 2016 at 09:02, Payam Chychi <pchy...@gmail.com> wrote:
> Having created ddos mitigation solutions and specialized networks, it's not that simple, as certain companies can't simply offload data and provide their, say, ssl key to a ddos mitigation provider (simplest port http/https proxy solution)... and most companies won't have the proper equipment to perform ipsec or gre + bgp offloading, nor will they have the funds to pay +10k-15k MRC.
>
> So... if you already have a 10gig pipe and the 'current' bottleneck is your asa5500 'state', then fix that the best you can while assessing what your longer term goals are.
>
> Try putting in drop ACLs above to deny what you don't need. Enable tcp syn proxy if you can and set up aggressive age timeouts so the table does not max out. Install proper monitoring to identify attacks and use the information for better drop acls. A decent linux server with the latest Iptables, which now fully supports a new syn proxy, can handle almost 2Mil req/second without impact to other traffic.
>
> Cisco ASA (any of them) were never meant to be ddos mitigation appliances. Replacing the asa with a Juniper SRX will help greatly. Put a proper ddos appliance in front to filter bad traffic, then use your asa for your ips/ids/security, which will be fine at lower levels.
>
> Thanks,
> Payam
>
> On 2016-04-14, 3:45 PM, Michael Gehrmann wrote:
>> +1 for Dave's comment. You can only survive until your upstream is congested.
>>
>> Mike
>>
>> On 15 April 2016 at 08:05, Dave Bell <m...@geordish.org> wrote:
>>> In my opinion trying to scrub DDoS traffic yourself is a losing battle. It's likely that an attacker can easily fill the ingress points onto your network. If this is the case, then legitimate traffic will be dropped before it even hits you. The damage is already done. The only way around this is bigger links, which can be costly, and you're not even guaranteed to have links big enough to cope with an attack.
>>>
>>> You're better off looking at your upstreams to assist you with this. They likely have some form of traffic scrubbing solution that you can employ when under attack. It's likely a lot easier for you to administrate too.
>>>
>>> Regards,
>>> Dave
>>>
>>> On 14 April 2016 at 22:57, Payam Chychi <pchy...@gmail.com> wrote:
>>>> What gear do you currently have? What do your filtering rules look like? You don't need to buy new gear if you're filtering much of the bad traffic at the edge using simple ACLs.
>>>>
>>>> On Apr 14, 2016, 2:39 PM -0700, Dovid Bender <do...@telecurve.com> wrote:
>>>>> Why not use an external service to scrub your traffic?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Dovid
>>>>>
>>>>> -----Original Message-----
>>>>> From: Satish Patel <satish....@gmail.com>
>>>>> Sender: "juniper-nsp" <juniper-nsp-boun...@puck.nether.net>
>>>>> Date: Thu, 14 Apr 2016 17:35:17
>>>>> To: <juniper-nsp@puck.nether.net>
>>>>> Subject: [j-nsp] Cisco vs Juniper confused
>>>>>
>>>>> This is my first post here. We are a small-size company and now we are getting harassed by DDoS stuff. We have a 10G link in our network terminated on an L3 Cisco switch and from there other switches. Everything was working great but recently we started seeing DDoS more and more. They are filling the 10G link using NTP, IP frag etc. attacks.
>>>>>
>>>>> Now we are looking for big gear so we can keep the bad guys out and scrub traffic, but we are confused by the Juniper vs Cisco war.. I am not able to decide what to buy and how it will help us. I have the following in my mind. We thought about an ASR firewall too but are not sure whether it can handle DDoS or not.
>>>>>
>>>>> Need your suggestion on what I should buy and why. One more thing: we are planning to run BGP so we can do null triggering etc.
>>>>>
>>>>> MX80 vs ASR100X - Is this enough to handle DDoS and filter traffic?
>>>>>
>>>>> MX240 vs ASR900X
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>> --
>> Michael Gehrmann
>> Senior Network Engineer - Atlassian
>> m: +61 407 570 658

--
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658
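Payam's advice above (drop ACLs for what you don't need, a TCP SYN proxy, and aggressive state timeouts so the conntrack table cannot max out) and Satish's mention of NTP reflection filling the link can be turned into a concrete Linux configuration. The script below is an added example written for this page; it is not from the thread or from any of the vendors discussed. It assumes a kernel with the netfilter SYNPROXY target (3.13 or later) and an iptables with the conntrack and length matches; the interface name, port numbers and the 200-byte NTP size threshold are constructed placeholders, and the TCP options given to SYNPROXY (wscale, mss, timestamps, SACK) must match what your real server advertises. The rules are written for INPUT, i.e. the Linux box is the service endpoint; a box acting as an inline filter would carry the same SYNPROXY and INVALID rules in FORWARD instead. Fragment and NTP floods are better dropped on the upstream router ACL as Mike suggests, since the goal is to keep them off the 10G link, not just off the host.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset and
# the sysctls for the "drop ACLs + TCP SYN proxy + short state timeouts" setup
# described in the discussion, for a Linux box fronting a TCP service.
# Assumptions (constructed for this example): kernel 3.13+ with the SYNPROXY
# target, iptables with the conntrack and length matches; interface and port
# names are placeholders; the 200-byte NTP threshold is a per-site choice.

# gen_synproxy_rules IFACE PORT... : print an iptables-restore ruleset.
gen_synproxy_rules() {
    iface=$1
    shift
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Drop ACL: NTP reflection replies (monlist) are large, while a normal NTP
# time exchange carries a 48-byte payload. Narrow to your own NTP servers
# if this host also runs an NTP client.
-A PREROUTING -i $iface -p udp --sport 123 -m length --length 200:65535 -j DROP
EOF
    for port in "$@"; do
        # No conntrack entry for an unverified SYN: SYNPROXY answers it with a
        # syncookie and state is only created once the client's ACK validates.
        echo "-A PREROUTING -i $iface -p tcp --dport $port --syn -j CT --notrack"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in "$@"; do
        # Untracked SYNs and the ACKs that follow are handed to SYNPROXY, which
        # completes the handshake to the local service only for real clients.
        # The TCP options here must match what the real server advertises.
        echo "-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
    done
    cat <<EOF
# Anything conntrack could not classify (spoofed ACK/RST floods) is dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# gen_sysctls : settings SYNPROXY requires, plus the "aggressive age timeouts"
# so a half-open flood cannot fill the state table.
gen_sysctls() {
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 10
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
EOF
}

# count_rules RULESET : number of "-A" rule lines, a quick sanity check
# before handing the text to iptables-restore.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Usage: sh synproxy.sh IFACE PORT...          (print only)
#        sh synproxy.sh --apply IFACE PORT...  (as root: load sysctls and rules)
if [ "${1:-}" = "--apply" ]; then
    shift
    gen_sysctls | sed 's/ = /=/' | while read -r kv; do sysctl -w "$kv"; done
    gen_synproxy_rules "$@" | iptables-restore
else
    gen_sysctls
    gen_synproxy_rules "${1:-eth0}" "${2:-80}"
fi
```

Run it without `--apply` first and read the generated ruleset; the `raw` table's `CT --notrack` line is what keeps a SYN flood from consuming conntrack entries at all, and the shortened `syn_recv`/`syn_sent` timeouts bound how long any state that does get created can linger. Counters for the `SYNPROXY` and `INVALID` rules (`iptables -vnL INPUT`) are a cheap way to see an attack start, which feeds the monitoring-driven ACL tuning Payam recommends.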