Re: DDoS detection and mitigation systems

2003-11-03 Thread Alex Yuriev

 Do you use/develop in-house tools to analyze Netflow on your peering routers
 and have that interface in near-realtime with the said routers to null route
 (BGP and RPF) the offending sources?

Source or destination? Null routing source of DOS is not going to do you any
good. Null routing destination, especially automatically null routing
destination, creates a large possibility of shooting yourself in the foot.

Alex



Re: DDoS detection and mitigation systems

2003-11-03 Thread Christopher L. Morrow


On Mon, 3 Nov 2003, Alex Yuriev wrote:


  Do you use/develop in-house tools to analyze Netflow on your peering routers
  and have that interface in near-realtime with the said routers to null route
  (BGP and RPF) the offending sources?

 Source or destination? Null routing source of DOS is not going to do you any
 good. Null routing destination, especially automatically null routing

unless you aren't concerned about pipe-usage and you run uRPF on that
pipe...

 destination, creates a large possibility of shooting yourself in the foot.


Yes, auto-actions for security, especially DoS-type things, tend to shoot
feet often :( Think Victoria's Secret Fashion Show, or the Cisco IOS upgrade for
all platforms released under lots of press coverage (like the protocols
problem earlier this year).

-Chris
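An added example, not part of the thread: a small Python model of the forwarding decision Alex and Chris are arguing about. It installs a /32 null route for either the attack source or the attacked destination and shows what happens to an attack flow and a legitimate flow with and without loose-mode uRPF on the ingress interface. All addresses, route names and the Router class are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

class Router:
    """Toy FIB with longest-prefix match; next hop "Null0" is a black hole."""

    def __init__(self, routes: Dict[str, str], loose_urpf: bool) -> None:
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        self.loose_urpf = loose_urpf

    def lookup(self, addr: str) -> Optional[str]:
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

    def forward(self, src: str, dst: str) -> str:
        # Loose-mode uRPF: discard the packet if the source address has no
        # route at all or its best route points at Null0.  Without this
        # check a source null route only affects traffic sent *to* the source.
        if self.loose_urpf:
            src_nh = self.lookup(src)
            if src_nh is None or src_nh == "Null0":
                return "dropped(uRPF)"
        dst_nh = self.lookup(dst)
        if dst_nh is None or dst_nh == "Null0":
            return "dropped(null-route)"
        return f"forwarded({dst_nh})"

# Constructed addressing (RFC 5737 documentation ranges):
#   203.0.113.10 is the attacked customer host,
#   198.51.100.7 an attack source, 192.0.2.9 a legitimate user.
BASE_ROUTES = {
    "203.0.113.0/24": "customer",
    "198.51.100.0/24": "peer-a",
    "192.0.2.0/24": "peer-b",
}
FLOWS = [("198.51.100.7", "203.0.113.10"), ("192.0.2.9", "203.0.113.10")]

def simulate(extra_routes: Dict[str, str], loose_urpf: bool) -> List[str]:
    """Install extra routes (e.g. a /32 to Null0) and report each flow's fate."""
    router = Router({**BASE_ROUTES, **extra_routes}, loose_urpf)
    return [router.forward(src, dst) for src, dst in FLOWS]

if __name__ == "__main__":
    print("source null route, no uRPF:", simulate({"198.51.100.7/32": "Null0"}, False))
    print("source null route + uRPF:  ", simulate({"198.51.100.7/32": "Null0"}, True))
    print("destination null route:    ", simulate({"203.0.113.10/32": "Null0"}, True))
```

The first run is Alex's point (a source null route alone drops nothing inbound), the second is Chris's caveat (with uRPF it drops only the attacker), and the third is the foot-shooting case, where the victim's legitimate traffic is discarded along with the attack.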


DDoS detection and mitigation systems

2003-11-02 Thread Mailing List Subscriptions


I am looking for real world feedback on the effectiveness of DDoS detection
and mitigation devices from Riverhead, Top Layer, ISS (Proventia), Melior,
etc. Some of them make pretty impressive claims of performance; too good to
be true?

This would be used in conjunction with other techniques as part of the
defense-in-layers approach to DDoS protection for my client. An important
consideration would be the ability to scale to Gbps rate and beyond.

Also, has anyone deployed Arbor Networks Peakflow or similar platforms to
successfully detect and mitigate sizeable (100+ Mbps) DDoS attacks involving
1,000-20,000 attack sources?

Do you use/develop in-house tools to analyze Netflow on your peering routers
and have that interface in near-realtime with the said routers to null route
(BGP and RPF) the offending sources?

Last but not least, how many of you offer (or would offer) DDoS protection
with a strict SLA (e.g. attacks mitigated within X time units) as a
value-added service?

Thanks!


Regards,
Joe