Two more options. And for Netflow device - read that to mean Arbor or its competitors.

5. Ditch the stateful firewall and exclusively use a netflow device

6. Outsource to a hosted DDoS mitigation service (Prolexic etc)

On Tue, Jan 5, 2010 at 8:43 AM, Suresh Ramasubramanian <ops.li...@gmail.com> wrote:
> Do you -
>
> 1. Have (say) two firewalls in HA config?
>
> 2. Back your firewall with routing based measures, S/RTBH, blackhole
> communities your upstream offers, etc [the standard nspsec bootcamp
> stuff]
>
> 3. Simply back the firewall with a netflow based device?
>
> 4. Estimate that the risk of a DDoS that exceeds your firewall's rated
> capacity is extremely low? [and yes, 150k ++ connections per second
> ddos is going to be massive, and relatively rare for most people]