I looked at one of the suggested out-sourced providers. Based on a sample size of 1, the mitigating mechanisms are DNS redirection and BGP/tunneling.
While both of these solutions may be useful for an end-user (even large ones), I don't see them fitting in an SP environment. "If something goes wrong, I want my own, local, big-red button." Rick On Tue, Jan 5, 2010 at 7:50 AM, Martin Hannigan <mar...@theicelandguy.com>wrote: > > > On Mon, Jan 4, 2010 at 4:19 PM, Rick Ernst <na...@shreddedmail.com> wrote: > >> Looking for D/DoS mitigation solutions. I've seen Arbor Networks >> mentioned >> several times but they haven't been responsive to literature requests >> (hint, >> if anybody from Arbor is looking...). Our current upstream is 3x GigE >> from >> 3 different providers, each landing on their own BGP endpoint feeding a >> route-reflector core. >> >> I see two possible solutions: >> - Netflow/sFlow/***Flow feeding a BGP RTBH >> - Inline device >> >> > > - Outsource to service provider > > > Netflow can lag a bit in detection. I'd be concerned that inline devices >> add an additional point of failure. I'm worried about both failing-open >> (e.g. network outage) and false-positives. >> > > How often are you getting DDoS'd? > > The financials of using a managed service provider vs. > buy-all-your-own-grrovy-stuff can be fairly compelling especially if the > amount of DDoS you experience is almost nil. > > Re: Arbor. I don't have any recent experience, but they've been around for > a long time, have a very experienced team that understands ISP and > enterprise and the product is mature. Hard to go wrong if you can justify > the costs. YMMV. > > Best, > > -M< > > > -- > Martin Hannigan mar...@theicelandguy.com > p: +16178216079 > Power, Network, and Costs Consulting for Iceland Datacenters and Occupants > >
