On Jan 29, 2010, at 10:04 AM, Jonathan Lassoff wrote:

> Something utilizing sflow/netflow and flowspec to block or direct traffic 
> into a scrubbing box gets you much better bang for your buck past a certain 
> scale.

This is absolutely key for packet-flooding types of attacks, and other attacks 
in which unadulterated pathological traffic can be detected/classified in 
detail, with minimal collateral damage.  Everyone should implement S/RTBH 
and/or flow-spec whenever possible, this cannot be emphasized enough.  
Operators have made significant investments in high-speed, ASIC-powered routers 
at their edges; there's no reason not to utilize that horsepower, as it's 
already there and paid for.

For situations in which valid and invalid traffic are highly intermixed, and/or 
layer-4/-7 heuristics are key in validating  legitimate traffic and 
invalidating undesirable traffic, the additional capabilities of an IDMS which 
can perform such discrimination can be of benefit.  As mentioned in a previous 
thread, it's possible to construct a base-level capability using open-source 
software, and commercial solutions from various vendors [full disclosure: I'm 
employed one of said vendors] are available, as well.

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken




Reply via email to