Dan,

If you are using sFlow for your measurements, then you might want to take a look at sFlow-RT for DDoS mitigation. The following case study describes how sFlow and null routing are being used to mitigate flood attacks:

http://blog.sflow.com/2013/03/ddos.html

The analytics engine will detect flood attacks in less than a second and you can use the embedded scripting API to initiate automated responses. The following articles contain basic DDoS mitigation scripts - you just need to replace the block() and allow() functions with calls to expect scripts, OpenFlow rules, or REST API calls - whatever makes sense in your environment.

http://blog.sflow.com/search/label/DoS

This is a commercial product, but it's free to try out (no registration required):

http://inmon.com/products/sFlow-RT.php

Cheers,
Peter

On Wed, Dec 18, 2013 at 8:36 AM, Dan White <dwh...@olp.net> wrote:

> Can anyone recommend a vendor solution for DDOS mitigation? We are looking
> for a solution that detects DDOS attacks from sflow information and
> automatically announces BGP /32 blackhole routes to our upstream providers,
> or a similar solution.
>
> Thank You.
>
> On 08/05/13 21:09 +1000, Ahad Aboss wrote:
>
>> Scott,
>>
>> Use a DDOS detection and mitigation system with DPI capabilities to deal
>> with traditional DDOS attack and anomalous behaviour such as worm
>> propagation, botnet attacks and malicious subscriber activity such as
>> flooding and probing. There are only a few vendors who successfully play
>> in this space who provide a self healing/self defending system.
>>
>> Cheers
>> Ahad
>> -----Original Message-----
>> From: sgr...@airstreamcomm.net [mailto:sgr...@airstreamcomm.net]
>> Sent: Friday, 2 August 2013 11:37 PM
>> To: nanog@nanog.org
>> Subject: ddos attacks
>>
>> I’m curious to know what other service providers are doing to
>> alleviate/prevent ddos attacks from happening in your network. Are you
>> completely reactive and block as many addresses as possible or null0
>> traffic to the affected host until it stops or do you block certain ports
>> to prevent them. What’s the best way people are dealing with them?
>>
>> Scott
>>
>
> --
> Dan White
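
The detect-then-blackhole loop discussed in this thread, sketched as an added example that is not part of any poster's message and is not sFlow-RT code. The thresholds, prefixes, hold time and the ExaBGP-style command strings returned by the stand-in block() and allow() hooks are all assumptions to adapt to your own environment.

```python
import ipaddress
from collections import Counter

# All values below are assumptions for this sketch, not taken from the thread.
SAMPLING_RATE = 1000     # 1-in-N sFlow packet sampling
BLOCK_PPS = 100_000      # announce when a destination exceeds this estimate
RELEASE_PPS = 10_000     # withdraw only once the estimate is below this
MIN_HOLD = 2             # full intervals a route is held before release is considered
NEXT_HOP = "192.0.2.1"   # discard next-hop (documentation address)
BLACKHOLE = "65535:666"  # well-known BLACKHOLE community, RFC 7999
PROTECTED = ipaddress.ip_network("198.51.100.0/24")  # our own prefix

def block(dst):
    """Stand-in for the block() hook: build a /32 blackhole announcement."""
    return f"announce route {dst}/32 next-hop {NEXT_HOP} community [{BLACKHOLE}]"

def allow(dst):
    """Stand-in for the allow() hook: withdraw the /32 again."""
    return f"withdraw route {dst}/32 next-hop {NEXT_HOP}"

def estimate_pps(sampled_dsts, interval_s):
    """Scale per-destination sample counts up to estimated packets/second."""
    counts = Counter(sampled_dsts)
    return {dst: n * SAMPLING_RATE / interval_s for dst, n in counts.items()}

def evaluate(sampled_dsts, interval_s, blocked):
    """Process one interval; `blocked` maps dst -> intervals held so far."""
    pps = estimate_pps(sampled_dsts, interval_s)
    commands = []
    for dst in sorted(blocked):
        blocked[dst] += 1
        # Blackholed traffic stops arriving, so a zero rate alone proves
        # nothing: hold the route past MIN_HOLD intervals to avoid flapping.
        if blocked[dst] > MIN_HOLD and pps.get(dst, 0.0) <= RELEASE_PPS:
            del blocked[dst]
            commands.append(allow(dst))
    for dst, rate in sorted(pps.items()):
        # Never originate a blackhole for address space we do not own.
        if (rate >= BLOCK_PPS and dst not in blocked
                and ipaddress.ip_address(dst) in PROTECTED):
            blocked[dst] = 0
            commands.append(block(dst))
    return commands

# Constructed sample: destination IPs of sampled packets in a 1 s interval.
ATTACK = ["198.51.100.10"] * 150 + ["198.51.100.20"] * 5 + ["203.0.113.5"] * 200

if __name__ == "__main__":
    state = {}
    for samples in (ATTACK, [], [], []):
        print(evaluate(samples, 1.0, state))
```

The returned strings would be written to whatever speaks BGP to the upstream; a /32 blackhole completes the denial of service for the one host in exchange for protecting the rest of the network, so the release path matters as much as the trigger.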