On Thu, Dec 19, 2013 at 10:30 PM, den...@justipit.com <den...@justipit.com> wrote:
> Just about every security, network and ADC vendor out there is claiming
> anti-DoS capabilities. Be careful when going that route and do your own
> validation. I suggest looking at Radware and Arbor (both leaders in the
> market). To successfully mitigate an attack the ideal solutions will weed
> out the attack and allow legitimate traffic to continue. Many of the
> solutions in the commercial market are not much more than rate limiters and
> are not very forgiving. Just as important, realize that while spoofed UDP floods
> are popular they are often only the first vector; if successfully
> mitigated, attackers quickly adjust and follow with more complex vectors
> such as application attacks toward HTTP, SSL, DNS query floods, etc.
> Remember their goal is to bring you down, divert your attention while
> they steal your data or perhaps transfer funds. They will go to far
> lengths to achieve their end result. As you can imagine it's much harder
> to identify the attack characteristics or for that matter the attacker in
> these more complex cases. In summary, I'm a firm believer in a hybrid
> approach with a combination of infrastructure ACLs, RTBH, QoS, uRPF, TCP
> stack hardening, local anti-DDoS appliances for application attacks and
> network floods under link capacity to allow you to stay up while deciding
> to shift routes into the cloud, and the ability to swing upstream to a cloud
> scrubbing center (in house or third party).
>

I know a bit about Radware, and what they do is to learn a traffic pattern: where traffic usually comes from and when. In case a certain threshold is exceeded, they start dropping traffic from new sources never seen before and then drop some previously seen traffic.

This works if you are a company with a very localized visitor base (like a banking site for a certain national or local bank, an e-shop and so on), but it kind of doesn't scale that much when it comes to "we have people all over the place and we get DDoS-ed with legitimate requests that only consume server resources". What providers do in some regions is to blackhole your subnet if you reach a certain number of packets per second. It sucks, but hey, they also have infrastructure to protect.

Eugeniu
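The behavioral mechanism Eugeniu describes (learn the usual sources, then under load drop never-seen sources first and shed known sources second) can be modelled to show why it hurts a geographically dispersed user base. This is an added illustration, not code from the thread or from any vendor's product; the address ranges, packet counts and the threshold of 20 packets per window are constructed values.

```python
from collections import Counter

def learn_baseline(packets):
    """Learning phase: record every source address seen in normal traffic."""
    return {src for src, _ in packets}

def mitigate(packets, known, threshold):
    """Two-stage drop policy for one window of packets.

    packets: list of (src_ip, label); label is 'legit' or 'attack' and is
    used only to measure collateral damage, the filter never looks at it.
    Returns (passed, dropped).
    """
    if len(packets) <= threshold:          # under threshold: pass everything
        return list(packets), []
    # Stage 1: drop sources never seen during learning.
    passed = [p for p in packets if p[0] in known]
    dropped = [p for p in packets if p[0] not in known]
    # Stage 2: still over threshold, shed the heaviest known sources.
    if len(passed) > threshold:
        excess = len(passed) - threshold
        shed = set()
        for src, n in Counter(src for src, _ in passed).most_common():
            if excess <= 0:
                break
            shed.add(src)
            excess -= n
        dropped += [p for p in passed if p[0] in shed]
        passed = [p for p in passed if p[0] not in shed]
    return passed, dropped

def legit_dropped(dropped):
    """Number of legitimate packets lost to the filter (collateral damage)."""
    return sum(1 for _, label in dropped if label == 'legit')

def run_scenario(new_legit_sources):
    """Constructed scenario: five regular sources form the baseline; the attack
    window then carries 10 regular packets, one packet from each of
    new_legit_sources first-time visitors, and 50 spoofed attack packets."""
    baseline = [(f"10.0.0.{i}", 'legit') for i in range(1, 6)] * 4
    known = learn_baseline(baseline)
    window = [(f"10.0.0.{i % 5 + 1}", 'legit') for i in range(10)]
    window += [(f"198.51.100.{i}", 'legit') for i in range(1, new_legit_sources + 1)]
    window += [(f"203.0.113.{i}", 'attack') for i in range(1, 51)]
    passed, dropped = mitigate(window, known, threshold=20)
    return {"passed": len(passed), "dropped": len(dropped),
            "legit_lost": legit_dropped(dropped)}

if __name__ == "__main__":
    print(run_scenario(5))    # localized user base: few first-time visitors lost
    print(run_scenario(40))   # dispersed user base: most legitimate traffic lost
```

With a localized audience only 5 legitimate packets are lost; with a dispersed one, 40 of the 50 legitimate packets in the window are dropped along with the attack, which is the scaling problem the reply points out.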