DDoS mitigation service

Can anyone recommend DDoS mitigation companies with US east coast
presence that provide the services via BGP? We are not interested in an
appliance but rather offloading the traffic.


Arbor Networks..


I would look at Verisign's VIDN product:



Look up DOSArrest. (dosarrest.com)

3 permanent cases easily solved with them.

And no, I'm not one of their sales rep =D

Hi Matt,

Are you still looking for ddos protection?

Ameen Pishdadi

The 3 major scrubbing vendors:


Prolexic has the ability to announce a /24 for you, and scrub the whole thing, then pipe it back to you via a GRE tunnel or dedicated circuit. All of the companies mentioned do this for a living, and are pretty good at what they do. There are other vendors as well that do FQDN scrubbing for you (which is the normal way to do it). You swing the DNS A record to point to their provisioned VIP, and they proxy back the traffic to you. This doesn't do anything to prevent attacks against IP addresses rather than resolved FQDNs.

It's important to note that all mitigation techniques can have a negative impact and should be tested first. The scrubbing centers are only one solution and you should equip yourself with multiple layers of defense, separated by where they live:

Beyond the carrier perimeter
- Scrubbing farms in IP-routed mode
- Scrubbing farms in DNS-routed mode
- CDNs to deliver high value target pages, like main corporate pages and login windows
- Globally Anycast DNS auth slaves through a CDN

Beyond your perimeter (carriers)
- Geoblocks
- Zombie detection and rate limits
- Flowspec routes via monitoring tools like Arbor's
- Various other carrier-specific security offerings
- Provision a secondary circuit to carry non-public IP space, for corporate web/out, phones, VPN etc. If the main pipe comes under attack, you can still carry out some critical business and B2B functions

Within the perimeter
- Load balancers
- Firewalls
- Reverse proxies
- Blackhole routes
- Flowspec routes (i.e. Arbor)
- A span tap on the internet feed(s) connected to a tcpdump box (silly and cheap, but highly useful to generate sigs and collect intel)

Not all DDoS are created equal, and there can always be some leakage by protections further out; the protections closer in allow for a faster and more granular response, but you're really limited to the circuit sizes, session limits etc. I would highly recommend that you also join industry specific cyberintelligence organizations, like any of the -ISACs, and/or a cyberintel provider if you don't have access to an -ISAC. The 3 major areas of infosec business focus in 2013 that I see will be insourcing malware analysis + automation of IOC generation, cyberintelligence, and DDoS mitigations. Businesses have realized that relying solely on external vendors to provide these services in a generic way results in good service but slower turnaround times; the insourced components become both a first tier of defense, and also a specialized set of incident responders that understand the business.
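
The message above notes that DNS-routed scrubbing only covers names whose A record points at the provider's VIP, and does nothing for addresses reached directly. The following is an added example, not part of the original thread, that audits a zone for names still resolving into your own address space; the zone contents, VIP range and origin range are constructed (documentation addresses) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real hosts).
SCRUBBER_VIPS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed provider VIP range
ORIGIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # assumed own public space
ZONE = """\
www.example.com.    300 IN A     198.51.100.10
login.example.com.  300 IN A     198.51.100.11
mail.example.com.   300 IN A     203.0.113.25
ftp.example.com.    300 IN A     203.0.113.40
example.com.        300 IN MX    10 mail.example.com.
api.example.com.    300 IN CNAME www.example.com.
"""

def parse_zone(text):
    """Return {name: [(rtype, rdata), ...]} from 'name ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            records.setdefault(parts[0].lower(), []).append((parts[3], parts[4].strip()))
    return records

def resolve(name, records, depth=0):
    """Follow in-zone CNAMEs and return the A addresses a name ends up at."""
    if depth > 8:  # guard against CNAME loops
        return []
    addrs = []
    for rtype, rdata in records.get(name.lower(), []):
        if rtype == "A":
            addrs.append(ipaddress.ip_address(rdata))
        elif rtype == "CNAME":
            addrs.extend(resolve(rdata, records, depth + 1))
    return addrs

def classify(records):
    """Label each addressable name; a single origin address marks it exposed."""
    result = {}
    for name in records:
        for addr in resolve(name, records):
            if any(addr in net for net in ORIGIN_NETS):
                result[name] = "origin-exposed"
            elif any(addr in net for net in SCRUBBER_VIPS):
                result.setdefault(name, "scrubbed")
            else:
                result.setdefault(name, "other")
    return result

if __name__ == "__main__":
    for name, status in sorted(classify(parse_zone(ZONE)).items()):
        print(f"{status:15} {name}")
```

Names reported as origin-exposed are the ones that still need IP-routed scrubbing or one of the closer-in layers from the list above.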


Akamai (CDN) does scrubbing???


Hi Pierre,

Thank you for your interesting note.


I'm sure there are other things Akamai does in the security sector as well.

I'm aware that they exist but don't have any knowledge or experience with CloudFlare.

If you're considering using them, I would ask them for a list (under NDA) of what large enterprises use them, what their POPs are - global is good - and for any analytical product they have relating to DDoS that they have mitigated and investigated. Also a procedure guide on how you would engage them in event of a DDoS. You should really be asking a lot of questions before signing anything with anyone, and once you select one - TEST IT!!! A lot of orgs do not test their mitigation processes. The total time to mitigation, if you're not already swung to a provider, should be down to 30 mins to an hour; this is reasonable for detection to full mitigation in large companies. Without running through an exercise, companies will find that mitigation takes 1-4 hours. It's also highly recommended that you have incident handlers who are able to make big decisions.


From my personal experience, I am a fan of pure-play DDoS mitigation service
providers (e.g. Prolexic, Dosarrest) because they are the least likely to
give up on you when things get real difficult. Read the SLA carefully to make
sure it is fit for your purpose.

+1 on Dosarrest, not so crazy price, used them before, their support is
awesome. Used to be called whypigsfly, heard that some of their
techniques of mitigation were used by Prolexic as well.

I'm not a sales rep. nor will I ever be.

And now Juniper is possibly getting into the act: