DDoS Mitigation

Hello everyone,

Looking to find out how the pricing model works for DDoS mitigation and what to expect as far as ballpark pricing from my ISP. Some background, we are getting hit with a chargen attack that comes and goes and is saturating our 500mb connection. Tried hitting up the ISP for UDP block on 19 but they want us to go through our rep, in the process making this go on longer that is necessary. Any feedback would be appreciated.




Just blocking port 19 won't cut it, as we often see Chargen attacks that run on nonstandard ports as well


This is my first post to Nanog. So please don't flame me down :wink:

Hi Mario.

Typically the cost of Ddos mitigation is charged on the amount of clean traffic inbound to your network, the number of protected /24 ranges you need protected and the number of datacentres you want to protect.

Ideally the Ddos mitigation solution should block attacks as close as possible to the source of the attack. One good way of doing this is by leveraging anycast from multiple scrubbing centres and ensure there is enough backbone bandwidth between each scrubbing centre to deliver clean traffic.

Blocking it at your upstream transit provider may be too late for significant attacks as any service provider between you and the source could black hole the traffic before it gets to your peers. This results in legitimate traffic not being able to reach your network.

Paras is correct, attacks could be on any port and often multivector and change within an attack campaign if attackers see one vector is not effective. So each attack really needs to be dealt with dynamically to ensure there are no false positives (something is blocked when it shouldn't be)

Unfortunately it is very simple to intimate a Ddos attack, but the cost of mitigation is very high. So the solution you choose really depends on the monetary cost of the outages, clients you have and whether the cost can be amortised over your client base.

I have seen service providers offer premium hosting services which have Ddos mitigation, using separate infrastructure and links to their normal customers. This reduces the cost of mitigation while also containing the risks and the collateral damage.

There are also different Ddos mitigation solutions depending on the service protocols your are offering. Ie web traffic could be mitigated with cdn vs all protocols and ports with BGP via a scrubbing centre.

James Tin
Enterprise Security Architect APJ
Join the Conversation.
Log on to Akamai Community. [http://www.akamai.com/images/img/community-icon-large.png] <https://community.akamai.com/>


Office: +<tel:+1.617.444.1234>61 9008 4906
Cell: +<tel:+1.617.444.1234>61 466 961 555
        Akamai Technologies
Level 7, 76 Berry St
North Sydney, NSW 2071

Connect with Us: [http://www.akamai.com/images/img/akamai-community-icon.jpg] <https://community.akamai.com/> [http://www.akamai.com/graphics/misc/rs_icon_small.png] <http://blogs.akamai.com/> [http://www.akamai.com/graphics/misc/tw_icon_small.png] <https://twitter.com/akamai> [http://www.akamai.com/graphics/misc/fb_icon_small.png] <http://www.facebook.com/AkamaiTechnologies> [http://www.akamai.com/graphics/misc/in_icon_small.png] <http://www.linkedin.com/company/akamai-technologies> [http://www.akamai.com/graphics/misc/yt_icon_small.png] <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

Depends on the service, you might have better luck with versign or prolexic and they can get the services up and running quickly.
Joe Jenkins

a short answer for the OP is: "Find an ISP that will actually support you"

there are quite a few in the US that will filter traffic like this for
you (vzb will) on demand, provided the traffic is service impacting
and NOT 'victoria secret runway show' traffic.

alternately you could find an ISP that has a mitigation service (vzb,
att, ntt, sprint i think still does) and move your links there.

All of those are cheaper when under attack than the off-netork
solutions (generally).

Hello, Christopher!

Could you share "there are quite a few in the US that will filter
traffic like this for you" off-list?