DDOS solution recommendation

Nanog group

I was wondering what you are using for DDOS protection in your networks. We
are currently evaluating different options (Arbor, Radware, NSFocus,
RioRey) and I would like to know if someone is using the cloud based
solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
advantages/disadvantages of using a cloud base vs an on-premise solution.
It would be great if you can share your experience on this matter.

Thank you

BlackLotus.com looks very good, with GRE tunneling and sensible provider level pricing.

-mel via cell

A10

http://www.a10networks.com/products/ddos_protection.php

Mehmet

Radware DefensePro x420s is what we use.
Works great and extremely fast.
Just need to make sure where you install it on your network.
For best results you want to make sure you get the return traffic as well into the box otherwise it won't be able to detect all attacks.

-Romeo

I could suggest Voxility.com because they have a very good network and
can defend against any protocol.

And I can recommend qrator.net as the best solution against http/https
attacks. We have used them for 2 years and have had only positive feedback.

And if you only need the ability to reroute a specific IP to an anti-DDoS
cloud or to blackhole it, you could try my open source tool FastNetMon:
https://github.com/FastVPSEestiOu/fastnetmon

Thank you!

another option would be a service offered by
https://www.neustar.biz/services/ddos-protection

Also, how are folks testing DDoS protection? What lab gear, tools, and methods are you using to determine the effectiveness of the mitigation?

> I was wondering what you are using for DDOS protection in your networks. We
> are currently evaluating different options (Arbor, Radware, NSFocus,
> RioRey) and I would like to know if someone is using the cloud based
> solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
> advantages/disadvantages of using a cloud base vs an on-premise solution.
> It would be great if you can share your experience on this matter.

On-premise solutions are limited by your own bandwidth. Attacks have been
publicly reported at 400Gbps, and are rumored to be even larger. If you
don't have that much network to spare, then packet loss will occur upstream
of your mitigation. Having a good relationship with your network
provider(s) can help here, of course.

If you go with a cloud-based solution, be wary of their SLA. I've seen
some claim 100% uptime (not believable) but of course no refund/credits for
downtime. Another provider only provides 20Gbps protection, then will
null-route the victim.

> Also, how are folks testing DDoS protection? What lab gear, tools, and methods
> are you using to determine the effectiveness of the mitigation?

Live-fire is the cheapest approach (just requires some creative trolling)
but if you want to control the "off" button, cloud VMs can be tailored to
your needs. There are also legitimate companies that do network stress
testing.

Keep in mind that you need to test against a variety of attacks, against
all components in the critical path. Attackers aren't particularly
methodical, but will still randomly discover any weaknesses you've
overlooked.

Damian

This gives some comparison of cloud based DDoS mitigation providers.
https://www.ombud.com/product/compare/prolexic-ddos-protection

While it indeed is true that attacks up to 600 gbit/s (if OVH and CloudFlare's data is to be believed) have been known to happen in the wild, it's very unlikely that you need to mitigate anything close.

The average attack is usually around the 10g mark (That too barely) -- so even solutions that service up to 20g work alright.

Obviously, concerns are different if you're an enterprise that's a DDoS magnet -- but for general service providers selling 'protected services,' food for thought.

I'd beg to differ on this one. The average attacks we're seeing are double that, around the 30-40g mark. Since NTP and SSDP amplification began, we've been seeing all kinds of large attacks.

Obviously, these can easily be blocked upstream to your network. Hibernia Networks blocks them for us.

Ammar
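The two replies above, the one pointing at FastNetMon (whose described job is to decide when a specific IP should be rerouted to an anti-DDoS cloud or blackholed) and Ammar's note that NTP and SSDP amplification is what drives the large attacks, both come down to the same defender's loop: aggregate inbound flow records per destination, recognise the reflection vectors by their source port and per-packet size, and compare the rate against the capacity you have for diversion and the point beyond which null-routing is the only option. The script below is an added illustration of that loop and is not code from the thread, from FastNetMon or from any vendor named here; the flow record layout, the reflector port table, the 400-byte per-packet heuristic and the 1 Gbit/s divert and 20 Gbit/s blackhole thresholds are all assumptions chosen for the example, and the flow records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Reflection/amplification vectors named in the thread, keyed by the UDP
# source port the reflected responses arrive from. Assumed table for this
# example; a real deployment would carry the full list of abused services.
REFLECTOR_PORTS = {123: "ntp", 1900: "ssdp"}

# Assumed thresholds (Mbit/s): above DIVERT_MBPS the prefix is sent to a
# scrubbing service; above BLACKHOLE_MBPS (roughly the 20G figure mentioned
# in the thread) the service is sacrificed to protect the rest of the network.
DIVERT_MBPS = 1_000
BLACKHOLE_MBPS = 20_000
WINDOW_SECONDS = 60  # assumed flow export interval

@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (assumed schema, NetFlow/sFlow-like)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    bytes: int
    packets: int

def is_reflection(flow: Flow) -> bool:
    """Reflected amplification traffic is UDP, comes FROM a reflector service
    port, and carries large packets (responses, not the small requests)."""
    return (flow.proto == "udp"
            and flow.src_port in REFLECTOR_PORTS
            and flow.packets > 0
            and flow.bytes / flow.packets >= 400)  # heuristic cut-off, assumed

def summarize(flows, window_seconds: int = WINDOW_SECONDS) -> dict:
    """Per destination IP: inbound Mbit/s over the window, the share of bytes
    that match a reflection vector, and which vectors were seen."""
    per_dst = defaultdict(lambda: {"bytes": 0, "refl_bytes": 0, "vectors": set()})
    for f in flows:
        d = per_dst[f.dst_ip]
        d["bytes"] += f.bytes
        if is_reflection(f):
            d["refl_bytes"] += f.bytes
            d["vectors"].add(REFLECTOR_PORTS[f.src_port])
    summary = {}
    for dst, d in per_dst.items():
        summary[dst] = {
            "mbps": d["bytes"] * 8 / window_seconds / 1e6,
            "reflection_share": d["refl_bytes"] / d["bytes"] if d["bytes"] else 0.0,
            "vectors": sorted(d["vectors"]),
        }
    return summary

def decide(summary: dict, divert_mbps: float = DIVERT_MBPS,
           blackhole_mbps: float = BLACKHOLE_MBPS) -> dict:
    """Map each destination to 'ok', 'divert' (announce to the scrubbing
    service) or 'blackhole' (null-route; the attack exceeds what can be scrubbed)."""
    actions = {}
    for dst, s in summary.items():
        if s["mbps"] >= blackhole_mbps:
            actions[dst] = "blackhole"
        elif s["mbps"] >= divert_mbps:
            actions[dst] = "divert"
        else:
            actions[dst] = "ok"
    return actions

# Constructed sample: one host under a mixed NTP/SSDP flood that fits in the
# scrubbing capacity, one quiet host, and one host hit harder than 20G.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 123, "203.0.113.10", 50000, "udp", 15_000_000_000, 30_000_000),
    Flow("198.51.100.2", 123, "203.0.113.10", 50000, "udp", 15_000_000_000, 30_000_000),
    Flow("198.51.100.3", 123, "203.0.113.10", 50000, "udp", 15_000_000_000, 30_000_000),
    Flow("198.51.100.4", 123, "203.0.113.10", 50000, "udp", 15_000_000_000, 30_000_000),
    Flow("198.51.100.5", 1900, "203.0.113.10", 50000, "udp", 6_000_000_000, 12_000_000),
    Flow("192.0.2.7", 443, "203.0.113.10", 41000, "tcp", 6_000_000_000, 5_000_000),
    Flow("192.0.2.8", 443, "203.0.113.20", 41001, "tcp", 450_000_000, 400_000),
    Flow("198.51.100.9", 123, "203.0.113.30", 50000, "udp", 60_000_000_000, 120_000_000),
    Flow("198.51.100.10", 123, "203.0.113.30", 50000, "udp", 60_000_000_000, 120_000_000),
    Flow("198.51.100.11", 123, "203.0.113.30", 50000, "udp", 60_000_000_000, 120_000_000),
]

def example_run():
    """Run the pipeline over the constructed sample and return both stages."""
    summary = summarize(SAMPLE_FLOWS)
    return summary, decide(summary)

if __name__ == "__main__":
    summary, actions = example_run()
    for dst in sorted(summary):
        s = summary[dst]
        print(f"{dst}: {s['mbps']:.0f} Mbit/s, reflection share {s['reflection_share']:.0%}, "
              f"vectors {s['vectors'] or '-'} -> {actions[dst]}")
```

The per-packet size check matters because the reflector ports also appear on legitimate small NTP and SSDP exchanges; only the amplified responses are large. Deciding on Mbit/s alone mirrors the SLA caveat Damian raised, a provider that scrubs to 20G and then null-routes is applying exactly the second threshold, so knowing where your own divert and blackhole points sit is the thing to settle before an attack, not during one.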

Actually, bystander traffic is all-too-often affected by these very large reflection/amplification attacks, because they fill up peering/transit links:

<https://app.box.com/s/r7an1moswtc7ce58f8gg>

[Full disclosure: I work for a provider of IDMS solutions, but there's no vendor propaganda in the above-linked .pdf preso.]

Seeing a lot of SSDP too, but attacks on scales that large have been rare (at least for us).

Have however seen a few 40+ ones, yeah.

I suppose it all comes down to how much you actually /need/ to stand up against. For enterprises that can't afford to go down, yeah... :frowning:

Very true.

Last year's Atrato outages in NY come to mind on this one.

> While it indeed is true that attacks up to 600 gbit/s (if OVH and
> CloudFlare's data is to be believed) have been known to happen in the wild,
> it's very unlikely that you need to mitigate anything close.

Agree that trusting others' numbers is unwise (there's a bias to inflate
sizes), but from personal experience I can say that their claims are
plausible.

> The average attack is usually around the 10g mark (That too barely) -- so
> even solutions that service up to 20g work alright.

I'm not sure how to compute an "average" -- I generally just track the
maximums. I suspect some reports of 10Gbps attacks are simply that the
attack saturated the victim's link, and they were unable to measure the
true size. (I agree there are many actual 10Gbps attacks also, of course
-- attackers know this size will usually work, so they don't waste
resources.)

> Obviously, concerns are different if you're an enterprise that's a DDoS
> magnet -- but for general service providers selling 'protected services,'
> food for thought.

Even if you're just a hosting provider, your customers may be DDoS
magnets. Coincidentally, at the time you pressed "send", we were seeing a
40Gbps attack targeting a customer.

Damian

You'd notice that most people don't really know how big the attack that they're sending is. I've done a lot of research into how these attacks actually work and most of them are done by kids who don't really know what they're doing.

To them an attack is something that will take their target down (usually a home connection or a game server). If this doesn't happen, they fire off complaints to the person that runs the DDoS service.

It's a whole industry out there, and they're generally far ahead of us.

Ammar

> If you go with a cloud-based solution, be wary of their SLA. I've seen
> some claim 100% uptime (not believable) but of course no refund/credits
> for downtime.

I have encountered cases where they are willing to offer a 100% SLA for *their* DDOS mitigation equipment in the cloud. Not for your service.

-Hank

The really sad part is that in a huge number of the cases we see, the attacks are hugely disproportionate - so many servers/services/applications/networks are so brittle and fragile and non-scalable that only a fraction of the pps/bps/cps/qps generated by the attackers would take them down, anyways.

Even worse, the attackers who don't know what they're doing routinely achieve their goals, anyways, due to the above plus the unpreparedness of the defenders. I've only run across a handful of organizations which proactively took appropriate defensive measures; most only do so in the aftermath of a successful attack.

It's easy to be an Internet supervillain.

Why does it seem like everyone is trying to "solve" this the wrong way?

Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're being used to attack people, but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified. When the unknowing end-user reached out to support over larger and larger parts of the Internet not working, they'd be told to clean up their system.

The way to stop this stuff is for those millions of end users to clean up their infected PCs.

> but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified.

Just because we think something, that doesn't make it true.

;>

> The way to stop this stuff is for those millions of end users to clean up their infected PCs.

You may want to do some reading on this topic in order to gain a better understanding of the issues involved:

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

Some of us have been dealing with DDoS attacks for a couple of decades, now. If it were a simple problem, we would've solved it long ago.

Here's a hint: scale alone makes any problem literally orders of magnitude more difficult than any given instance thereof.