Date: Tue, 11 Aug 2015 08:14:54 +0200
From: "marcel.duregards@yahoo.fr" <marcel.duregards@yahoo.fr>
To: nanog@nanog.org
Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
Message-ID: <55C992DE.3020906@yahoo.fr>
Content-Type: text/plain; charset=windows-1252; format=flowed

Anybody from this impressive list?:
https://www.andrisoft.com/company/customers
-- Marcel

Has anybody here compared Wanguard's performance with the DDoS vendors in the
market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ......)?
Another question: has anybody among the reviewers tested the false
positives of the box, or experienced any false positive incidents?
Thanks,
Ramy

Hello
My 2 cents
You can use Wanguard for the detection and A10 for the mitigation; you just have to play with the API.
Regards
Fabien

hi ramy
> Anybody here compared Wanguard's performance with the DDoS vendors in the
> market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ......)?
wouldn't the above "comparison" be kinda funky, comparing software solutions
with hardware appliances and/or cloud scrubbers ??
comparisons between vendors should be between sw solutions,
or hw appliances vs other hw, or cloud vs other clouds
wanguard should be compared with other sw options or vendors using
sflow, netflow, jflow, etc etc
http://www.andrisoft.com/software/wanguard
http://bitbucket.org/tortoiselabs/ddosmon
http://www.github.com/FastVPSEestiOu/fastnetmon
http://nfdump.sourceforge.net
http://nfsen.sourceforge.net
wanguard - software solution using sflow
http://www.andrisoft.com/software/wanguard
arbor ---- hardware/software solutions -- "peakflow"
http://www.arbornetworks.com/products/peakflow
radware -- hardware/software/cloud solutions -- "defenseflow"
http://www.radware.com/products/attack-mitigation-service/
http://www.radware.com/Products/DefenseFlow/
nsfocus -- hardware/cloud solutions
http://www.nsfocus.com/products/
A10 ------ hardware solution
http://www.a10network.com/products
riorey --- hardware solution
http://www.riorey.com/riorey-ddos-products
staminus - hardware/cloud solutions
http://www.staminus.net/shield
# and to add to the ddos confusion ..
akamai/prolexic --- hardware/cloud solution
f5 ---------------- hardware/cloud solutions
http://www.f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
fortinet ---------- custom ASIC hardware and cloud solution
http://www.fortinet.com/products/fortiddos/ddos-mitigation-appliances.html
- simulated ddos attacks should include:

Hello Fabien,
And why don't you use A10 for both detection and mitigation?
Thanks,
Ramy

You can try to get a financial (probably poorly technical) view on DDoS:
http://www.infonetics.com/pr/2014/1H14-DDoS-Prevention-Appliances-Market-Highlights.asp
The DDoS Prevention Appliances report is not free, and I doubt it's really technical.
But at least you could know what your financial guys might think. It could help you if you want to convince them to buy Arbor :-).
- Marcel

One thing which is not so obvious is to reduce false positives.
This is hard when you have a mix of traffic profiles/patterns within your network, with customers in different domains (scientists, financials, video addicts, torrent addicts, etc...) with different bandwidth.
a)
Has anybody tried to separate IP ranges by traffic profile, to apply a specific rule/profile per IP allocation?
put all financial clients into range X/X and define rule Z
put all scientist clients into range Y/Y and apply rule Q
etc....
Does this help?
b)
One other method could be to classify customers by their bandwidth.
profile 1. from 10-100M
profile 2. 100-500M
profile 3. 500M-1000M
profile 4. >1000M
Like this you do not mix big-BW with small-BW customers, and do not get alerted when a client from profile 4 starts to download at 1G.
Any experience?
My guess is that solution b is better than a. It is not so easy to classify traffic patterns per group of clients.
Thanks, best regards.
- Marcel
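One way to implement option (b) from the message above, as an added example that is not part of the thread and not Wanguard's own configuration or code: every customer prefix is mapped to a bandwidth profile, and an alert fires only when a destination's observed inbound rate exceeds the threshold of its own profile, so a profile-4 customer pulling 1 Gbps is not compared against a 100 Mbps customer's ceiling. The prefixes (RFC 5737 documentation ranges), the per-profile caps and alert factor, the hypothetical `default` fallback profile and the flow records are all constructed assumptions; a flat network-wide threshold is evaluated alongside for comparison.

```python
# Added example (not from the NANOG thread, not Wanguard code): per-prefix
# bandwidth profiles for DDoS detection thresholds. All prefixes, profile
# caps and flow records below are constructed for illustration.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    max_mbps: float        # top of the customer's committed bandwidth band
    alert_factor: float    # alert when inbound rate exceeds max_mbps * alert_factor

    @property
    def threshold_mbps(self) -> float:
        return self.max_mbps * self.alert_factor


# Bands follow the thread's option (b); the caps and the 1.5x factor are assumed.
PROFILES = {
    "profile1": Profile("profile1", 100.0, 1.5),    # 10-100M customers
    "profile2": Profile("profile2", 500.0, 1.5),    # 100-500M
    "profile3": Profile("profile3", 1000.0, 1.5),   # 500M-1000M
    "profile4": Profile("profile4", 2000.0, 1.5),   # >1000M (cap assumed at 2G)
}

# Constructed allocations: which prefix carries which customer class.
ALLOCATIONS = [
    (ipaddress.ip_network("192.0.2.0/25"), "profile1"),
    (ipaddress.ip_network("192.0.2.128/25"), "profile2"),
    (ipaddress.ip_network("198.51.100.0/24"), "profile3"),
    (ipaddress.ip_network("203.0.113.0/24"), "profile4"),
]


def profile_for(ip: str):
    """Longest-prefix match of a destination IP against the allocation table.
    Returns None for addresses outside any known customer allocation."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name in ALLOCATIONS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return PROFILES[best[1]] if best else None


def rates_mbps(flows, window_seconds: float):
    """Aggregate byte counts per destination over the window, convert to Mbps."""
    total = defaultdict(int)
    for dst, nbytes in flows:
        total[dst] += nbytes
    return {dst: b * 8 / window_seconds / 1e6 for dst, b in total.items()}


def per_profile_alerts(flows, window_seconds: float, default="profile1"):
    """Alert per destination using the threshold of that destination's profile.
    Unallocated addresses fall back to the most conservative profile (assumed)."""
    alerts = {}
    for dst, mbps in rates_mbps(flows, window_seconds).items():
        prof = profile_for(dst) or PROFILES[default]
        if mbps > prof.threshold_mbps:
            alerts[dst] = {"profile": prof.name, "rate_mbps": mbps,
                           "threshold_mbps": prof.threshold_mbps}
    return alerts


def flat_alerts(flows, window_seconds: float, threshold_mbps: float):
    """Single network-wide threshold, for comparison with the profile approach."""
    return {dst: mbps for dst, mbps in rates_mbps(flows, window_seconds).items()
            if mbps > threshold_mbps}


# Constructed flow records: (destination IP, bytes seen in the window).
WINDOW_SECONDS = 10.0
SAMPLE_FLOWS = [
    ("203.0.113.10", 750_000_000),   # profile4 customer, two records ...
    ("203.0.113.10", 500_000_000),   # ... totalling 1.25 GB = 1000 Mbps
    ("192.0.2.5", 500_000_000),      # profile1 customer at 400 Mbps
    ("192.0.2.200", 200_000_000),    # profile2 customer at 160 Mbps
    ("198.51.100.7", 100_000_000),   # profile3 customer at 80 Mbps
]

if __name__ == "__main__":
    print("per-profile:", per_profile_alerts(SAMPLE_FLOWS, WINDOW_SECONDS))
    print("flat 500M:  ", flat_alerts(SAMPLE_FLOWS, WINDOW_SECONDS, 500.0))
```

With these inputs the flat 500 Mbps threshold flags only the profile-4 customer at 1 Gbps (the false positive the message describes) and misses the profile-1 customer receiving 400 Mbps, while the per-profile check does the reverse. The same table-driven approach works for option (a) if the profiles are keyed by traffic pattern rather than bandwidth band.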

Let me disagree to some extent. We have contacted most of the above
vendors; selling HW doesn't necessarily mean they are HW-based solutions,
most of them run their SW/algorithm on an x86 machine.
Thanks,
Ramy

Again Fabien,
Why didn't you use A10 for both detection and mitigation?
Thanks,
Ramy