Experiences with DDoS platforms...

So, it would appear to me that simply analyzing netflow data, etc.,
at the time of a (D)DoS attack, and then black-holing (by hand) the
offending source addresses may not be the most scalable and
efficient way of dealing/coping/mitigating/staying-on-the-air
during an attack.

Of course, depending where you are on the food chain, the resources
one is trying to protect, the volume of DDoS traffic, etc., plays into
the equation, etc.

I was looking to see what opinions folks on the list may have on
the DDoS "appliance" vendor products available -- I'm particularly
looking for a stand-alone (or in conjunction with a 'traffic analysis'
box) to off-load DoS "mitigation" -- real-world experiences welcome.

Please direct responses to me off-list, or not...

Thanks,

- ferg

Hey Ferg,

when you get some boxes to play with I'd be happy to help load them with a 10G DDoS; it would be phun...

I'd also be interested to work with researchers on instrumenting the attack. I think I know how to pitch one, just never had a willing catcher.

I'd especially enjoy it if you could publish your results of such research.

best,

-rick

Fergie wrote:

[...]

I was looking to see what opinions folks on the list may have on
the DDoS "appliance" vendor products available -- I'm particularly
looking for a stand-alone (or in conjunction with a 'traffic analysis'
box) to off-load DoS "mitigation" -- real-world experiences welcome.

Two jobs ago, I was at UKSolutions (aka UKS). One of UKS's products is the UKShells brand which is a script kiddie magnet and has a good number of IRC servers running on the accounts. IRC servers are a DDoS magnet as you probably know, so UKS got rather good at automating DDoS mitigation so nobody has to get out of bed to deal with it nor do any customers really notice.

The exact details of the system are a bit of a mystery to me, but it was a multi-faceted approach that did a fair bit of analysis of the traffic and was quite selective in its filtering, and was most definitely rather effective against DDoSes that should by rights have crippled the whole ISP, never mind the single box that was being targeted.

You'll be wanting to speak to Dan Lowe.
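Both Ferg's description of analysing netflow data and black-holing sources by hand, and the UKS reply about automated, selective filtering, come down to the same two steps: find the destination under attack, then pick only the sources that materially contribute to it. The Python below is an added example written for this thread, not code from either poster or from UKS. The flow records, the flooded host, the 192.0.2.0/24 "never block" range and the thresholds are all constructed for illustration.

```python
# Added example (not from the thread): automate the netflow-style analysis and
# source-blackhole candidate selection, with the selectivity the UKS reply
# describes. All addresses, flows and thresholds are constructed assumptions.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One exported flow record, reduced to the fields the analysis needs."""
    src: str
    dst: str
    proto: int
    dst_port: int
    packets: int


# Constructed sample window: 198.51.100.7 (an IRC-style service host) is being
# flooded by a few sources; 198.51.100.9 only sees ordinary web traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.10", "198.51.100.7", 17, 6667, 40000),
    Flow("203.0.113.11", "198.51.100.7", 17, 6667, 35000),
    Flow("203.0.113.12", "198.51.100.7", 6, 6667, 30000),
    Flow("192.0.2.5", "198.51.100.7", 6, 6667, 20000),    # inside a protected range
    Flow("203.0.113.50", "198.51.100.7", 6, 6667, 300),   # a legitimate IRC client
    Flow("203.0.113.60", "198.51.100.9", 6, 80, 800),
    Flow("203.0.113.61", "198.51.100.9", 6, 443, 600),
]

# Assumed: address space that must never be black-holed automatically
# (monitoring hosts, upstream links); a human decides about these.
NEVER_BLOCK = [ip_network("192.0.2.0/24")]


def packets_per_destination(flows: Iterable[Flow]) -> Dict[str, int]:
    """Total inbound packets per destination in this collection window."""
    totals: Counter = Counter()
    for f in flows:
        totals[f.dst] += f.packets
    return dict(totals)


def find_targets(flows: Iterable[Flow], pkt_threshold: int) -> List[str]:
    """Destinations whose inbound packet count meets or exceeds the threshold."""
    totals = packets_per_destination(flows)
    return sorted(d for d, n in totals.items() if n >= pkt_threshold)


def blackhole_candidates(flows: Iterable[Flow], target: str,
                         share_threshold: float = 0.05, min_packets: int = 1000,
                         never_block=NEVER_BLOCK) -> List[Tuple[str, int]]:
    """Sources sending at least `share_threshold` of the packets aimed at
    `target` and at least `min_packets` in absolute terms, excluding protected
    ranges. Both bars together keep small legitimate clients off the list."""
    per_src: Counter = Counter()
    for f in flows:
        if f.dst == target:
            per_src[f.src] += f.packets
    total = sum(per_src.values())
    if total == 0:
        return []
    out: List[Tuple[str, int]] = []
    for src, n in per_src.most_common():
        if n < min_packets or n / total < share_threshold:
            continue
        if any(ip_address(src) in net for net in never_block):
            continue  # protected space: log it, do not act automatically
        out.append((src, n))
    return out


def plan(flows: Iterable[Flow], pkt_threshold: int = 10000) -> Dict[str, List[Tuple[str, int]]]:
    """Per attacked destination, the ordered list of (source, packets) to black-hole."""
    flows = list(flows)
    return {t: blackhole_candidates(flows, t) for t in find_targets(flows, pkt_threshold)}


if __name__ == "__main__":
    for target, sources in plan(SAMPLE_FLOWS).items():
        print(target, "<-", sources)
```

The thresholds are per-window and per-destination rather than global, so a busy but healthy host is not mistaken for a target, and the protected-range check is what keeps the automation from doing something a human would not. Source-based black-holing only helps when the sources are genuine; against spoofed traffic the same analysis still identifies the target, but the mitigation then has to be destination- or pattern-based rather than per source.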