Recommended DDoS mitigation appliance?

Hello, NANOG!

I'm in the midst of rebuilding/upgrading our backbone and peering -
sessions cheerfully accepted :slight_smile: - and am curious what folks recommend
in the DDoS mitigation appliance realm? Ideally it would be capable
of 10Gbps and circa 14Mpps rate of mitigation. If you have a
recommendation, I'd love to hear it and the reasons for it. If you
have an alternative to an appliance that has worked well for you
(we're a mix of Cisco and Juniper), I'm all ears.

Private responses are fine, and I'm happy to summarize back to the
list if there is interest.

Thank you!
Rob.
--
Rabbi Rob Thomas Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
    agree." - Leo McKern

Rob,

I am going to assume you want it to spit out 10G clean; what size dirty traffic are you expecting it to handle?

Ryan

Dear Ryan,

> I am going to assume you want it to spit out 10G clean; what size
> dirty traffic are you expecting it to handle?

Great question! Let's say between 6Gbps and 8Gbps dirty.

Thank you!
Rob.

Peace,

I would say you are making some assumptions that are not fact based. The OP is very knowledgeable and would not mince words or waste bandwidth. Let us see what he has to say in regards to your remarks. He will be able to make this more clear once he has read what people have stated in other responses.

Respectfully, of course, Richard Golodner

Peace,

Dear Töma,

> Potential miscreants today should be assumed to have much more to
> show you even on a daily basis.

Oh, indeed! :slight_smile:

> Is it like you also have something filtering upstream for you,
> e.g. flowspec-enabled peers?

That is correct.

Be well,
Rob.
--
Rabbi Rob Thomas Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
    agree." - Leo McKern

AFAIK new threats (SYN+ACK amplification) can't be mitigated over flowspec and they can reach 40+Gbps easily.

Correct statement. You forgot one zero.

I would like the list to know that not all targets attract such large attacks. I know many eyeball ISPs that encounter less than 10 gig attacks, which can be reasonably absorbed/mitigated. Online gamers looking to boot someone else from the game aren’t generally committing >100 gigs of resources to an attack.

There are two very good reasons to use 'surgical' amounts of traffic in
attacks:

1. Concealing the size of your botnet

2. Reducing the damage to the end user's ISP, and thus reducing the
likelihood that they escalate the attack to the authorities (because
who's got the time to do that for an individual subscriber?)

The shift to "just enough to knock the customer off without killing the
whole network" happened around ~2015 in my capacity, at least.

Hi Rabbi,

A PoC quite a while ago with RioRey worked quite satisfyingly, but we have been working with Arbor for a couple of years. It works okay and is insanely expensive. Mostly because of the price I wouldn’t recommend it, but I’m not sure if there is anything on the market technically on the same level but with a lower price. We did a PoC with A10 2 years ago as a possible replacement, but the concept is completely different, so we couldn’t convince ourselves yet to switch.

HTH,
Jeff

Peace,

It’s a logical evolution as botnets became less of a tool for lulz and more of an economic asset to certain segments of the world.

No sense launching an orbital strike where a garden hose will do the job just as well.

Hello, NANOG!

Thank you to all who have generously given your time to respond
publicly and privately. I have a long list of things to research
while configuring our shiny new Juniper routers. :slight_smile: I'll summarize
to the list shortly.

Be well!
Rob, the routing rabbi.
--
Rabbi Rob Thomas Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
    agree." - Leo McKern

Hello, NANOG!

My thanks again to all who responded with suggestions, tips, and
further considerations. I appreciate it very much!

As promised, here is my pithy summary of your detailed suggestions.
I've included URLs for those who may wish to conduct further research.
We've not made our selection yet, and likely won't until early 2020.
At present I'm busy building out our new backbone, and thus can't yet
offer up my own recommendation. Who needs sleep? :smiley:

Several folks shared their architecture and deployment
recommendations, which were quite insightful. Placement of these
devices, and in particular a centralized monitoring solution for
distributed deployments, were keys to success.

There were no support concerns for any of these suggestions.

Folks have used open source and freeware, but generally recommended
commercial offerings. These required less manual intervention.

It was aces to see so many folks employing techniques such as flowspec
and RTBH.

DDoS appliance recommendations:

. Anycast and fat pipes
  - Multiple votes

. Massive peering
  - Multiple votes
  - Be ready for peering requests from me :slight_smile:

. Arbor Netscout
  - Multiple votes
  - Consistently labeled as "expensive"
  - https://www.netscout.com/arbor-ddos

. RioRey
  - Multiple votes
  - http://www.riorey.com/

. Juniper routers MX240 or MX480

FastNetMon is awesome, but it's a detection tool with no mitigation capacity whatsoever.

> FastNetMon is awesome, but it's a detection tool with no mitigation capacity whatsoever.

Does it not, though, provide the ability to hook into RTBH or Flowspec setups?

Peace,

Yes it does provide RTBH hook.

I evaluated fastnetmon using exactly the 'quick setup' and found it to have some serious problems with false alarms and statistical anomalies, at least when using pure netflow data (did not try sampled mode). Hosts that were not in fact receiving >100mbps traffic (a traffic level I predetermined as 'attack' for a given network segment) would occasionally get flagged as such (and rtbh activated), while 2 real attacks that came during the testing period (60 days for me) went completely unnoticed. Support seemed to concede that sampled mode is really the only accurate method, by which time I'd expended all my interest. Great concept, cool integration, just not ready for prime time.

Mike-
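As an added illustration (my own code, not FastNetMon's, and not a claim about what actually caused the false alarms described above): one common way per-host rate estimates go wrong with unsampled NetFlow is attributing a flow's entire byte count to the second its record is exported, so a long-lived but modest flow looks like a burst. The flow records and the 100 Mbps threshold below are constructed.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (dst_ip, first_ms, last_ms, bytes).
# Illustrative only, not captured data.
FLOWS = [
    ("198.51.100.10", 0, 60_000, 300_000_000),      # 40 Mbps sustained for 60 s
    ("198.51.100.10", 0, 60_000, 300_000_000),      # a second such flow, same host
    ("198.51.100.20", 59_000, 60_000, 20_000_000),  # genuine 160 Mbps burst in 1 s
]
THRESHOLD_BPS = 100_000_000  # 100 Mbps per-host 'attack' level, as in the evaluation
SAMPLING_RATE = 1            # 1 = unsampled flows; N = 1-in-N packet sampling


def naive_rates(flows, sampling_rate=SAMPLING_RATE):
    """Credit every flow's bytes to the second its record ends (when it is
    exported). Long flows collapse into one spike at export time."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for dst, _first, last, nbytes in flows:
        per_sec[dst][last // 1000] += nbytes * 8 * sampling_rate
    return per_sec


def spread_rates(flows, sampling_rate=SAMPLING_RATE):
    """Spread each flow's bytes evenly over the seconds it was active,
    scaling by the sampling rate so sampled and unsampled data compare."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for dst, first, last, nbytes in flows:
        start = first // 1000
        end = max(start, (last - 1) // 1000)  # last second that carried bytes
        seconds = end - start + 1
        for s in range(start, end + 1):
            per_sec[dst][s] += nbytes * 8 * sampling_rate // seconds
    return per_sec


def flagged_hosts(per_sec, threshold_bps=THRESHOLD_BPS):
    """Hosts whose peak one-second rate exceeds the threshold (RTBH candidates)."""
    return sorted(dst for dst, rates in per_sec.items()
                  if max(rates.values()) > threshold_bps)


if __name__ == "__main__":
    print("naive :", flagged_hosts(naive_rates(FLOWS)))   # flags both hosts
    print("spread:", flagged_hosts(spread_rates(FLOWS)))  # flags only the real burst
```

The naive accumulation blackholes a host receiving a steady 80 Mbps, while spreading bytes over flow duration flags only the host that actually exceeded the threshold.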