I'm assisting a non-profit organization to research solutions to secure their network from DoS/DDoS attacks. So far we have gone the route of discussing with their ISPs to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source.
I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementations of other solutions.
Is the cause of this non-profit a controversial one with a good likelihood
of attracting the attention of demographics with the ability to mount DDoS
attacks? If your upstream can do it for a good price (on account of being a
non-profit organization) and they have lots of bandwidth along with a decent
stack of mitigation gear, and some clue on how to operate them, then that
should be the first choice. But DDoS mitigation is not their core business,
so be prepared for them to blackhole your IP if things get difficult. Make
sure your SLA is as bulletproof as possible or at least understand how bad
things can get before they bail out on you.
If the asset you want to protect is on standard web ports (i.e. 80 and 443)
and is a likely DDoS target (per my first question), then one of the
affordable DDoS-Mitigation-as-a-Service (DMaaS) providers would be a better
fit for the task. Your upstream will appreciate not becoming collateral
victim of the attack traffic. My good friend (who was also a co-founder of
Peer1) founded dosarrest.com. They seem to be quite successful and have
protected some high profile customers, so feel free to give them a call.
If the non-profit is in the high risk of attack profile (i.e. any cause that
is likely to offend techno-savvy bullies or religious fanatics), then you
should talk to Prolexic/Verisign/Neustar/NexusGuard. If you are in the high
risk category and your cause is that of free speech, maybe the good folks at
virtualroad.org (with help from Prolexic) can help.
By coincidence we have just published the video archive of our "Mitigating
DDoS Attacks: Best Practices for an Evolving Threat Landscape" event last
Wednesday. It's at http://youtu.be/FR0660X9lGc
We'll have a full transcript up early next week.
I can think of a few options here (basically restating what has been said):
- Black hole routing on ISP side - just makes the client unreachable
outside the ISP. Available everywhere, free. Not really a protection, as it
aids the attacker in achieving his goal - shutting down the client.
- Managed DDoS as a Service on ISP side - the ISP has a dedicated solution to
stop attacks on ISP premises (by dedicated I mean some hardware installed).
Vendors vary (Arbor/Radware/etc.) and are actually not of much
importance to the end client - only an SLA should be in place. Costs money;
advisable when undergoing non-stop/frequent attacks of moderate severity.
If an attack reaches gigabits of bandwidth consumption the ISP may revert back
to black hole routing to protect its backbone and other clients.
- If speaking of web/email services - a hosted solution is viable to some
degree (e.g. Amazon AWS CloudFront, Google Apps, CDNs etc.). It is not a
DEDICATED hosted solution against DDoS, so be prepared for the provider to
shut down the client if the attack gets heavy enough.
- Hosted web/email solutions WITH dedicated DDoS protection included,
including assurance that the client will not be shut down under a heavy load attack
(Prolexic etc.). Costs money (not cheap at all), and if your site is not going to
be attacked like krebsonsecurity.com or fbi.gov it is probably overkill.
Taking challenges one by one.
Try the DDoS attack detection and mitigation software named WANGUARD
from http://www.andrisoft.com. It's not expensive, and non-profit
organisations like yours are granted a 30% discount. Install it on
a Linux server and you'll have DDoS attack detection in no time.
Since you're not a carrier the DDoS scrubbing feature won't be useful
to you, but the black hole routing probably will. You can also
configure it to send alerts to your upstream carrier or to your
Sounds like an advertisement to me
In the end there are a few actual options (in general):
1) do it yourself
2) have your carrier do it for you
3) have a third party do it for you
There are cost and capability considerations with all of these, basically:
- you'll need more pipe - absorb all that can arrive, can you
handle an extra 100gbps of traffic? (or less, you could reasonably
build out for X gbps and just die under Y if the cost is unacceptably
large to absorb Y)
- more people-smarts - understand what is/isn't an attack,
understand peering, transit, costs, complexities, mitigation
techniques and costs involved.
- more equipment - mitigation gear (cisco guard, arbor tms, radware...etc)
- monthly (most times) cost for 'insurance', imagine paying an
uplift on your current bandwidth costs, for mitigation services,
pre-prepared, so all you need to is 'initiate mitigation' inside the
- people-cost in training to 'make the mitigation happen' (done
right at the carrier this is nothing more than a bgp update from
- monthly (or one-time) cost, you may be able to initiate it
one-time and walk away, with the attendant costs in management of
- routing changes (do you control at least the /24 around the
resource you need to mitigate?)
- tunneling complexity to return to you the 'clean' traffic
- dns shenanigans for those ddos-mitigation folks who don't do
routing changes, or prefer DNS ones.
pick what works for you... or your charity org.
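The "do it yourself" option above, and the black hole routing option in the earlier reply, both come down to the same two steps: spot which of your addresses is absorbing a flood, and hand the carrier a BGP announcement that drops traffic to that single host so the rest of your pipe survives. The following is an added example written for this thread, not code from any poster or from a mitigation vendor. It walks constructed flow records (not real traffic), computes per-destination bit rates over a window, and builds an ExaBGP-style RTBH announcement tagged with the RFC 7999 BLACKHOLE community (65535:666). The prefix list, the discard next-hop 192.0.2.1, the 100 Mbps threshold and the exact announce syntax are all assumptions; confirm the community and next-hop your upstream actually honours before relying on any of them.

```python
"""Added example (not from the thread): detect a volumetric flood per
destination address and emit the remote-triggered black hole (RTBH)
announcement a carrier would accept via BGP. All addresses, prefixes,
thresholds and the announce syntax are assumptions for illustration."""
from collections import defaultdict
import ipaddress

# Constructed flow records: (destination IP, bytes, seconds). Not real data.
# 203.0.113.10 receives ~500 Mbps, 203.0.113.20 ~1.6 Mbps, and
# 198.51.100.5 ~160 Mbps but is NOT in a prefix we control.
SAMPLE_FLOWS = [
    ("203.0.113.10", 125_000_000, 10),
    ("203.0.113.10", 125_000_000, 10),
    ("203.0.113.10", 125_000_000, 10),
    ("203.0.113.10", 125_000_000, 10),
    ("203.0.113.10", 125_000_000, 10),
    ("203.0.113.20", 1_000_000, 10),
    ("203.0.113.20", 1_000_000, 10),
    ("198.51.100.5", 200_000_000, 10),
]

# Assumed: the address space this org actually controls (the "/24" question
# in the thread). Never announce a blackhole for space that is not yours.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed discard next-hop agreed with the carrier (RFC 5737 test range) and
# the RFC 7999 well-known BLACKHOLE community.
BLACKHOLE_NEXT_HOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "65535:666"


def bits_per_second(flows, window_seconds):
    """Sum bytes per destination over the window and convert to bits/s."""
    total_bits = defaultdict(int)
    for dst, nbytes, _duration in flows:
        total_bits[dst] += nbytes * 8
    return {dst: bits / window_seconds for dst, bits in total_bits.items()}


def find_victims(flows, window_seconds, threshold_bps):
    """Return destinations whose inbound rate meets the flood threshold."""
    rates = bits_per_second(flows, window_seconds)
    return sorted(dst for dst, bps in rates.items() if bps >= threshold_bps)


def rtbh_announcement(victim_ip):
    """Build a /32 blackhole announcement for one of OUR addresses.

    Raises ValueError for addresses outside OUR_PREFIXES, so a mis-parsed
    flow cannot make us announce (and blackhole) someone else's space.
    The command format follows ExaBGP's 'announce route' syntax (assumed;
    adapt to your router or daemon).
    """
    ip = ipaddress.ip_address(victim_ip)
    if not any(ip in net for net in OUR_PREFIXES):
        raise ValueError(f"{victim_ip} is not within a prefix we control")
    return (f"announce route {ip}/32 next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


if __name__ == "__main__":
    # 100 Mbps is an assumed threshold; size it to your real link.
    for victim in find_victims(SAMPLE_FLOWS, 10, 100_000_000):
        try:
            print(rtbh_announcement(victim))
        except ValueError as err:
            print(f"skipped: {err}")
```

The ownership check is the important part: an RTBH route is a request to discard traffic, and announcing it for a prefix you do not hold is exactly the kind of thing that gets your BGP session filtered. Remember too that blackholing finishes the attacker's job for the one host it covers; it is a way to keep the rest of the pipe alive, not a mitigation in itself.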
While Google's business isn't DDoS mitigation, we do see plenty of attacks
on user content we host (Google Hosted Services backed by Blogger, App
Engine, or other properties) and it's generally not a problem (thinking
back over the past few years I can't remember ever terminating a victim).
Happy to host more victims, as the attacks provide good (if unplanned)
load tests. Send me an email if you want to discuss special needs, and
I'll let you know how we might be able to help.