Re: PoC for shortlisted DDoS Vendors
hi nanog,

back in april, Mohamed was reviewing the shortlist of DDoS appliances. would you mind posting a summary of your findings?

# partial list of DDoS appliances
DDoS-Mitigator.net/Competitors

- ? does anybody know which DDoS appliances use iptables to do their mitigation ??
  iptables is good because it supports tarpit, which can be used to counter-attack the incoming TCP-based DDoS attackers

? Does any colo/datacenter (in Silicon Valley or Las Vegas) allow the customers to put a firewall at the ISP end of the pipe to prevent these ICMP/UDP floods from going down the pipe to the customer?

thanx
alvin

DDoS-Simulator.net === Simulate DDoS attacks
DDoS-Mitigator.net === Defend against incoming DDoS attacks
Re: PoC for shortlisted DDoS Vendors
Not an appliance, but WanGuard might be a good match as well. We're currently evaluating it.
http://www.andrisoft.com/software/wanguard

-- Arzhel

On Fri, Apr 3, 2015, at 01:31, den...@justipit.com wrote:
> You should include Radware on that list.
>
> - Reply message -
> From: Mohamed Kamal mka...@noor.net
> To: NANOG nanog@nanog.org
> Subject: PoC for shortlisted DDoS Vendors
> Date: Wed, Apr 1, 2015 9:51 AM
>
> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
> 1- RioRey
> 2- NSFocus
> 3- Arbor
> 4- A10
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
> Thanks.
> --
> Mohamed Kamal
> Core Network Sr. Engineer
RE: PoC for shortlisted DDoS Vendors
WANGuard is great for detection, but WANFilter failed my tests. I couldn't filter a 700mbit SYN flood. The best it did was to completely block TCP/80. It uses netfilter to block Layer 3 attacks. It does have ACL support for some Intel NICs, but it doesn't use it nearly enough.

-- Kate

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Arzhel Younsi
Sent: Monday, April 06, 2015 11:48 AM
To: nanog@nanog.org
Subject: Re: PoC for shortlisted DDoS Vendors

Not an appliance, but WanGuard might be a good match as well. We're currently evaluating it.
http://www.andrisoft.com/software/wanguard

-- Arzhel

On Fri, Apr 3, 2015, at 01:31, den...@justipit.com wrote:
> You should include Radware on that list.
>
> - Reply message -
> From: Mohamed Kamal mka...@noor.net
> To: NANOG nanog@nanog.org
> Subject: PoC for shortlisted DDoS Vendors
> Date: Wed, Apr 1, 2015 9:51 AM
>
> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
> 1- RioRey
> 2- NSFocus
> 3- Arbor
> 4- A10
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
> Thanks.
> --
> Mohamed Kamal
> Core Network Sr. Engineer
Re: PoC for shortlisted DDoS Vendors
I have recommended RioRey to our clients. There have been no, or only minor, issues with any of the testing (a mismatch with optics, and that was a client issue). The RioRey box can be set to full bypass, monitor, or mitigation. You can install it in bypass mode first to make sure everything is wired up correctly, then switch on monitor mode and see how it is doing. When your comfort level increases you can turn on full mitigation mode.

Full disclosure: I did work for RioRey years back, but for our clients we always try to recommend what works best for the client.

On 04/01/2015 11:51 AM, Mohamed Kamal wrote:
> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
> 1- RioRey
> 2- NSFocus
> 3- Arbor
> 4- A10
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
> Thanks.

--
Joe Chisolm
Computer Translations, Inc.
Network and Datacenter Consulting
Marble Falls, Tx.
Re: PoC for shortlisted DDoS Vendors
Hello!

Yes, my toolkit can detect only volumetric attacks now. But I have finished performance tests for an http protocol parser which could work at wire speed too. And I'm sure I will add support for http attack detection soon.

Btw, syn flood attack detection could be implemented in a few hours in the current code base. If anyone is interested in it I will do it shortly.

In my day-to-day work we get a few attacks every day. They are divided 50/50 between dns/ssdp/snmp amplification and syn flood on http servers. Other attacks are not dangerous for our network and backbone and are mitigated manually in each case.

On Thursday, April 2, 2015, Mohamed Kamal mka...@noor.net wrote:
> Hello Pavel,
>
> I'm certainly biased toward open-source tools if they do the job required, and I appreciate the effort you have exerted on this project. However, based upon what I saw under the features list of your tool, I assume that it can detect only volumetric DDoS attacks based upon anomalies such as an excessive number of packets/bits/connections/flows per second, compared against some previously learnt or set threshold values. But what about the protocol types of attack, which, in my humble opinion, are becoming more aggressive day after day?
>
> Mohamed Kamal
> Core Network Sr. Engineer
>
> On 4/2/2015 5:03 PM, Pavel Odintsov wrote:
>> Hello!
>>
>> What about open source alternatives? Most commercial ddos filters are simple high-performance firewalls with detection logic (which is many times more stupid than a well-trained network engineer). But attacks on an ISP do not arrive so often, and the detection part could be executed manually (or with oss tools like netflow analyzers or my own FastNetMon toolkit).
>>
>> For wire-speed filtration on 10ge (and even more if you have a modern cpu; up to 40ge) you could use netmap-ipfw with linux or freebsd with simple patches (for enabling multi-process mode).
>>
>> On Thursday, April 2, 2015, den...@justipit.com wrote:
>>> You should include Radware on that list.
>>>
>>> - Reply message -
>>> From: Mohamed Kamal mka...@noor.net
>>> To: NANOG nanog@nanog.org
>>> Subject: PoC for shortlisted DDoS Vendors
>>> Date: Wed, Apr 1, 2015 9:51 AM
>>>
>>> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
>>> 1- RioRey
>>> 2- NSFocus
>>> 3- Arbor
>>> 4- A10
>>> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
>>> Thanks.
>>> --
>>> Mohamed Kamal
>>> Core Network Sr. Engineer
>>
>> --
>> Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
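The detection approach discussed in this exchange (per-destination packets, bits and flows per second checked against set thresholds) together with the SYN-flood detection Pavel says could be added, sketched as an added Python example; it is not FastNetMon's code or anyone's code from the thread. The Flow record layout, the threshold values and the sample flows (using the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for the example.

```python
"""Threshold-based volumetric and SYN-flood detection over flow records.

Added illustration of the detection logic discussed in the thread: per-destination
packets/bits/flows per second against fixed thresholds, plus a SYN-only ratio to
spot SYN floods.  Not FastNetMon's code; the record layout, thresholds and sample
flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as carried in a NetFlow tcp_flags field
TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, whole seconds (constructed layout)
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int
    tcp_flags: int   # 0 for non-TCP flows


# Constructed thresholds; a real deployment learns or tunes these per network.
THRESHOLDS = {
    "pps": 50_000,          # packets per second towards one destination
    "mbps": 500,            # megabits per second towards one destination
    "fps": 5_000,           # new flows per second towards one destination
    "syn_ratio": 0.9,       # fraction of TCP flows that never got past SYN
    "syn_min_flows": 1_000, # ignore the ratio on tiny samples
}


def _syn_only(flags: int) -> bool:
    """SYN set and ACK clear: the handshake never completed."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def detect(flows, window=1, thresholds=THRESHOLDS):
    """Return {(dst, window_start): [reasons]} for each destination/window that
    crosses a threshold.  Reasons are 'pps', 'mbps', 'fps' and/or 'syn_flood'."""
    agg = defaultdict(lambda: {"packets": 0, "octets": 0, "flows": 0,
                               "tcp_flows": 0, "syn_only": 0})
    for f in flows:
        a = agg[(f.dst, f.ts - f.ts % window)]
        a["packets"] += f.packets
        a["octets"] += f.octets
        a["flows"] += 1
        if f.proto == 6:
            a["tcp_flows"] += 1
            if _syn_only(f.tcp_flags):
                a["syn_only"] += 1

    alerts = {}
    for key, a in agg.items():
        reasons = []
        if a["packets"] / window > thresholds["pps"]:
            reasons.append("pps")
        if a["octets"] * 8 / window / 1e6 > thresholds["mbps"]:
            reasons.append("mbps")
        if a["flows"] / window > thresholds["fps"]:
            reasons.append("fps")
        # SYN flood: many TCP flows and almost all of them are SYN-only
        if (a["tcp_flows"] >= thresholds["syn_min_flows"]
                and a["syn_only"] / a["tcp_flows"] >= thresholds["syn_ratio"]):
            reasons.append("syn_flood")
        if reasons:
            alerts[key] = reasons
    return alerts


def sample_flows():
    """Constructed records: benign sessions to 198.51.100.10, a SYN flood on
    198.51.100.20:80 and a UDP amplification flood on 198.51.100.30."""
    flows = []
    # Benign: 200 completed TCP sessions (SYN and ACK both seen)
    for i in range(200):
        flows.append(Flow(100, f"203.0.113.{i % 250}", "198.51.100.10",
                          6, 443, 40, 30_000, TCP_SYN | TCP_ACK))
    # SYN flood: 6000 single-packet SYN-only flows from spoofed sources
    for i in range(6000):
        flows.append(Flow(100, f"192.0.2.{i % 250}", "198.51.100.20",
                          6, 80, 1, 60, TCP_SYN))
    # Amplification: 50 reflectors each returning large UDP responses from port 53
    for i in range(50):
        flows.append(Flow(100, f"203.0.113.{i}", "198.51.100.30",
                          17, 53, 1_200, 1_500_000, 0))
    return flows


if __name__ == "__main__":
    for (dst, start), reasons in sorted(detect(sample_flows()).items()):
        print(f"{dst} @ t={start}: {', '.join(reasons)}")
```

The SYN-flood check deliberately uses the SYN-only ratio rather than raw packet rate: the constructed flood stays well under the packet and bit thresholds, and only the flow rate and the handshake ratio expose it, which is the gap between purely volumetric detection and the protocol-level detection Mohamed asked about.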
Re: PoC for shortlisted DDoS Vendors
On Wed, 01 Apr 2015 19:51:54 +0300 Mohamed Kamal mka...@noor.net wrote:
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.

Hi Mohamed,

We recently introduced a community RTBH service called UTRS that might be a useful tool in your toolbox. Automated route relay went into effect not long ago and it seems to be working well. It isn't equivalent to any of the vendors you listed, but complementary (and completely free :-) so I hope you don't mind me mentioning it. You can find more about it here:

https://www.cymru.com/jtk/misc/utrs.html

As for other tools... NfSen may be an open source option you want to consider. It can be extended with plugins you or others provide:

http://nfsen.sourceforge.net/

Team Cymru has leveraged that with a set of plug-ins based on our insight for your network. If you want to talk to us about it, see:

https://www.team-cymru.org/Flow-Sonar.html

You might also check out:

https://github.com/FastVPSEestiOu/fastnetmon
https://bitbucket.org/tortoiselabs/ddosmon
http://sourceforge.net/projects/panoptis/

Cisco has, or had, the Cisco Guard family of products, formerly based on the Riverhead acquisition, but that platform was end-of-sale some time ago and is effectively dead. They (and some other hardware vendors) have since begun to license Arbor into their gear.

John
Re: PoC for shortlisted DDoS Vendors
Hello Pavel,

I'm certainly biased toward open-source tools if they do the job required, and I appreciate the effort you have exerted on this project. However, based upon what I saw under the features list of your tool, I assume that it can detect only volumetric DDoS attacks based upon anomalies such as an excessive number of packets/bits/connections/flows per second, compared against some previously learnt or set threshold values. But what about the protocol types of attack, which, in my humble opinion, are becoming more aggressive day after day?

Mohamed Kamal
Core Network Sr. Engineer

On 4/2/2015 5:03 PM, Pavel Odintsov wrote:
> Hello!
>
> What about open source alternatives? Most commercial ddos filters are simple high-performance firewalls with detection logic (which is many times more stupid than a well-trained network engineer). But attacks on an ISP do not arrive so often, and the detection part could be executed manually (or with oss tools like netflow analyzers or my own FastNetMon toolkit).
>
> For wire-speed filtration on 10ge (and even more if you have a modern cpu; up to 40ge) you could use netmap-ipfw with linux or freebsd with simple patches (for enabling multi-process mode).
>
> On Thursday, April 2, 2015, den...@justipit.com wrote:
>> You should include Radware on that list.
>>
>> - Reply message -
>> From: Mohamed Kamal mka...@noor.net
>> To: NANOG nanog@nanog.org
>> Subject: PoC for shortlisted DDoS Vendors
>> Date: Wed, Apr 1, 2015 9:51 AM
>>
>> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
>> 1- RioRey
>> 2- NSFocus
>> 3- Arbor
>> 4- A10
>> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
>> Thanks.
>> --
>> Mohamed Kamal
>> Core Network Sr. Engineer
>
> --
> Sincerely yours, Pavel Odintsov
Re: PoC for shortlisted DDoS Vendors
You should include Radware on that list.

- Reply message -
From: Mohamed Kamal mka...@noor.net
To: NANOG nanog@nanog.org
Subject: PoC for shortlisted DDoS Vendors
Date: Wed, Apr 1, 2015 9:51 AM

> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
> 1- RioRey
> 2- NSFocus
> 3- Arbor
> 4- A10
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
> Thanks.
> --
> Mohamed Kamal
> Core Network Sr. Engineer
Re: PoC for shortlisted DDoS Vendors
Hello!

What about open source alternatives? Most commercial ddos filters are simple high-performance firewalls with detection logic (which is many times more stupid than a well-trained network engineer). But attacks on an ISP do not arrive so often, and the detection part could be executed manually (or with oss tools like netflow analyzers or my own FastNetMon toolkit).

For wire-speed filtration on 10ge (and even more if you have a modern cpu; up to 40ge) you could use netmap-ipfw with linux or freebsd with simple patches (for enabling multi-process mode).

On Thursday, April 2, 2015, den...@justipit.com wrote:
> You should include Radware on that list.
>
> - Reply message -
> From: Mohamed Kamal mka...@noor.net
> To: NANOG nanog@nanog.org
> Subject: PoC for shortlisted DDoS Vendors
> Date: Wed, Apr 1, 2015 9:51 AM
>
> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
> 1- RioRey
> 2- NSFocus
> 3- Arbor
> 4- A10
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
> Thanks.
> --
> Mohamed Kamal
> Core Network Sr. Engineer

--
Sincerely yours, Pavel Odintsov
PoC for shortlisted DDoS Vendors
In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:

1- RioRey
2- NSFocus
3- Arbor
4- A10

The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.

Thanks.

--
Mohamed Kamal
Core Network Sr. Engineer
Re: PoC for shortlisted DDoS Vendors
Why aren't you also looking at Huawei?

On Apr 01, 2015, at 09:53 AM, Mohamed Kamal mka...@noor.net wrote:
> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in the process of doing a PoC for the following shortlisted vendors:
> 1- RioRey
> 2- NSFocus
> 3- Arbor
> 4- A10
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or testing documents for an efficient PoC.
> Thanks.
> --
> Mohamed Kamal
> Core Network Sr. Engineer