Re: Ddos mitigation service

2013-02-08 Thread Hank Nussbacher

At 11:06 01/02/2013 -0500, Patrick W. Gilmore wrote:

On Feb 01, 2013, at 10:02 , Paul Stewart p...@paulstewart.org wrote:

 Akamai (CDN) does scrubbing???

http://www.akamai.com/html/solutions/kona-solutions.html

I'm sure there are other things Akamai does in the security sector as well.


And now Juniper is possibly getting into the act:
http://forums.juniper.net/t5/The-New-Network/Juniper-Networks-Acquires-Webscreen-Systems/ba-p/177177

-Hank





Re: Ddos mitigation service

2013-02-02 Thread Beavis
+1 on Dosarrest, not so crazy price, used them before their support is
awesome. Used to be called whypigsfly, heard that some of their
techniques of mitigation were used by prolexic as well.

I'm not a sales rep. nor will I ever be.

On Fri, Feb 1, 2013 at 10:28 AM, Joseph Chin l-na...@iodi.se wrote:
 From my personal experience, I am a fan of pure-play DDoS mitigation service
 providers (e.g. Prolexic, Dosarrest) because they are the least likely to
 give up on you when things get real difficult. Read the SLA carefully to make
 sure it is fit for your purpose.

 -Original Message-
 From: James Thomas [mailto:j...@nimblesec.com]
 Sent: Friday, February 01, 2013 3:49 PM
 To: nanog@nanog.org
 Subject: Re: Ddos mitigation service

 Hi Pierre,

 Thank you for your interesting note.

 On 01/02/2013 09:57, Pierre Lamy wrote:
 The 3 major scrubbing vendors:

 Prolexic
 Verisign
 Akamai

 IIRC, CloudFlare claims to have the same capacity of DDOS mitigation as Prolexic
 (500gb) and also has a free option with fewer scrubbing features.  Do you
 have experience with it, or is there some other reason to have excluded it
 from your list?  I apologize for my noobish question.

 Cheers,

 James







-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/



Re: Ddos mitigation service

2013-02-01 Thread Pierre Lamy

The 3 major scrubbing vendors:

Prolexic
Verisign
Akamai

Prolexic has the ability to announce a /24 for you, and scrub the whole 
thing, then pipe it back to you via a GRE tunnel or dedicated circuit. 
All of the companies mentioned do this for a living, and are pretty good 
at what they do. There are other vendors as well that do FQDN scrubbing 
for you (which is the normal way to do it). You swing the DNS A record 
to point to their provisioned VIP, and they proxy back the traffic to 
you. This doesn't do anything to prevent attacks against IP addresses 
rather than resolved FQDNs.


It's important to note that all mitigation techniques can have a 
negative impact and should be tested first. The scrubbing centers are 
only one solution and you should equip yourself with multiple layers of 
defense, separated by where they live:


Beyond the carrier perimeter
- Scrubbing farms in IP-routed mode
- Scrubbing farms in DNS-routed mode
- CDNs to deliver high value target pages, like main corporate pages and 
login windows

- Globally Anycast DNS auth slaves through a CDN

Beyond your perimeter (carriers)
- Geoblocks
- Zombie detection and rate limits
- Flowspec routes via monitoring tools like Arbor's
- Various other carrier-specific security offerings
- Provision a secondary circuit to carry non-public IP space, for 
corporate web/out, phones, VPN etc. If the main pipe comes under attack, 
you can still carry out some critical business and B2B functions


Within the perimeter
- Load balancers
- Firewalls
- IPS
- WAF
- Reverse proxies
- Blackhole routes
- Flowspec routes (ie Arbor)
- A span tap on the internet feed(s) connected to a tcpdump box (silly 
and cheap, but highly useful to generate sigs and collect intel)


Not all DDoS are created equal, and there can always be some leakage by 
protections further out; the protections closer in allow for a faster 
and more granular response, but you're really limited to the circuit 
sizes, session limits etc. I would highly recommend that you also join 
industry specific cyberintelligence organizations, like any of the 
-ISACs, and/or a cyberintel provider if you don't have access to an 
-ISAC. The 3 major areas of infosec business focus in 2013 that I see 
will be insourcing malware analysis + automation of IOC generation, 
cyberintelligence, and DDoS mitigations. Businesses have realized that 
relying solely on external vendors to provide these services in a 
generic way results in good service but slower turnaround times; the 
insourced components become both a first tier of defense, and also a 
specialized set of incident responders that understand the business.


Pierre

On 31/01/2013 1:13 PM, matt kelly wrote:

Can anyone recommend ddos mitigation companies with US east coast
presence that provide the services via bgp?  We are not interested in an
appliance but rather offloading the traffic.

Thanks.
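
An added example, not part of the original thread: in DNS-routed (FQDN) scrubbing, any record that still resolves into your own address space lets traffic reach you without passing the provider's VIP. This Python sketch audits a zone for such records; the zone contents, prefixes (RFC 5737 documentation ranges) and names are constructed assumptions.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes, hypothetical names).
ORIGIN_PREFIXES = ["198.51.100.0/24"]    # address space you host yourself
SCRUBBER_PREFIXES = ["203.0.113.0/24"]   # VIPs provisioned by the provider
ZONE = """\
example.com.        300 IN A     203.0.113.10
www.example.com.    300 IN CNAME example.com.
mail.example.com.   300 IN A     198.51.100.25
example.com.        300 IN MX    10 mail.example.com.
ftp.example.com.    300 IN CNAME legacy.example.com.
legacy.example.com. 300 IN A     198.51.100.80
status.example.com. 300 IN A     192.0.2.7
"""

def parse_zone(text):
    """Return {owner: [(rtype, rdata), ...]} for the A and CNAME records."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[3] in ("A", "CNAME"):
            records.setdefault(f[0].lower(), []).append((f[3], f[4].lower()))
    return records

def resolve(name, records, depth=0):
    """Follow in-zone CNAME chains (bounded, to survive loops) down to A data."""
    addrs = []
    for rtype, rdata in (records.get(name, []) if depth < 8 else []):
        addrs += [rdata] if rtype == "A" else resolve(rdata, records, depth + 1)
    return addrs

def classify(addr, origin, scrubber):
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in scrubber):
        return "scrubbed"
    return "origin-exposed" if any(ip in net for net in origin) else "third-party"

def audit(zone_text, origin_prefixes, scrubber_prefixes):
    """Map every owner name to [(address, status)] after CNAME resolution."""
    origin = [ipaddress.ip_network(p) for p in origin_prefixes]
    scrubber = [ipaddress.ip_network(p) for p in scrubber_prefixes]
    records = parse_zone(zone_text)
    return {name: [(a, classify(a, origin, scrubber)) for a in resolve(name, records)]
            for name in sorted(records)}

def exposed_names(report):
    """Names that still hand out an origin address, bypassing the proxy."""
    return sorted(n for n, rows in report.items()
                  if any(status == "origin-exposed" for _, status in rows))
```

Calling `exposed_names(audit(ZONE, ORIGIN_PREFIXES, SCRUBBER_PREFIXES))` lists the names to move behind the VIP or renumber. It covers only what DNS reveals; attacks aimed directly at the IP addresses still need the IP-routed mode described above.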





RE: Ddos mitigation service

2013-02-01 Thread Paul Stewart
Akamai (CDN) does scrubbing???

Paul


-Original Message-
From: Pierre Lamy [mailto:pie...@userid.org] 
Sent: February-01-13 9:58 AM
To: matt kelly
Cc: nanog@nanog.org
Subject: Re: Ddos mitigation service

The 3 major scrubbing vendors:

Prolexic
Verisign
Akamai







Re: Ddos mitigation service

2013-02-01 Thread James Thomas
Hi Pierre,

Thank you for your interesting note.

On 01/02/2013 09:57, Pierre Lamy wrote:
 The 3 major scrubbing vendors:
 
 Prolexic
 Verisign
 Akamai

IIRC, CloudFlare claims to have the same capacity of DDOS mitigation as
Prolexic (500gb) and also has a free option with fewer scrubbing
features.  Do you have experience with it, or is there some other reason
to have excluded it from your list?  I apologize for my noobish question.

Cheers,

James




Re: Ddos mitigation service

2013-02-01 Thread Patrick W. Gilmore
On Feb 01, 2013, at 10:02 , Paul Stewart p...@paulstewart.org wrote:

 Akamai (CDN) does scrubbing???

http://www.akamai.com/html/solutions/kona-solutions.html

I'm sure there are other things Akamai does in the security sector as well.

-- 
TTFN,
patrick


 -Original Message-
 From: Pierre Lamy [mailto:pie...@userid.org] 
 Sent: February-01-13 9:58 AM
 To: matt kelly
 Cc: nanog@nanog.org
 Subject: Re: Ddos mitigation service
 
 The 3 major scrubbing vendors:
 
 Prolexic
 Verisign
 Akamai
 
 
 
 
 




Re: Ddos mitigation service

2013-02-01 Thread Pierre Lamy
I'm aware that they exist but don't have any knowledge or experience 
with CloudFlare.


If you're considering using them, I would ask them for a list (under 
NDA) of what large enterprises use them, what their POPs are - global is 
good - and for any analytical product they have relating to DDoS that 
they have mitigated and investigated. Also a procedure guide on how you 
would engage them in event of a DDoS. You should really be asking a lot 
of questions before signing anything with anyone, and once you select 
one - TEST IT!!! A lot of orgs do not test their mitigation processes. 
The total time to mitigation if you're not already swung to a provider, 
should be down to 30 mins to an hour, this is reasonable for detection 
to full mitigation in large companies. Without running through an 
exercise, companies will find that mitigation takes 1-4 hours. It's also 
highly recommended that you have incident handlers who are able to make 
big decisions.


-Pierre

On 01/02/2013 10:48 AM, James Thomas wrote:

Hi Pierre,

Thank you for your interesting note.

On 01/02/2013 09:57, Pierre Lamy wrote:

The 3 major scrubbing vendors:

Prolexic
Verisign
Akamai

IIRC, CloudFlare claims to have the same capacity of DDOS mitigation as
Prolexic (500gb) and also has a free option with fewer scrubbing
features.  Do you have experience with it, or is there some other reason
to have excluded it from your list?  I apologize for my noobish question.

Cheers,

James






RE: Ddos mitigation service

2013-02-01 Thread Joseph Chin
From my personal experience, I am a fan of pure-play DDoS mitigation service
providers (e.g. Prolexic, Dosarrest) because they are the least likely to
give up on you when things get real difficult. Read the SLA carefully to make
sure it is fit for your purpose.

-Original Message-
From: James Thomas [mailto:j...@nimblesec.com] 
Sent: Friday, February 01, 2013 3:49 PM
To: nanog@nanog.org
Subject: Re: Ddos mitigation service

Hi Pierre,

Thank you for your interesting note.

On 01/02/2013 09:57, Pierre Lamy wrote:
 The 3 major scrubbing vendors:
 
 Prolexic
 Verisign
 Akamai

IIRC, CloudFlare claims to have the same capacity of DDOS mitigation as Prolexic
(500gb) and also has a free option with fewer scrubbing features.  Do you
have experience with it, or is there some other reason to have excluded it
from your list?  I apologize for my noobish question.

Cheers,

James






Re: Ddos mitigation service

2013-01-31 Thread Kenneth McRae
Arbor Networks..

On Thu, Jan 31, 2013 at 10:13 AM, matt kelly mjke...@gmail.com wrote:

 Can anyone recommend ddos mitigation companies with US east coast
 presence that provide the services via bgp?  We are not interested in an
 appliance but rather offloading the traffic.

 Thanks.




-- 
Best Regards,



Kenneth McRae
*Director, Network Operations*
kenneth.mc...@dreamhost.com
Ph: 818-447-2589
www.dreamhost.com


Re: Ddos mitigation service

2013-01-31 Thread Seth Mattinen
On 1/31/13 10:13 AM, matt kelly wrote:
 Can anyone recommend ddos mitigation companies with US east coast
 presence that provide the services via bgp?  We are not interested in an
 appliance but rather offloading the traffic.
 

Prolexic.



Re: Ddos mitigation service

2013-01-31 Thread Allan Liska
On Thu, Jan 31, 2013 at 1:13 PM, matt kelly mjke...@gmail.com wrote:

 Can anyone recommend ddos mitigation companies with US east coast
 presence that provide the services via bgp?  We are not interested in an
 appliance but rather offloading the traffic.


I would look at Verisign's VIDN product:


http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/ddos/index.xhtml


allan


Re: Ddos mitigation service

2013-01-31 Thread Alain Hebert
Look up DOSArrest.  (dosarrest.com)

3 permanent cases easily solved with them.

And no, I'm not one of their sales rep =D

-
Alain Hebert    aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 01/31/13 13:13, matt kelly wrote:
 Can anyone recommend ddos mitigation companies with US east coast
 presence that provide the services via bgp?  We are not interested in an
 appliance but rather offloading the traffic.

 Thanks.






Re: Ddos mitigation service

2013-01-31 Thread Ameen Pishdadi
Hi Matt ,

Are you still looking for ddos protection? 

Thanks,
Ameen Pishdadi


On Jan 31, 2013, at 12:13 PM, matt kelly mjke...@gmail.com wrote:

 Can anyone recommend ddos mitigation companies with US east coast
 presence that provide the services via bgp?  We are not interested in an
 appliance but rather offloading the traffic.
 
 Thanks.