-----Original Message-----
From: Seth Mattinen [mailto:sethm@rollernet.us]
Sent: Wednesday, June 01, 2011 2:44 AM
To: nanog@nanog.org
Subject: Re: Verisign Internet Defence Network
Sounds like a catch-22 though; if it's not always on and only starts scrubbing after an attack begins (pending activation approval from the customer which may take time), then the customer site is quite possibly already down when they start doing their thing to make it come back up.
Well, that's exactly how it works in most cases. Customers don't usually avail of these types of services until there is a problem, which usually means their site is down in most cases. This is why having proper visibility is key, as it can serve as an early warning system giving indication of an impending attack prior to it becoming big enough to bring the site down (usually it takes several minutes to ramp up the attack during the time the bots receive their instruction set from the bot herder). The problem with an always-on mitigation service is that there are additional latencies involved in the redirection (assuming it's not in-line), not to mention the inspection/proxying/filtering that the mitigation devices perform. Note that these latencies will be substantially less on an on-net service offering like Verizon's, whereas they can be substantially higher on an off-net service offering from folks like Verisign/Prolexic, etc. These latencies are generally acceptable when a site is under attack, but not desired under normal circumstances.

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC
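The early-warning window Stefan describes, as an added example that is not part of the thread: a constructed series of packet-rate samples and a simple ramp detector that flags sustained growth over the normal baseline and reports how far ahead of link saturation the alert fires. The sample values, the 1 Mpps link capacity, the 30-second sampling interval and the thresholds are all assumptions.

```python
"""Ramp detector over per-interval packet-rate samples.

Idea: a botnet ramp is visible as several consecutive samples well above
the pre-attack baseline while the link still has headroom; alerting at
that point gives the operator lead time to activate scrubbing.
"""
from statistics import median

# Constructed 30-second samples (packets per second); not real data.
SAMPLES_PPS = [
    12_000, 11_500, 12_300, 11_900, 12_100, 12_400,   # normal traffic
    30_000, 65_000, 140_000, 300_000,                 # bots begin ramping
    620_000, 950_000, 1_000_000, 1_000_000,           # link saturates
]
LINK_CAPACITY_PPS = 1_000_000   # assumed 1 Mpps link
INTERVAL_SECONDS = 30           # assumed sampling interval


def baseline(samples, window):
    """Median of the first `window` samples, taken as the 'normal' rate."""
    return median(samples[:window])


def first_warning(samples, window=6, factor=3.0, consecutive=2):
    """Index of the first sample at which the rate has exceeded
    `factor` x baseline for `consecutive` samples in a row, else None."""
    base = baseline(samples, window)
    run = 0
    for i, pps in enumerate(samples[window:], start=window):
        run = run + 1 if pps > factor * base else 0
        if run >= consecutive:
            return i
    return None


def first_saturation(samples, capacity):
    """Index of the first sample at or above link capacity, else None."""
    for i, pps in enumerate(samples):
        if pps >= capacity:
            return i
    return None


def lead_time_seconds(samples, capacity, interval_s=INTERVAL_SECONDS, **kw):
    """Seconds between the early warning and saturation; None if either
    event never occurs. This is the window available to activate scrubbing."""
    w = first_warning(samples, **kw)
    s = first_saturation(samples, capacity)
    if w is None or s is None:
        return None
    return (s - w) * interval_s
```

With the constructed samples the warning fires at the third ramp sample (140 kpps, about 12x baseline) and saturation comes four samples later, so the alert arrives roughly two minutes before the site would go down.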