On Mon, Mar 24, 2008 at 5:18 PM, Roland Dobbins <rdobbins@cisco.com> wrote:
There are devices available today from different vendors (including Cisco, full disclosure) which are intelligent DDoS-'scrubbers' and which can deal with more sophisticated types of attacks at layer-7, including HTTP and DNS. S/RTBH is also an option, keeping in mind some of the caveats you mentioned (staying mindful of attacking hosts behind proxies, botted hosts of legit customers, et. al.).
Citrix (Netscaler), F5 (BIG-IP), and as Roland mentioned, Cisco, all offer varying levels of security for the content layer. If you're running Apache, you may also investigate mod_evasive, and in the case of exploits, mod_security. Naturally, your ability to filter and contain the attack with software is going to be limited by the host hardware, so it's best to take a layered approach to mitigating various attacks you face. Also important to be aware of your network architecture lest you find yourself with DDoS bits clogging the pipes just before your (expensive) defenses. :-) - Tim