On Thu, 28 Jul 2005, John Neiberger wrote:
Ferg,
That's an understandable attitude given the nature of your networks. In our case, I'm just talking about two or three T1s that provide Internet connectivity to our website for our customers.
I appreciate your input, though. I will accept all advice and input if it gets me closer to a better understanding of the realities of the topic at hand and if it helps weed out some of the marketing fluff that's being heaped upon me by salespeople. :)
Ok, so why not jump in with 1 foot at least :)

A note first though:

1) UUNET/MCI does sell this product (I don't sell it personally, I don't sell anything actually)
2) UUNET/MCI's sales method for this product is 'confusing' (to me at least, but recall I'm a chemical engineer...)
3) UUNET/MCI has been providing this service for free for 6+ years, now with special gear and a price for 'enhanced services'

Now, down to business. The core of your question is two parts:

a) how much should you spend
b) how much protection do you need

For the 'a' part a few folks have said: "Pay what you are willing to part with". That means you have to decide how much protection you want and how much you'll need (see 'b').

For 'b' I can say, after 5+ years defending UUNET's customers globally (well, the team I work on does this globally, it's not just me) and giving a talk here or there about this subject: "Attackers will do just enough to be effective."

Keep in mind there is no way for them to know you have a 9600 baud modem or an OC-48. I've seen 400 Mbps attacks against modem users, and a modem's worth of 'attack' aimed at an OC-12 customer :( Normally the attackers aim a weapon at the victim, shoot, and add more weapons if required. They will add more until they get their effect. This COULD mean that if you purchased 60 Gbps of attack mitigation capacity you'd get screwed in the end...

There is a trade-off: "how much is realistic to expect"; this has nothing to do with your end-site connectivity. I'd aim at an average (high average) attack size. I'd aim at 500 Mbps/1 Gbps. I'd also ask a few other questions:

1) How does this mitigation get started? (phone call, ticket, call back? or customer-initiated BGP update? or prayers to the ddos-mitigation-god?)
2) How much capacity is available regardless of what is purchased?
3) How quickly can extra capacity be added if required? (days? hours? seconds? at all?)
4) How much latency will be incurred if I have a /32 under mitigation? What about a /24? A /16? Does it matter?
5) How much granularity in the policy of said device(s) do I have?
6) How does reporting work for this service? (how do I know anything is happening?)
7) Are there dedicated individuals prepared to answer my questions at 0dark:30 on a Saturday Christmas night?

As I said, I do this for a living, I have a little bit of a bias :) but I'm sure if you listen to Mr. Feger he's a smart guy as well, who knows this problem as well as I do...

Good luck! If you want other info about this service (the MCI version of it) and don't want to jaw with a sales droid you can get me off-list. Same goes for other folks, I'd just note I'm away from email a bit over the next few days so I may be a little slow to respond :)

-Chris