Hello, Is there any DDoS mitigation service provider that can scrub traffic for an ISP network? I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I was thinking the scenario would be during attack, we could bring up a tunnel and run bgp over it and advertise some portion of our ip space thru it. I realise getting it setup while attack is taking place would be a little hard and that we likely could expect at least some down time. What we have seen so far has been reflection attacks (dns and ssdp) and we have been able to do rate limiting on these and other protocols to sane values. This has worked well, although the primary risk is once the traffic flow exceeds the link capacity such limiting won't have any net effect. But if we could farm this out during times of trouble to a mitigation services provider, they could advertise our block(s) and rate limit and scrub for us and send us the result, it would be a far better than what we have now (which is effectively nothing). I asked cloudflare this and they stated they are focused on web traffic. My upstream can't help me, doesn't support RTBH and won't install filters anyways unless it's impacting THEIR network. Just wondering if anyone has any other ideas (short of ditching my provider, which I also can't do due at this time due to lack of competitive choice). Mike-
On Thu, Oct 29, 2015 at 08:42:31AM -0700, Mike wrote:
Is there any DDoS mitigation service provider that can scrub traffic for an ISP network?
Yeah, plenty. A non-exhaustive list: Prolexic, Incapsula, Staminus or Nexusguard. There is no lack of choice.
I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I was thinking the scenario would be during attack, we could bring up a tunnel and run bgp over it and advertise some portion of our ip space thru it. I realise getting it setup while attack is taking place would be a little hard and that we likely could expect at least some down time.
It is more common to set up the GRE tunnel before hand, and just send out the BGP announcement of the /24 when an IP within that /24 is under attack. Kind regards, Job
On Thu 2015-Oct-29 08:42:31 -0700, Mike <mike-nanog@tiedyenetworks.com> wrote:
Hello,
Is there any DDoS mitigation service provider that can scrub traffic for an ISP network? I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I was thinking the scenario would be during attack, we could bring up a tunnel and run bgp over it and advertise some portion of our ip space thru it. I realise getting it setup while attack is taking place would be a little hard and that we likely could expect at least some down time. What we have seen so far has been reflection attacks (dns and ssdp) and we have been able to do rate limiting on these and other protocols to sane values. This has worked well, although the primary risk is once the traffic flow exceeds the link capacity such limiting won't have any net effect. But if we could farm this out during times of trouble to a mitigation services provider, they could advertise our block(s) and rate limit and scrub for us and send us the result, it would be a far better than what we have now (which is effectively nothing). I asked cloudflare this and they stated they are focused on web traffic. My upstream can't help me, doesn't support RTBH and won't install filters anyways unless it's impacting THEIR network. Just wondering if anyone has any other ideas (short of ditching my provider, which I also can't do due at this time due to lack of competitive choice).
Mike-
In no particular order: - Prolexic (Akamai) - Arbor Networks - Staminus - Black Lotus - Incapsula - Radware This is not an endorsement for any of the above. Alternatively: http://lmgtfy.com/?q=ddos+protection -- Hugo hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on textsecure & redphone)
On 10/29/2015 08:54 AM, Hugo Slabbert wrote:
On Thu 2015-Oct-29 08:42:31 -0700, Mike <mike-nanog@tiedyenetworks.com> wrote:
Hello,
Is there any DDoS mitigation service provider that can scrub traffic for an ISP network? I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I was thinking the scenario would be during attack, we could bring up a tunnel and run bgp over it and advertise some portion of our ip space thru it. I realise getting it setup while attack is taking place would be a little hard and that we likely could expect at least some down time. What we have seen so far has been reflection attacks (dns and ssdp) and we have been able to do rate limiting on these and other protocols to sane values. This has worked well, although the primary risk is once the traffic flow exceeds the link capacity such limiting won't have any net effect. But if we could farm this out during times of trouble to a mitigation services provider, they could advertise our block(s) and rate limit and scrub for us and send us the result, it would be a far better than what we have now (which is effectively nothing). I asked cloudflare this and they stated they are focused on web traffic. My upstream can't help me, doesn't support RTBH and won't install filters anyways unless it's impacting THEIR network. Just wondering if anyone has any other ideas (short of ditching my provider, which I also can't do due at this time due to lack of competitive choice).
Mike-
In no particular order:
- Prolexic (Akamai) - Arbor Networks - Staminus - Black Lotus - Incapsula - Radware
This is not an endorsement for any of the above. Alternatively: http://lmgtfy.com/?q=ddos+protection
Actually I did the google thing first and followed up with several of the top results, and not once did I see anyone offering a bgp tunnel + scrub which is why I asked. I did get some good off list responses however, thanks all. Mike-
Alternatively: http://lmgtfy.com/?q=ddos+protection
Actually I did the google thing first and followed up with several of the top results, and not once did I see anyone offering a bgp tunnel + scrub which is why I asked. I did get some good off list responses however, thanks all.
Mike-
Apologies for the snarky link. A Google search on my end turned up several of the solutions I listed manually and which definitely do GRE + BGP. Apparently my past searches on the subject have coloured my current results more than I expected... -- Hugo hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on textsecure & redphone)
Hello! Could recommend folks from EU - http://qrator.net/en/ Two years without any issues. Perfect SSL and http filtration. On Thu, Oct 29, 2015 at 10:53 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
Alternatively: http://lmgtfy.com/?q=ddos+protection
Actually I did the google thing first and followed up with several of the top results, and not once did I see anyone offering a bgp tunnel + scrub which is why I asked. I did get some good off list responses however, thanks all.
Mike-
Apologies for the snarky link. A Google search on my end turned up several of the solutions I listed manually and which definitely do GRE + BGP. Apparently my past searches on the subject have coloured my current results more than I expected...
-- Hugo
hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
(also on textsecure & redphone)
-- Sincerely yours, Pavel Odintsov
participants (4)
-
Hugo Slabbert -
Job Snijders -
Mike -
Pavel Odintsov