Agreed, my shortlist for evaluation would include Arbor, Radware and Genie NRM. New players to the market include just about every IPS and application load balancing solution out there. -------------------------------------------------- From: "Suresh Ramasubramanian" <ops.lists@gmail.com> Sent: Thursday, January 31, 2013 10:23 AM To: "Piotr" <piotr.1234@interia.pl> Cc: <nanog@nanog.org> Subject: Re: box against dos/ddos

arbor peakflow to start with?

On Thursday, January 31, 2013, Piotr wrote:

...

Hi,

I looking some box (vendor, model), which i can put out of the main/product network, which can analyze packets netflow,sflow,syslog from bgp router(s) and after discover some anomaly it can do some action, for example:

- Box have bgp session with bgp router and advertise attacked ip prefix with some community. Bgp router set next-hop for this prefix to /dev/null

Normal traffic via bgp router is about 1G/s in and 10G/s out

What is worth of looking and what you suggest ?

thanks for help, Piotr

-- --srs (iPad)

I think Radware has to sit inline. I do not believe they offer BGP offramp, so keep that in mind. On Thu, Jan 31, 2013 at 10:39 AM, Jay Coley <j@jcoley.net> wrote:

+1 for Radware

On 31/01/2013 18:36, dennis wrote:

...

Agreed, my shortlist for evaluation would include Arbor, Radware and Genie NRM. New players to the market include just about every IPS and application load balancing solution out there.

-------------------------------------------------- From: "Suresh Ramasubramanian" <ops.lists@gmail.com> Sent: Thursday, January 31, 2013 10:23 AM To: "Piotr" <piotr.1234@interia.pl> Cc: <nanog@nanog.org> Subject: Re: box against dos/ddos

...

arbor peakflow to start with?

On Thursday, January 31, 2013, Piotr wrote:

...

Hi,

I looking some box (vendor, model), which i can put out of the main/product network, which can analyze packets netflow,sflow,syslog from bgp router(s) and after discover some anomaly it can do some action, for example:

- Box have bgp session with bgp router and advertise attacked ip prefix with some community. Bgp router set next-hop for this prefix to /dev/null

Normal traffic via bgp router is about 1G/s in and 10G/s out

What is worth of looking and what you suggest ?

thanks for help, Piotr

-- --srs (iPad)

-----Original Message----- From: Carlos Kamtha [mailto:kamtha@ak-labs.net] Sent: Thursday, January 31, 2013 13:53 To: Piotr Cc: nanog@nanog.org Subject: Re: box against dos/ddos

Arbour Peakflow is probably the way to go.

However if you don't want to spend a ton of money, you might want to consider using a stub router +bgp coupled with a server running the appropriate SNMP tools (perhaps cacti) to publish your desired data.

It's not the most convenient solution but it should do..

Cheers.

-CK

On Thu, Jan 31, 2013 at 03:37:41PM +0100, Piotr wrote:

...

Hi,

I looking some box (vendor, model), which i can put out of the main/product network, which can analyze packets netflow,sflow,syslog from bgp router(s) and after discover some anomaly it can do some action, for example:

- Box have bgp session with bgp router and advertise attacked ip prefix with some community. Bgp router set next-hop for this prefix to /dev/null

Normal traffic via bgp router is about 1G/s in and 10G/s out

What is worth of looking and what you suggest ?

thanks for help, Piotr

Most larger ISPs offer this as a service that you can add on with existing contracts. They usually guarantee up to a certain bandwidth level what they will provide as "clean pipe service". Be advised most ISPs are only able to scrub to L3, anything higher and you have to start looking at Verisign, Prolexic or similar and/or something in house. Especially for SSL based attacks. Thanks. Justin