They're all lying... or telling the truth.
Dependent upon their _own_ business models.
I'd say: protect thyself.
- ferg
-- John Neiberger <jneiberger@gmail.com> wrote:
I've been talking to various providers about their DDoS detection and mitigation services and I'd like to get some opinions about what I'm hearing.
One provider prices their product based on how much traffic you will need to mitigate during an attack. The sales engineers say that most DDoS attacks are in the 2-3 Gbps range so, of course, they recommend that you pay for that much protection at great cost.
Another provider (using the exact same hardware and software) costs about half as much per month.
Yet another provider (again, using exactly the same hardware and software) has much more flexible pricing that is far more attractive, but that's because their engineers state that DDoS attacks are usually sized to match the size of the network they're attacking. For example, according to this sales engineer, attackers usually won't launch a 3 Gbps attack on someone who only has a handful of T1 circuits. So, this provider's pricing looks much more attractive to end-users who have smaller circuit size requirements. If you have a single T1, for example, you could buy 50 Mbps of protection and they say that's enough.
What do you think? Is the first vendor closer to telling the truth, or is the third vendor? Or, is there really just no way of knowing ahead of time so you might as well pay for the most protection you can afford?
Thanks, John
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg@netzero.net or fergdawg@sbcglobal.net ferg's tech blog: http://fergdawg.blogspot.com/
Protect thyself how? For DDoS protection to work, the nasty traffic must be stopped before it gets to my access circuits. Once it gets close enough for me to do anything about it directly it's too late.
The problem is that I don't know enough about DDoS traffic patterns to make an accurate assessment of these statements, which is why I asked the question here. I'll be doing other research on my own, of course, but I thought I'd check here first.
Many thanks, John
On 7/28/05, Fergie (Paul Ferguson) <fergdawg@netzero.net> wrote:
They're all lying... or telling the truth.
Dependent upon their _own_ business models.
I'd say: protect thyself.
- ferg
-- John Neiberger <jneiberger@gmail.com> wrote:
I've been talking to various providers about their DDoS detection and mitigation services and I'd like to get some opinions about what I'm hearing.
One provider prices their product based on how much traffic you will need to mitigate during an attack. The sales engineers say that most DDoS attacks are in the 2-3 Gbps range so, of course, they recommend that you pay for that much protection at great cost.
Another provider (using the exact same hardware and software) costs about half as much per month.
Yet another provider (again, using exactly the same hardware and software) has much more flexible pricing that is far more attractive, but that's because their engineers state that DDoS attacks are usually sized to match the size of the network they're attacking. For example, according to this sales engineer, attackers usually won't launch a 3 Gbps attack on someone who only has a handful of T1 circuits. So, this provider's pricing looks much more attractive to end-users who have smaller circuit size requirements. If you have a single T1, for example, you could buy 50 Mbps of protection and they say that's enough.
What do you think? Is the first vendor closer to telling the truth, or is the third vendor? Or, is there really just no way of knowing ahead of time so you might as well pay for the most protection you can afford?
Thanks, John
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg@netzero.net or fergdawg@sbcglobal.net ferg's tech blog: http://fergdawg.blogspot.com/
* John Neiberger:
Protect thyself how? For DDoS protection to work, the nasty traffic must be stopped before it gets to my access circuits. Once it gets close enough for me to do anything about it directly it's too late.
It depends. Quite a few DoS attacks are not based on bandwidth saturation or network device overload. On the other hand, if you address the easy ones within your own network, the attackers might switch to types which you can't deal with on your own. 8-( Anyway, you should examine *why* you (or your customers) are attacked, and address that. Everything else is likely cost-effective. Of course, this might mean you have to do without some revenue if you have customers that are DoS magnets for some reason.
On 29/07/05, Florian Weimer <fw@deneb.enyo.de> wrote:
Anyway, you should examine *why* you (or your customers) are attacked, and address that. Everything else is likely cost-effective. Of course, this might mean you have to do without some revenue if you have customers that are DoS magnets for some reason.
Not allowing your users to run eggdrop or other irc bots on the shells you give them, and generally not hosting irc stuff would definitely help there. -- Suresh Ramasubramanian (ops.lists@gmail.com)
* Suresh Ramasubramanian:
On 29/07/05, Florian Weimer <fw@deneb.enyo.de> wrote:
Anyway, you should examine *why* you (or your customers) are attacked, and address that. Everything else is likely cost-effective. Of course, this might mean you have to do without some revenue if you have customers that are DoS magnets for some reason.
Not allowing your users to run eggdrop or other irc bots on the shells you give them, and generally not hosting irc stuff would definitely help there.
Definitely. You should also help your customer to detect successful break-ins. Compromised machines are often used in very questionable contexts and quickly become targets of DoS attacks as well (not your average owned home computer, of course, it's more about multi-user UNIX machines).
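Suresh's point about IRC bots on customer shells and Florian's point about spotting compromised multi-user machines both come down to the same operational check: does a host that has no business talking to IRC keep a persistent session open to an IRC server? The script below is an added example, not code from anyone in the thread; it scans a constructed flow log (timestamp, source, destination, destination port, bytes) and flags hosts on an assumed "no IRC" policy list that repeatedly reach the same IRC endpoint inside a time window. The policy list, the port set and the sample records are all assumptions made for the example.

```python
"""Flag shell hosts holding persistent outbound IRC connections.

Added example for the NANOG thread above; the flow records, the policy
list and the IRC port set are constructed assumptions, not real data.
"""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports commonly used by IRC servers (6667 plain, 6697 TLS) -- assumption.
IRC_PORTS = {6667, 6697}

# Hosts that, under the hosting policy discussed in the thread, should
# never originate IRC traffic -- constructed list for this example.
POLICY_NO_IRC = {"10.0.5.10", "10.0.5.11"}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed sample flow log: "timestamp src dst dport bytes".
# 10.0.5.10 beacons to one IRC server every ten minutes (bot-like);
# 10.0.5.11 only does web traffic; 10.0.5.12 is not on the policy list.
SAMPLE_FLOWS = """\
2005-07-29T01:00:00 10.0.5.10 198.51.100.7 6667 1200
2005-07-29T01:10:00 10.0.5.10 198.51.100.7 6667 900
2005-07-29T01:20:00 10.0.5.10 198.51.100.7 6667 1100
2005-07-29T01:30:00 10.0.5.10 198.51.100.7 6667 1000
2005-07-29T01:05:00 10.0.5.11 203.0.113.20 80 5000
2005-07-29T01:06:00 10.0.5.11 203.0.113.20 443 7000
2005-07-29T01:07:00 10.0.5.12 198.51.100.9 6697 400
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_irc_bots(flows, min_flows=3, window=timedelta(hours=1)):
    """Return {src: [(dst, dport, flow_count), ...]} for policy hosts that
    reached the same IRC endpoint at least `min_flows` times within `window`.

    Repeated flows to one endpoint, rather than a single connection, are
    used so that a one-off user mistake is not reported as a bot.
    """
    buckets = defaultdict(list)
    for f in flows:
        if f.src in POLICY_NO_IRC and f.dport in IRC_PORTS:
            buckets[(f.src, f.dst, f.dport)].append(f.ts)

    findings = defaultdict(list)
    for (src, dst, dport), stamps in buckets.items():
        stamps.sort()
        if len(stamps) >= min_flows and stamps[-1] - stamps[0] <= window:
            findings[src].append((dst, dport, len(stamps)))
    return dict(findings)


if __name__ == "__main__":
    for host, endpoints in find_irc_bots(parse_flows(SAMPLE_FLOWS)).items():
        for dst, dport, count in endpoints:
            print(f"{host}: {count} flows to {dst}:{dport} -- check for an IRC bot")
```

Run against real exports, the same logic works on NetFlow or firewall logs once `parse_flows` is adapted to the field order; the threshold and window are the knobs to tune so that a user who briefly tries an IRC client is not reported alongside a bot that beacons all night.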
Suresh Ramasubramanian wrote:
Not allowing your users to run eggdrop or other irc bots on the shells you give them, and generally not hosting irc stuff would definitely help there.
Filtering anything other than port 80 and maybe 53 would allow them to experience the Internet in a safe and controlled manner! Pete
On 29/07/05, Petri Helenius <pete@he.iki.fi> wrote:
Filtering anything other than port 80 and maybe 53 would allow them to experience the Internet in a safe and controlled manner!
Petri, if someone has to actually ask on nanog about ddos mitigation tools, he is much better off not having irc bots, or other such kick me signs^W ddos magnets on his network. Real world experience facing down ddos attacks, and googling for docs of other peoples' real world experiences should have come in useful long before asking for ddos mitigation 101 on nanog, if he really made a conscious decision to host these. --srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
participants (5)
- Fergie (Paul Ferguson)
- Florian Weimer
- John Neiberger
- Petri Helenius
- Suresh Ramasubramanian