Re: OT: TCP Intercept

From: Ash (nester2k@gmail.com)
Date: Mon Oct 01 2007 - 00:49:31 ART


Another alternative for curbing DOS would be blackholing the destination
server in question by advertising the destination with a blackhole community
to the ISP. If your entire service subnet is being DDoS'd, and assuming your
pipes aren't getting saturated, there are other solutions such as Arbor and
Cisco Guard that can do anomaly detection and scrubbing to prevent the
traffic from reaching your servers within your internet segment. This will
keep your server/site/service up.

Best approach is to buy DDOS protection from the ISP, but they'll charge you an
arm and a leg for it unfortunately, plus DDOS anomaly detection isn't
offered everywhere in NA either.

Features like TCP intercept can help up to a point but will result in CPU
spikes on the box and, depending on your chassis, may take down the peering
altogether. When the volume is massive, TCP intercept will have a hard time
keeping up and you'll need some powerful appliances to detect and mitigate
DOS traffic.

HTH,

On 8/3/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> Just an OT question for the collective: are BGP routers a suitable
> location to run TCP Intercept?
>
> I would think that the edge of my network is a perfect place to try to
> defend against DOS attacks but I don't know what negative side effects
> might appear (if any) by doing this.
>
> ---
> Rik
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
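
Added example (not part of the original post or thread): a customer-side sketch, in Cisco IOS configuration, of the blackhole-community approach described in the reply above. The address 192.0.2.10, tag 666, the route-map name and the bracketed placeholders are assumptions; the real blackhole community, and whether the ISP accepts /32 routes from customers, must come from the ISP.

```cisco
! Constructed example; every value is a placeholder, none comes from the thread.
! 192.0.2.10 (documentation range) stands in for the server under attack.
!
! Display communities in AA:NN form.
ip bgp-community new-format
!
! 1. Trigger: a tagged host route for the attacked address. Adding this line
!    starts the blackhole; "no ip route ..." withdraws it.
ip route 192.0.2.10 255.255.255.255 Null0 tag 666
!
! 2. Export only static routes that carry the trigger tag, and mark them with
!    the ISP's blackhole community. The route-map's implicit deny keeps all
!    other static routes out of BGP.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community <ISP-BLACKHOLE-COMMUNITY>
!
! 3. Advertise the tagged route to the ISP and send the community with it.
!    Any existing outbound prefix filter toward the ISP must also permit the /32.
router bgp <LOCAL-AS>
 redistribute static route-map RTBH-TRIGGER
 neighbor <ISP-PEER-IP> send-community
```

Blackholing drops all traffic to that address at the ISP, so the attacked host goes offline while the rest of the subnet and the link stay usable.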


