netsec-sig - [Security-WG] DDoS mitigation service taxonomy
Subject: Internet2 Network Security SIG
- From: "Magorian, Daniel F." <>
- To: "" <>
- Subject: [Security-WG] DDoS mitigation service taxonomy
- Date: Thu, 17 Sep 2015 19:58:52 +0000
- Accept-language: en-US
Good Incapsula call today, though being able to ask questions via audio next time
would be a lot nicer than typing them.
I've been talking to a lot of DDoS vendors lately. Wide variation in pricing
for similar products, in some cases 2-10x. Some have completely archaic
pricing based on count of /24s, which in these days of NAT means you can have
10G of traffic coming through one address. Or your /8 costs $55M/month. All
the reps can do is discount the heck out of it; they can't change the model. Important to
figure out the caveats to "flat rate" tiered pricing like "we ask you to upgrade",
aka you get a bill post facto if you don't.
Taxonomy: Overall, although there are a lot of different service names,
there are on-prem and off-prem scrubbing, and two kinds of off-prem scrubbing:
inline and BGP redirection. Also, DDoS latency has 2 components:
geographic, i.e. your inbound traffic goes elsewhere before coming to you, and
scrubbing latency of the devices the service uses.
1) On-prem is a box like Arbor's, and some IPSes can DDoS scrub.
Pros:
Fixed capex cost to buy it and yearly fee/maint, no costs/incident.
Better for long-duration slow attacks.
Can be used in a hybrid system to automatically signal redirection to off-prem
when volume rises.
Cons:
With a big enough attack saturating the lines to your upstreams, on-prem can't mitigate
that, so off-prem is necessary.
2) Off-prem inline (mostly a legacy service these days, see cons)
Pros:
Since your upstream ISPs have your traffic anyway before it gets to your
locations, they can scrub it w/o a lot of visible plumbing to you or actions
on your part. However, there still might be geographic latency based on
their internal plumbing to their scrubbers.
Cons:
Every line, or at least every ISP, needs to have its own scrubbing. With
multihoming to multiple ISPs, this becomes impractical.
3) Off-prem BGP-based redirection. This is the current standard service.
There's no intrinsic relationship between your upstream ISPs and the DDoS
scrubbing service, though some offer OEMed versions for easier
payment/procurement. The mechanism is that you are already BGP peered with
the scrubbing location closest to you (to minimize geographic latency) and
have pre-established GRE or other tunnels from that location via your normal
ISPs back to your edge routers (multiple for diversity). It needs to be
tunneled so it looks like one hop to your edges and doesn't reroute via some
other path, e.g. in a loop back to the scrubber. On an incident, which can be
triggered several ways, your edge routers prepend your routes and the
scrubber advertises your routes unprepended. The scrubber and its
upstream ISPs will be in the path but should win over your prepended directs,
so your traffic flows to them instead of directly to your edge routers, and
they then deliver it over the GRE tunnels to your edge routers.
Pros:
Handles multiple ISPs and lines with one service, which can be distinct from
the ISPs.
Cons:
A lot of fiddling around with turning it on and off, manually or automatically,
and costs for that. Some Fed agencies are always under attack and so leave
it on permanently, but then pay the latency tax for that, so most places
leave it off till needed.
You have to trust that your DDoS service's lines and scrubbers are big enough
that they won't get saturated themselves with volumetric attacks against
multiple customers. Everyone claims purpose-built for the latter, but
they're usually proprietary.
Dan
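The redirection mechanism in item 3 above, as an added toy model that is not part of Dan's message or any vendor's documentation. It shows two things: why a remote AS prefers the scrubber's unprepended announcement over the customer's prepended direct route, and why the cleaned traffic has to come back over a tunnel whose endpoint sits outside the redirected prefix (otherwise the scrubber's own upstream routes it straight back to the scrubber, the loop the message warns about). The ASNs, prefixes, node names and forwarding tables are all constructed from the documentation ranges, the BGP decision is reduced to AS_PATH length, and the topology is deliberately minimal (one ISP, one scrubbing site, one upstream); none of it reflects any real provider.

```python
"""Toy model of BGP-redirect DDoS scrubbing (constructed example).

Models: a remote AS choosing between the customer's prepended direct route and
the scrubber's unprepended one, then hop-by-hop forwarding of attack traffic,
with and without GRE encapsulation of the cleaned traffic back to the edge.
All ASNs and prefixes are documentation values, not real ones (assumption).
"""
from dataclasses import dataclass
import ipaddress

CUST_AS, ISP_A_AS, SCRUB_AS, SCRUB_UP_AS = 64496, 64497, 64499, 64500
CUST_PREFIX = ipaddress.ip_network("203.0.113.0/24")     # prefix under attack (constructed)
TUNNEL_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # never redirected (assumption)
EDGE_TUNNEL_IP = ipaddress.ip_address("198.51.100.1")    # GRE endpoint on the edge router
PREPEND = 3  # extra copies of CUST_AS the edge adds to its announcement during an incident


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple   # [0] is the neighbour that announced it, [-1] the origin
    next_hop: str    # forwarding node name used by the toy FIBs below


def best_path(routes):
    """Simplified BGP decision: shortest AS_PATH wins, lowest neighbour ASN breaks ties."""
    return min(routes, key=lambda r: (len(r.as_path), r.as_path[0]))


def remote_routes(mitigation_on):
    """What a remote AS hears for CUST_PREFIX (constructed): the direct route via
    ISP A, plus, during an incident, the scrubber's copy via its own upstream."""
    direct = (ISP_A_AS, CUST_AS) + ((CUST_AS,) * PREPEND if mitigation_on else ())
    routes = [Route(CUST_PREFIX, direct, "isp_a")]
    if mitigation_on:
        routes.append(Route(CUST_PREFIX, (SCRUB_UP_AS, SCRUB_AS, CUST_AS), "scrub_up"))
    return routes


def build_fibs(mitigation_on):
    """Per-node forwarding tables. The remote AS installs whatever best_path picks;
    the scrubber has no direct link to us, so its table just points at its upstream."""
    remote_nh = best_path(remote_routes(mitigation_on)).next_hop
    return {
        "remote":   {CUST_PREFIX: remote_nh, TUNNEL_PREFIX: "isp_a"},
        "scrub_up": {CUST_PREFIX: "scrubber" if mitigation_on else "isp_a",
                     TUNNEL_PREFIX: "isp_a"},
        "scrubber": {CUST_PREFIX: "scrub_up", TUNNEL_PREFIX: "scrub_up"},
        "isp_a":    {CUST_PREFIX: "edge", TUNNEL_PREFIX: "edge"},
        "edge":     {},
    }


def lookup(fib, dst):
    """Longest-prefix match."""
    matches = [p for p in fib if dst in p]
    return fib[max(matches, key=lambda p: p.prefixlen)]


def deliver(mitigation_on, gre, tunnel_ip=EDGE_TUNNEL_IP,
            dst=ipaddress.ip_address("203.0.113.10")):
    """Walk one packet from the remote AS toward our edge. Returns (hops, delivered).
    gre=True: the scrubber encapsulates cleaned traffic with outer dst = tunnel_ip.
    gre=False: the scrubber re-forwards the packet with its original destination.
    A loop is declared when the same (node, current dst) pair is seen twice."""
    fibs = build_fibs(mitigation_on)
    node, cur_dst, hops, seen = "remote", dst, [], set()
    while True:
        if (node, cur_dst) in seen:
            return hops, False
        seen.add((node, cur_dst))
        hops.append(node)
        if node == "edge":               # edge decapsulates GRE and delivers internally
            return hops, True
        if node == "scrubber" and gre:
            cur_dst = tunnel_ip          # outer header now targets the tunnel endpoint
        node = lookup(fibs[node], cur_dst)


if __name__ == "__main__":
    print("quiet time:        ", deliver(mitigation_on=False, gre=False))
    print("incident, GRE:     ", deliver(mitigation_on=True, gre=True))
    print("incident, no GRE:  ", deliver(mitigation_on=True, gre=False))
    # Tunnel endpoint inside the redirected prefix: encapsulation alone does not help.
    print("incident, bad GRE: ", deliver(True, True, tunnel_ip=ipaddress.ip_address("203.0.113.1")))
```

The last case is the check worth carrying into a real deployment: the tunnel endpoint address on the edge must be reachable by normal routing while the customer prefix is being attracted to the scrubber, which in practice means it lives in a prefix the scrubber never announces (or is covered by a more specific that still points at the ISPs). The model ignores local preference, MED and the customer's own return path, so it only demonstrates the shape of the redirection, not any particular provider's policy.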