Internet2 Network Security SIG

["Magorian, Daniel F." <>]

Good Incapsula call today, ho being able to ask questions via audio next time 
would be lot nicer than typing them.

I've been talking to lot of DDoS vendors lately.  Wide variation in pricing 
for similar products, in some cases 2-10x.  Some have completely archaic 
pricing based on count of /24s, which in these days of NAT means you can have 
10G of traffic coming thru one address.  Or your /8 costs $55M/month.  All 
reps can do is discount heck out of it, can't change the model.  Important to 
figure out caveats to "flat rate" tiered pricing like "we ask you to upgrade" 
aka you get a bill post-facto if you don't.

Taxonomy:  Overall, although there are a lot of different service names, 
there is on-prem and off-prem scrubbing, and two kinds of off-prem scrubbing: 
 inline and bgp redirection.  Also, DDoS latency has 2 components:  
geographic, ie your inbound traffic goes elsewhere before coming to you, and 
scrubbing latency of the devices the service uses.

1) On-prem is a box like Arbor's, and some IPSes can DDoS scrub.  

Pros:

Fixed capex cost to buy it and yearly feed/maint, no costs/incident.

Better for long-duration slow attacks.

Can be used in hybrid system to signal redirection to off-prem with volume 
rise automatically.

Cons:

With big enough attack saturating lines to upstreams, on-prem can't mitigate 
that, so off-prem is necessary.


2) Off-prem inline (mostly a legacy service these days, see cons)

Pros:

Since your upstream ISPs have your traffic anyway before it gets to your 
locations, they can scrub it w/o a lot of visible plumbing to you or actions 
on your part.  However, there still might be geographic latency based on 
their internal plumbing to their scrubbers.

Cons:  

Every line or at least every ISP needs to have own scrubbing.  With 
multihoming to multiple ISPs, this becomes impractical.


3) Off-prem bgp-based redirection.  This is the current standard service.  
There's no intrinsic relationship between your upstream ISPs and the DDoS 
scrubbing service, tho some offer OEMed versions for easier 
payment/procurement.  The mechanism is that you are already bgp peered with 
the scrubbing location closest to you (to minimize geographic latency) and 
have pre-established GRE or other tunnels from that location via your normal 
ISPs back to your edge routers (multiple for diversity).  It needs to be 
tunneled so it looks like one hop to your edges and doesn't reroute some 
other path, eg in a loop back to the scrubber.  On an incident, which can be 
triggered several ways, your edge routers prepend your routes and the 
scrubber advertises your routes unprepended.  The scrubber's and their 
upstream ISPs will be in the path but should win over your prepended directs, 
so your traffic flows to them instead of directly to your edge routers, then 
they deliver it over the GRE tunnels to your edge routers.  
  
Pros:

Handles multiple ISPs and lines with one service which can be distinct from 
the ISPs

Cons:

A lot of fiddling around with turning it on and off manually or automatically 
and costs for that.  Some Fed agencies are always under attack and so leave 
it on permanently, but then pay the latency tax for that, so most places 
leave it off till needed.
You have to trust your DDoS services's lines and scrubbers are big enough 
that they won't get saturated themselves with volumetric attacks against 
multiple customers.  Everyone claims purpose-built for the latter, but 
they're usually proprietary.

Dan