Hi,
We have 4 x 10G DIAs with different providers, and we also have a direct 10G loop to a scrubbing center in Europe (via a 10G wavelenght).
We have a custom solution in place to divert inbound traffic to the scrubbing center when things get ugly, which works really really well. We can also do some filtering locally, but we are trying to improve our on premise filtering and divert less to the scrubbing center. As BGP convergency time is not ideal, and we have better peering when using all our providers.
As we host VMs we have a quite nice custom distributed filtering set on our hypervisors (really custom stuff build over time using iptables, scripts, etc, etc...) and our main firewalls. We are one of this companies that still uses huge Linux machines to router all traffic -and even detect an filter DDOS attacks- as we have quite a bit of experience an understanding of the linux network stack.
But it's really time consuming, as every time there is a new kind of attack, we need to manually sample the attack, find how to filter it -without affecting legitimate traffic- performance test the new rules, etc, etc... And it consumes plenty of time.
So, we are considering other options, to reduce the human time required to manage all this.
What would you recommend to filter small DDOS attacks locally? And what's your experience with that solution? (And if you could give us a hint about the pricing we would also appreciate it :)
Thanks!
No comments:
Post a Comment