Web Hosting Talk
View Full Version : Any software based firewall with DDoS protection?


nowisph
05-29-2004, 11:26 AM
Except Checkpoint, so we can save money on hardware?

Imago
05-29-2004, 12:10 PM
Software and hardware solutions can only mitigate (ACLs/filters) the effect of, but not prevent, a DDoS attack. FloodGuard used to be free, now one can get it for $10/mo if on the TP network.

nowisph
05-29-2004, 12:25 PM
Originally posted by Imago
Software and hardware solutions can only mitigate (ACLs/filters) the effect of, but not prevent, a DDoS attack. FloodGuard used to be free, now one can get it for $10/mo if on the TP network.

But I'm on colo, so any software solutions available?

Imago
05-29-2004, 12:29 PM
Have a look at this
http://www.netzentry.com

IRCCo Jeff
05-29-2004, 01:11 PM
You're going to need a provider that is able to handle your DDoS (perhaps ask your current provider). There are no software solutions that will effectively handle the problem as the trouble with DDoS roots back to either full out bandwidth saturation and/or the inability of your ethernet port to handle the frames.

reanncw
05-29-2004, 01:17 PM
What's the point when the packets have already reached your server.

datums
05-29-2004, 01:22 PM
There is no solution to stopping a DDoS.
As someone mentioned you should find out how your provider usually deals with DDoS. Are they proactive (monitor traffic patterns) or reactive (pull the plug) ?

sysc
05-29-2004, 02:23 PM
Software solutions are pretty much worthless when it comes to DDoS. Most hardware solutions are as well.

server4sale
05-29-2004, 02:45 PM
Flood Guard at TP won't hold bigger attacks...

nowisph
05-29-2004, 07:46 PM
Originally posted by RapidFire
What's the point when the packets have already reached your server.

By using hardware the packets still reach our servers; the firewall will only block the packets if they were detected to be malicious.

nowisph
05-29-2004, 07:54 PM
Originally posted by datums
There is no solution to stopping a DDoS.
As someone mentioned you should find out how your provider usually deals with DDoS. Are they proactive (monitor traffic patterns) or reactive (pull the plug) ?

Fortunately we did not reach a large-scale DDoS flooding our uplink yet, or the attack was not large enough as it was mitigated by our firewall. ;)

NOC will monitor the traffic and if it reaches a certain level, they will give us a call then pull our plug.

IRCCo Jeff
05-29-2004, 10:54 PM
It depends what kind of firewall you're using. Sure, if it's not robust or "smart" enough, it's not going to notice your attack. Expect to spend a cool $12,000 on a decent hardware solution (upwards to $40,000 for something a bit nicer).

nowisph
05-29-2004, 11:10 PM
DeathNova,

I wonder what kinds of hardware your company uses to mitigate DDoS attacks?

TechSolution
05-30-2004, 01:08 AM
Originally posted by server4sale
Flood Guard at TP won't hold bigger attacks...

Flood Guard provides some protection from DOS/DDOS. There's no point in stopping the packets once they've gone through your port, but if your upstream provider (The Planet in this case) will do it for you (before they reach your port), go with it. Odds are, The Planet's network could take a really, really big hit before it would go down.

IRCCo Jeff
05-30-2004, 04:03 AM
nowisph:

Right now we lease the right to use some equipment that Limelight has on their network currently in addition to some custom engineered solutions. Long term we plan on improving upon those solutions and adding an Astaro Security Linux (ASL v5) firewall appliance, which is what you would most likely want to be using. Unfortunately, it's rather cost-prohibitive (licensing runs from several hundred dollars to about $7000 depending on the amount of sessions and users (IPs)).

Bashar
05-30-2004, 05:51 AM
just wait for IPv6, I heard you can control it from the protocol itself where you won't be DDoSed etc..

not sure how accurate this info is :)

Crucial
05-30-2004, 06:28 AM
IPv6 has been out for a long time now. And it can still be DDoS'd to the point where the tunnel will die and the tunnelling provider will terminate the connection......

This is why he.net don't offer public tunnels anymore. They will only offer to their clients.

rusko
05-30-2004, 11:15 AM
ipv6 is having about as much success as the latest version of unixware at this point. and yes, there are several ddos vectors which are not influenced by ipv6, especially given the fact that most ipv6 stuff is handled in software as opposed to asic in current implementations.

paul

Netphobia
05-30-2004, 11:50 AM
rackspace offers great ddos protection

rusko
05-30-2004, 12:14 PM
how about you tell us what kind of ddos you are talking about? is it traffic-based, targeting a certain application, nailing a router, what? there are tons of ddos attack vectors and the appropriate solutions vary. if they are saturating your link, you will need to have your upstream filter the traffic. if they are syn flooding your box, something along the lines of openbsd's pf with well-tuned rules will work. if they are jackhammering apache, you will want to tune httpd.conf and run a shell script to automatically ACL the offending ips off. if they are nuking a router, your upstream will want to either stop using flow-based gear or control access to their management interfaces properly. you are not giving us enough information.

paul
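The "shell script to automatically ACL the offending ips off" that rusko describes for the Apache-hammering case, written out as an added example (this is not code from the thread or from any poster). It counts requests per client IP in an Apache access log, skips an exemption list so you do not lock out your own NOC or monitoring hosts, and prints the `pfctl -t <table> -T add` commands that would populate a pf table. The table name `badhosts`, the threshold of 5 requests and the sample log lines are all constructed for the example; the script only prints the commands, so nothing is blocked until you deliberately pipe its output into `sh`.

```shell
#!/bin/sh
# Added example, not from the thread. Finds client IPs that exceed a
# request threshold in an Apache combined-format access log and emits the
# pf table commands that would block them. Dry-run: commands are printed,
# not executed. Table name, threshold and log lines are all hypothetical.

# Constructed sample log: one client hammers the server, two behave normally.
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.10 - - [30/May/2004:11:50:01 +0000] "GET / HTTP/1.0" 200 1234
192.0.2.10 - - [30/May/2004:11:50:01 +0000] "GET / HTTP/1.0" 200 1234
198.51.100.7 - - [30/May/2004:11:50:02 +0000] "GET /index.html HTTP/1.0" 200 2048
192.0.2.10 - - [30/May/2004:11:50:02 +0000] "GET / HTTP/1.0" 200 1234
192.0.2.10 - - [30/May/2004:11:50:02 +0000] "GET / HTTP/1.0" 200 1234
203.0.113.5 - - [30/May/2004:11:50:03 +0000] "GET /about.html HTTP/1.0" 200 512
192.0.2.10 - - [30/May/2004:11:50:03 +0000] "GET / HTTP/1.0" 200 1234
198.51.100.7 - - [30/May/2004:11:50:03 +0000] "GET /logo.gif HTTP/1.0" 200 4096
192.0.2.10 - - [30/May/2004:11:50:03 +0000] "GET / HTTP/1.0" 200 1234
EOF
)

# offending_ips THRESHOLD [EXEMPT_IP ...]
# Reads log lines on stdin; prints (sorted) every client IP whose request
# count is >= THRESHOLD and that is not in the exemption list.
offending_ips() {
    t=$1
    shift
    awk -v t="$t" -v exempt="$*" '
        BEGIN {
            n = split(exempt, e, " ")
            for (i = 1; i <= n; i++) skip[e[i]] = 1
        }
        { count[$1]++ }                       # $1 is the client address
        END {
            for (ip in count)
                if (count[ip] >= t && !(ip in skip)) print ip
        }
    ' | sort
}

# block_commands TABLE
# Reads IPs on stdin; prints the pfctl command that adds each to TABLE.
# A pf.conf rule such as "block in quick from <badhosts>" would then act on
# the table (rule assumed, not shown).
block_commands() {
    table=$1
    while read -r ip; do
        [ -n "$ip" ] && printf 'pfctl -t %s -T add %s\n' "$table" "$ip"
    done
}

# Demo run on the constructed log: threshold 5, exempting a hypothetical
# monitoring host so it can never be blocked by this script.
printf '%s\n' "$SAMPLE_LOG" \
    | offending_ips 5 203.0.113.5 \
    | block_commands badhosts
```

In practice the log would come from `tail` on the live access log inside a loop or a cron job, and the threshold would be set from a baseline of normal per-client rates; the exemption list should always include the hosts your upstream uses to monitor you, since a script like this will otherwise happily block them. As rusko notes, this only helps once the packets are already on your port, so it belongs beside httpd.conf tuning, not in place of upstream filtering.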