Originally posted by Imago: Software and hardware solutions can only mitigate (ACLs/filters) the effect of, but not prevent, a DDoS attack. FloodGuard used to be free; now one can get it for $10/mo if on the TP network.
But I'm on colo, so are there any software solutions available?
You're going to need a provider that is able to handle your DDoS (perhaps ask your current provider). There are no software solutions that will effectively handle the problem, as the trouble with DDoS roots back to either full-out bandwidth saturation and/or the inability of your Ethernet port to handle the frames.
Originally posted by datums: There is no solution to stopping a DDoS.
As someone mentioned, you should find out how your provider usually deals with DDoS. Are they proactive (monitor traffic patterns) or reactive (pull the plug)?
Fortunately we have not yet had a large-scale DDoS flooding our uplink, or the attack was not large enough, as it was mitigated by our firewall.
The NOC will monitor the traffic and, if it reaches a certain level, they will give us a call and then pull our plug.
It depends what kind of firewall you're using. Sure, if it's not robust or "smart" enough, it's not going to notice your attack. Expect to spend a cool $12,000 on a decent hardware solution (upwards of $40,000 for something a bit nicer).
Originally posted by server4sale: Flood Guard at TP won't hold bigger attacks...
Flood Guard provides some protection from DoS/DDoS. There's no point in stopping the packets once they've gone through your port, but if your upstream provider (The Planet in this case) will do it for you (before they reach your port), go with it. Odds are The Planet's network could take a really, really big hit before it would go down.
Right now we lease the right to use some equipment that Limelight has on their network, in addition to some custom-engineered solutions. Long term we plan on improving upon those solutions and adding an Astaro Security Linux (ASL v5) firewall appliance, which is what you would most likely want to be using. Unfortunately, it's rather cost-prohibitive (licensing runs from several hundred dollars to about $7,000, depending on the number of sessions and users (IPs)).
IPv6 is having about as much success as the latest version of UnixWare at this point. And yes, there are several DDoS vectors which are not influenced by IPv6, especially given the fact that most IPv6 stuff is handled in software as opposed to ASICs in current implementations.
How about you tell us what kind of DDoS you are talking about? Is it traffic-based, targeting a certain application, nailing a router, what? There are tons of DDoS attack vectors and the appropriate solutions vary. If they are saturating your link, you will need to have your upstream filter the traffic. If they are SYN flooding your box, something along the lines of OpenBSD's pf with well-tuned rules will work. If they are jackhammering Apache, you will want to tune httpd.conf and run a shell script to automatically ACL the offending IPs off. If they are nuking a router, your upstream will want to either stop using flow-based gear or control access to their management interfaces properly. You are not giving us enough information.
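The "shell script to automatically ACL the offending IPs off" mentioned in the post above, as an added example that is not code posted by anyone in this thread: it counts hits per client address in Apache access-log lines, skips a whitelist, and prints the pf (or iptables) command that would drop each address over a threshold. The threshold, the whitelist, the pf table name `ddos` and the sample log lines are all assumptions constructed for the example; the script runs offline against that constructed log and only prints the firewall commands, so you can review them before piping the output to `sh`.

```shell
#!/bin/sh
# Added example for this thread, not a participant's code. Scans an Apache
# access log, finds client IPs over a hit threshold and prints the firewall
# command that would block each one. Threshold, whitelist, table name and the
# sample log below are assumptions chosen for the example.
#
# pf side (assumed pf.conf lines the generated commands rely on):
#   table <ddos> persist
#   block in quick from <ddos>

THRESHOLD=${THRESHOLD:-20}                      # hits before an IP is blocked
WHITELIST=${WHITELIST:-"127.0.0.1 192.0.2.1"}   # assumed admin/monitoring hosts, never blocked
PF_TABLE=${PF_TABLE:-ddos}                      # assumed pf table referenced by the block rule

# Write a constructed sample log (Apache combined format) to a temp file and
# print its path. 10.0.0.9 hammers one URL; 192.0.2.1 is a whitelisted monitor
# that also exceeds the threshold and must not be blocked.
make_sample_log() {
    f=$(mktemp) || return 1
    {
        i=0
        while [ "$i" -lt 25 ]; do
            echo '10.0.0.9 - - [10/Mar/2005:12:00:01 +0000] "GET /index.php HTTP/1.0" 200 512 "-" "-"'
            i=$((i + 1))
        done
        echo '198.51.100.7 - - [10/Mar/2005:12:00:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
        echo '203.0.113.5 - - [10/Mar/2005:12:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'
        echo '198.51.100.7 - - [10/Mar/2005:12:00:04 +0000] "GET /contact.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
        i=0
        while [ "$i" -lt 25 ]; do
            echo '192.0.2.1 - - [10/Mar/2005:12:00:05 +0000] "GET /status HTTP/1.0" 200 64 "-" "monitor"'
            i=$((i + 1))
        done
    } > "$f"
    echo "$f"
}

# Accept only a dotted-quad IPv4 address. The log field is attacker-influenced
# (a custom LogFormat or forwarded header can put arbitrary text there), so it
# is never spliced into a firewall command without this check.
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i == "" || $i + 0 > 255) exit 1 }'
}

# Print, one per line, client IPs with more than $2 hits in log file $1,
# skipping the space-separated whitelist in $3.
offending_ips() {
    awk -v t="$2" -v wl="$3" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
        { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > t && !(ip in skip)) print ip }
    ' "$1" | LC_ALL=C sort
}

# Print the command that would drop one address (pf table add or iptables DROP).
block_cmd() {
    is_ipv4 "$1" || { echo "refusing to block malformed address: $1" >&2; return 1; }
    case "${FIREWALL:-pf}" in
        pf)       echo "pfctl -t $PF_TABLE -T add $1" ;;
        iptables) echo "iptables -I INPUT -s $1 -j DROP" ;;
        *)        echo "unknown FIREWALL=$FIREWALL" >&2; return 1 ;;
    esac
}

# Scan a log and print one block command per offender; pipe to sh to apply.
acl_offenders() {
    offending_ips "$1" "$THRESHOLD" "$WHITELIST" | while read -r ip; do
        block_cmd "$ip"
    done
}

# Stand-alone demo against the constructed sample log.
log=$(make_sample_log)
acl_offenders "$log"
rm -f "$log"
```

Run it from cron every minute against the current log (or feed it `tail -n 5000 access_log`) and pipe the output to `sh` once the commands look right; expire table entries again with `pfctl -t ddos -T expire` or a matching `iptables -D` so a proxy or NAT gateway that briefly looks hostile is not blocked forever. This only keeps Apache alive: as the thread says, the packets have already crossed your port, so if the attack saturates the link only the upstream can help.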