  1. #1

    Question Anti-DDoS Hardware Solutions

    Hi there,

    I've got a few servers in a rack at Redbus Interhouse II (UK), but they're getting DDoSed.

    I'm looking into hardware that can help stop the problem - the servers are all configured, APF for example with AntiDOS, etc.


    Anyone had any experience with hardware AntiDDoS/security/firewall products, and any recommendations?



    Cheers!

  2. #2
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    I've always been a fan of Astaro for a more affordable solution. You should also check http://www.dos-attacks.com for some other recommendations.

  3. #3
    Thanks, the site's really useful and Astaro looks like a very good solution.

    Many thanks!

  4. #4
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    Top Layer, Captus, CiscoGuard, Arbor Networks, Mazu Networks, Prolexic, Juniper, Foundry are all good bets.

    Others that can also be included in this list are tipping point and fortinet.
    "I drink too much. The last time I gave a urine sample it had an olive in it. ".
    Rodney Dangerfield (from "I Get No Respect!").

  5. #5
    Join Date
    Feb 2004
    Location
    Louisville, Kentucky
    Posts
    1,083
    Originally posted by Babushka99
    Top Layer, Captus, CiscoGuard, Arbor Networks, Mazu Networks, Prolexic, Juniper, Foundry are all good bets.
    I wouldn't call all these "good bets." DDoS-oriented products from the above vendors that I've used and am familiar with all have their advantages and disadvantages. It's a complex and expensive problem to solve.

    I think the best piece of advice that can be given with respect to DDoS mitigation products is do not pay for anything before you have it in production and are satisfied with the results. Don't trust the sales people, and don't write any checks until you think you're as happy as you're going to (or can afford to) get with your solution.
    Jeff at Innovative Network Concepts / 212-981-0607 x8579 / AIM: jeffsw6
    Expert IP network consultation and operation at affordable rates
    95th Percentile Explained Rate-Limiting on Cisco IOS switches

  6. #6
    Join Date
    Feb 2004
    Posts
    390
    Prolexic is not hardware, it's a service. If you want to go that route there's also ddosprotection.com, Dyad Security, etc.

  7. #7
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    Originally posted by jsw6
    I wouldn't call all these "good bets." DDoS-oriented products from the above vendors that I've used and am familiar with all have their advantages and disadvantages. It's a complex and expensive problem to solve.
    I beg to differ. If they (above) are not good bets - then I don't know what are! ...unless you have names for other alternatives for anti-DDoS security gear. The above list would probably constitute about 98% of the anti-DoS market segment.

    From a pure Hardware perspective, a mix or even standalone of the above companies gear will VERY adequately protect you against DoS/DDoS.

    It may be a complex or expensive to solve it - but in many many instances it is solvable!

    Faisal

  8. #8
    Riverguard,I heard it's good.

  9. #9
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    Riverguard is now CiscoGuard; it works best with Arbor's PeakFlow SP or CP to detect traffic anomalies and then mitigate them.

  10. #10
    Join Date
    Dec 2004
    Posts
    256
    yes, but he says he's got "a few servers at redbus". I think he's looking for something cost effective. Ciscoguard + peakflow will probably cost him more than his house.

    I'm surprised nobody has come out with a software based solution (well, technically these are all software), but a freeware/software based solution? I.e., an open source project.

  11. #11
    Join Date
    Dec 2002
    Location
    California
    Posts
    2,005
    Originally posted by seraph1
    yes, but he says he's got "a few servers at redbus". I think he's looking for something cost effective. Ciscoguard + peakflow will probably cost him more than his house.

    I'm surprised nobody has come out with a software based solution (well, technically these are all software), but a freeware/software based solution? I.e., an open source project.
    Anti DDOS is a big money maker right now. There's lots of money to be made, so I doubt we'll see a free solution any time soon.
    I wish all my traffic went through AS174.

  12. #12
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    You might not see a free solution anytime in the immediate future that allows server based, IP based or IP block based settings that customers can set themselves. However, you will see an emerging market whereby a data-center would probably employ the same on its entire network and provide some form of overall protection, and with an added (but small/affordable) cost be able to implement filters and mitigation techniques for its clients.

    Just FYI, most DC level solutions would prolly run between $10,000-$20,000 per month on lease; compare that with, say, Prolexic's rates that offer a 2MB clean pipe for US$ 5000/month. End users, if they lease such equipment, would probably run between US$5,000-$7,500/month.

    I think you will also see a mushroom growth of reverse-proxy based solutions to counter ddos. Whereby the incoming requests go to DDoS mitigation equipment, onto a RP server and then towards the actual source server.

    The market is definitely evolving.

  13. #13
    Join Date
    Dec 2004
    Posts
    256
    So I've always wondered then, is say, plopping a netscreen 500 into the network going to be enough, as long as the attack is < gigabit worth of traffic?

  14. #14
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    There is a lot you can do with a Netscreen device. Bandwidth is just ONE of the many components in a DoS/DDoS attack you have to look for; the other two equally important ones are the incoming PPS (Packets Per Second) and what sort of handling your router is doing on these packets, and last but not least, all-time important is the setup rate - the number of sessions made in one second. Concurrent sessions is also another important variable/factor that comes into play.

    If the incoming setup rate is HIGHER than your firewall/IPS, etc. can take, even though the bandwidth utilization may be 100Mbps, it will bring your network down to its knees.

  15. #15
    Join Date
    Apr 2004
    Location
    London
    Posts
    390
    ixforres,

    Do you mind me asking who you currently host with?

    If your servers are being hit and your host isn't coping adequately with it you may wish to consider moving to someone who offers a more tailored service for this sort of thing.

    One of our upstreams, Kewlio.net, are rather stunning at coping with attacks and I'll personally vouch for their expertise in network management.

    Feel free to give me a shout if you have any questions about them.

    Kind regards,
    Kris
    Kris - nitrohosting.net
    Premium Dell Windows/Linux dedicated servers in London
    Great value shared hosting & ADSL.
    PM/Email for no-obligation quotes.

  16. #16
    Join Date
    Nov 2002
    Location
    Chicago IL
    Posts
    885
    Originally posted by seraph1
    yes, but he says he's got "a few servers at redbus". I think he's looking for something cost effective. Ciscoguard + peakflow will probably cost him more than his house.

    I'm surprised nobody has come out with a software based solution (well, technically these are all software), but a freeware/software based solution? I.e., an open source project.
    IPTABLES and OpenBSD's PF are both open source and both can be used to stop attacks, depending on the modules you use.

    A PC based software solution can only go so far; the problem is with the hardware. Generic PC hardware cannot handle large amounts of PPS; all of the commercial devices that are worth it have ASICs programmed to handle specific functions, which makes them able to handle large amounts of PPS.
    Last edited by ameen; 08-10-2005 at 01:53 PM.
    GigeNET
    Dedicated Servers + Cloud Servers + Colocation + DDOS Protection + IP Transit with FCP optimized routing
    Locations in Chicago Los Angeles and Ashburn

  17. #17
    Join Date
    Nov 2002
    Location
    Chicago IL
    Posts
    885
    Originally posted by seraph1
    So I've always wondered then, is say, plopping a netscreen 500 into the network going to be enough, as long as the attack is < gigabit worth of traffic?
    With attacks it is the amount of packets per second that the attack is generating which is important, then the size. If you have a gig pipe and an attack is 500mb/s you're fine there, but if it's 500k-600k pps you're going to have issues if your routers cannot handle it and if your firewall can't handle it.
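    Posts #14 and #17 above make the same point: setup rate and packets per second, not raw bandwidth, usually decide whether an inline firewall survives. The following is an added example, not code from this thread or any vendor: it parses constructed per-second counter samples (as an edge router or probe might export them) and reports which capacity dimension of a hypothetical appliance profile is exceeded in each second; the capacity figures and the log format are assumptions for illustration only.

```python
import re
from dataclasses import dataclass


# Hypothetical capacity profile for an inline firewall/IPS. The numbers are
# constructed for illustration and are not any vendor's datasheet figures.
@dataclass(frozen=True)
class ApplianceProfile:
    name: str
    max_mbps: float       # forwarding bandwidth
    max_pps: int          # packets per second the data path can sustain
    max_setup_rate: int   # new sessions (SYNs) per second
    max_sessions: int     # concurrent session table size


# Constructed per-second counter samples (assumed export format, not a real probe's).
SAMPLE_LOG = """\
2005-08-10T13:50:00 pkts=12000 bytes=9600000 syn=400 sessions=6000
2005-08-10T13:50:01 pkts=90000 bytes=5400000 syn=85000 sessions=64000
2005-08-10T13:50:02 pkts=650000 bytes=40000000 syn=600000 sessions=300000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pkts=(?P<pkts>\d+) bytes=(?P<bytes>\d+) "
    r"syn=(?P<syn>\d+) sessions=(?P<sessions>\d+)$"
)


def parse_samples(text):
    """Turn counter lines into per-second rate records; malformed lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        samples.append({
            "ts": d["ts"],
            "mbps": int(d["bytes"]) * 8 / 1_000_000,  # bytes/s -> megabits/s
            "pps": int(d["pkts"]),
            "setup_rate": int(d["syn"]),              # SYNs/s approximates new sessions/s
            "sessions": int(d["sessions"]),
        })
    return samples


def saturated_dimensions(sample, profile):
    """List the dimensions in which this one-second sample exceeds the appliance's capacity."""
    checks = (
        ("bandwidth", sample["mbps"], profile.max_mbps),
        ("pps", sample["pps"], profile.max_pps),
        ("setup_rate", sample["setup_rate"], profile.max_setup_rate),
        ("sessions", sample["sessions"], profile.max_sessions),
    )
    return [name for name, observed, limit in checks if observed > limit]


def assess(text, profile):
    """Map each timestamp to the dimensions that would overwhelm the appliance."""
    return {s["ts"]: saturated_dimensions(s, profile) for s in parse_samples(text)}


if __name__ == "__main__":
    profile = ApplianceProfile("hypothetical-1G-firewall", 1000.0, 400_000, 30_000, 128_000)
    for ts, dims in assess(SAMPLE_LOG, profile).items():
        print(ts, "OK" if not dims else "overload on: " + ", ".join(dims))
```

    The second sample is the case post #14 describes: only about 43 Mbps of traffic, well under the link's bandwidth, but a SYN rate far above what the session setup path can absorb.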

  18. #18
    Join Date
    Nov 2002
    Location
    Chicago IL
    Posts
    885
    Originally posted by jsw6
    I wouldn't call all these "good bets." DDoS-oriented products from the above vendors that I've used and am familiar with all have their advantages and disadvantages. It's a complex and expensive problem to solve.

    I think the best piece of advice that can be given with respect to DDoS mitigation products is do not pay for anything before you have it in production and are satisfied with the results. Don't trust the sales people, and don't write any checks until you think you're as happy as you're going to (or can afford to) get with your solution.
    Could not agree more; this has been our situation with a certain vendor for about a year. There are so many different attacks and anomalies that even if they let you put it in production for, say, 60 days, after about 6 months of random attacks you're going to find a bug, going to find a hole, some misrepresentations in performance.

  19. #19
    Join Date
    Dec 2004
    Posts
    256
    Originally posted by ameen
    IPTABLES and OpenBSD's PF are both open source and both can be used to stop attacks, depending on the modules you use.

    A PC based software solution can only go so far; the problem is with the hardware. Generic PC hardware cannot handle large amounts of PPS; all of the commercial devices that are worth it have ASICs programmed to handle specific functions, which makes them able to handle large amounts of PPS.
    have any links to these modules?

    And AFAIK, some guys experimenting with FBSD got it to route more packets than Cisco's top of the line router (at the time, last year) with nothing more than a Xeon box and a PCI-X gigabit ethernet card (the system was running a modified version of FBSD). Granted, I don't know that it was doing SPI, but it was definitely routing at line speed.

  20. #20
    Join Date
    Apr 2004
    Location
    London
    Posts
    390
    The big hoo-hah at that time was with the release of the new network stack in FreeBSD 5.3 which was demo'd routing 1mpps.

    Google for ipfastforward if you are interested in more info.

    EDIT: Just found a link to the paper:

    http://people.freebsd.org/~andre/Fre...Networking.pdf

    Kind regards,
    Kris

  21. #21
    You're referring to PacketOS, from TowardEX Technologies. James Jung is on the board here from time to time. He's very well informed about PC based routers.

  22. #22
    Join Date
    Nov 2002
    Location
    Chicago IL
    Posts
    885
    Originally posted by nitrohosting
    The big hoo-hah at that time was with the release of the new network stack in FreeBSD 5.3 which was demo'd routing 1mpps.

    Google for ipfastforward if you are interested in more info.

    EDIT: Just found a link to the paper:

    http://people.freebsd.org/~andre/Fre...Networking.pdf

    Kind regards,
    Kris
    Yeah, it has come a long way in 5.x with the network stack; 1mpps is a leap in the amount PC routers have done in the past, but nowhere near the capacity a Juniper or high-end Cisco can do. Load up the routing tables with full routes from a few providers and you'll most likely see a big hit on performance on the 1mpps.

    Also, an SMP box will decrease performance as far as packet forwarding goes.

    A lot of the commercial DDoS protection devices are based off either BSD or Linux, and they are coupled with programmed ASICs. A PC CPU is meant for general purpose use. Better written drivers for the cards, smarter forwarding engines and hardware polling will increase the performance, but there will always be the IRQ problem.

    If people are actually going to believe you're going to get better efficiency and better performance from an x86 box than an ASIC (Application-Specific Integrated Circuit) specifically designed to do one thing - route packets - then you obviously do not know what you're talking about.

    Seraph1, one example is OpenBSD's synproxy built into PF, to answer your question; if you'd like more examples I'm sure Google will be of great assistance.

    We use a lot of in-house x86 based stuff; they do work and I'm in no way downplaying the usefulness and cost effectiveness of it. But if you have the $ to purchase hardware designed specifically for one task then you'd be dumb not to, especially if one of them can replace a cluster of 6 software routers and outperform it by 3-4x.
    Last edited by ameen; 08-11-2005 at 03:12 AM.

  23. #23
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    Has anyone used the XSentry Trustix firewall, and will this prevent DDoS attacks?

    http://xsentry.trustix.com/
    ColoInSeattle - From 1U to cage space colocation in Seattle
    ServerStadium - Affordable Dedicated Servers
    Come visit our 18k sq ft. facility in Seattle!
    Managed Private Cloud | Colocation | Disaster Recovery | Dedicated Servers

  24. #24
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    We personally tried this appliance - about a year or so back. Wasn't all that it claimed. I believe Tolly Group even had a comparison of this with other OEMs, but I can't be 100% sure if the report was done by Tolly Group or someone else. The "external" attack threat mitigation leaves a lot to be desired. But like I said, this was a year ago and in our unique environment; your mileage could very well vary!

  25. #25
    Join Date
    Jul 2002
    Location
    Florida
    Posts
    285
    Just started using Arbor Peakflow tonight and it's everything it's cracked up to be and more. However, the $130k price tag may be a bit much for most. It's really a network-wide solution, not a server firewall.
    Mark

  26. #26
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    XiON, which Arbor solution are you working with? TR or CP? Arbor essentially needs a mitigator to work with best, like Cisco's RiverGuard, etc. By itself, Arbor probably does the best job of detecting traffic anomalies and recommending the filter action to be implemented.

  27. #27
    Originally posted by mj4589
    Prolexic is not hardware, it's a service. If you want to go that route there's also ddosprotection.com, Dyad Security, etc.

    FYI, Dyad Security is also a reseller of Prolexic.

  28. #28
    Originally posted by Babushka99
    Top Layer, Captus, CiscoGuard, Arbor Networks, Mazu Networks, Prolexic, Juniper, Foundry are all good bets.

    Others that can also be included in this list are tipping point and fortinet.

    Please also note that the list above is a combination of products (hardware designed for the datacentre, and not always for an individual/company with several servers) and services, which are very different. 'Products' are normally designed to handle a specific task, or are especially good at one function (e.g. Top Layer -> SYN flood). Services typically implement several of the 'products' to provide a multi-layered solution (e.g. SYN flood, GET flood and more) and add other features such as content caching, content distribution, TCP connection acceleration etc.

    Unless properly implemented and managed, 'products' on their own may not resolve your DoS issue completely, and may not be effective at all if located in the wrong place.

    I'm not dismissing any products here - all have their place when implemented correctly.

    And finally, as mentioned elsewhere in this thread, the dos-attacks website is a great independent review of most DDoS stuff (great new design, btw, Faisal!)

  29. #29
    Join Date
    Apr 2004
    Location
    SF Bay Area
    Posts
    877
    Originally posted by Babushka99
    Top Layer, Captus, CiscoGuard, Arbor Networks, Mazu Networks, Prolexic, Juniper, Foundry are all good bets.

    Others that can also be included in this list are tipping point and fortinet.
    I don't want to speak out of turn here but I believe Captus has long been out of business. Their web site is still up, but that's about all you can say for them. Their office was once relatively local to me and it was shuttered at least 1.5-2 years ago after they blew through their last round of funding.

  30. #30
    Join Date
    Aug 2004
    Location
    Karachi, Pakistan
    Posts
    747
    You know - I have a mute viewpoint, but a viewpoint nonetheless.

    For "most" people who are experiencing DoS/DDoS attacks, even a Netscreen 25/50 appliance will take care of it - I'm talking where the setup rates are low, and not going over 8-10Mbps (95th percentile).

    For others - for example host providers (not data centers, let's not go there yet), the problem becomes a little complex. Implementing an out-of-the-box solution requires constant fine-tuning. Tune it wrong and you could very well start affecting other websites hosted on your small server farm. Tune it less generously, and the spill-over effect from the DoS'd site starts to hamper network access to other users. Most of these devices work GREAT if you have a small server farm, or a few websites, but it may not be very economical trying to implement them.

    Bring in the equation of a data-center and you most often run into trouble. It is this "trouble" that very few providers can fine-tune and optimize (folks like GigeServer and Staminus have done).

    Devices like TopLayer and Mazu run into trouble because of their limited address space; TopLayer for example can only address 64 named clients - if you have a couple of hundred servers, addressing policies on a TL box can be a daunting task.

    Thus many people find it easier to opt for hosts that offer vanilla coverage for DoS/DDoS protection, or opt for companies like Prolexic or GiGe/Staminus as the costs are much lower. I guess it all depends on your attack traffic, your revenue streams and what the client means to you.

    Faisal