Many members here work in production environments and this question is for you. What are you using for DDOS prevention/protection for your public-facing web servers? Open source or commercial. Checkpoint is just not cutting it and we are urgently looking for reasonable alternatives.
Edit: looks like Dragon IPS might be the ticket!
A separate external hardware-based firewall appliance?
I work as a security engineer at a decent sized unmanaged hosting provider with 8 data centers and approximately 50,000 servers, so I handle a good amount of the Checkpoint configurations for a majority of our clients (somewhere around 1100). First let me say I really like Checkpoint, but at the same time I do understand your problem. I am guessing you're using one of the smaller solutions like an X16 or a XU. For starters, a firewall is in no way an answer for DDoS attacks. And any firewall, if you hit it with enough traffic, even traffic it is rejecting or dropping, will eventually be crippled. That being said, from what I have seen Checkpoint can in no way live up to the numbers that it says it is capable of. At the same time, though, let me say I don't know your situation, every situation is different, and quite possibly there is a better solution than taking this on yourself. At my work we offer the Cisco Guard XT 5650 DDoS Mitigation Appliance from Cisco Systems, Tipping Point, Arbor Peakflow, Real Secure Sensors and a host of other solutions to provide the DoS and intrusion detection and mitigation solutions.
I always found this to be an interesting subject. Not the DDoS itself but the prevention measures and what to do when you come under attack. It seems like a difficult task to become invulnerable to such an attack.
You're right, and to be honest the only real answer is bigger servers with more RAM. And maybe backbone blocking from your edge provider if you can narrow down the attack to a certain region that you don't really need to allow access to your sites. Every situation is truly different.
I agree with you codak, there are few solutions...
Are you aware of Cisco Guard?
If not, you may be interested...
Yep, that's actually exactly what we use.
I've never seen that pdf though. That will be useful for work. Thank you
I refrained from saying where I worked so as to not make Checkpoint upset. I do like their firewalls, but they offer little in the way of stopping a full-scale DDoS attack and typically end up being the first single point of failure in this type of situation.
I should have mentioned that we do have Cisco Guard in place. It's just everything's so manual when it comes to a DDoS attack, and I've seen all kinds, from port 80 attacks using DNS packets at 1500 to heavy UDP floods at very minute packet sizes all coming from the same net block (which makes it so much easier to block).
Manually applying filters in Guard dropped traffic from 1Gbps to 30Mbps. But it's all a manual venture that somehow always seems to start right as you're trying to leave for the day.
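The last two posts describe the triage that gets done by hand during an attack: spotting that a UDP flood of very small packets is coming from one net block, then writing a filter for that block. The script below is an added example, not code from the thread or from any of the products named in it. It runs that first step over constructed flow-summary records (the field names `src`, `proto`, `dport`, `packets`, `bytes` are assumptions, loosely modelled on NetFlow-style summaries), aggregates traffic by source /24, and flags blocks whose packet rate is high while the average packet size is tiny, which is the signature the poster describes. The thresholds are illustrative and would be tuned against a site's own baseline.

```python
"""Flag UDP floods of tiny packets concentrated in one source netblock.

Added example for the thread above (not from Cisco Guard, Checkpoint or any
other product). Input is a list of constructed flow-summary dicts; the keys
and thresholds are assumptions chosen to illustrate the triage step.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow summaries covering one 60-second window.
SAMPLE_FLOWS = [
    # Legitimate web traffic: TCP, normal packet sizes, low rates.
    {"src": "198.51.100.10", "proto": "tcp", "dport": 80,
     "packets": 1200, "bytes": 960_000},
    {"src": "198.51.100.23", "proto": "tcp", "dport": 443,
     "packets": 800, "bytes": 720_000},
    # Flood: many 64-byte UDP packets from several hosts in one /24.
    {"src": "203.0.113.5", "proto": "udp", "dport": 80,
     "packets": 3_000_000, "bytes": 192_000_000},
    {"src": "203.0.113.77", "proto": "udp", "dport": 80,
     "packets": 2_400_000, "bytes": 153_600_000},
    {"src": "203.0.113.140", "proto": "udp", "dport": 53,
     "packets": 1_800_000, "bytes": 115_200_000},
]


def netblock_of(ip: str, prefix_len: int = 24) -> str:
    """Return the enclosing prefix (e.g. '203.0.113.0/24') for an address."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def aggregate_udp_by_netblock(flows, prefix_len: int = 24):
    """Sum UDP packets and bytes per source netblock; TCP flows are ignored."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for flow in flows:
        if flow["proto"].lower() != "udp":
            continue
        block = netblock_of(flow["src"], prefix_len)
        totals[block]["packets"] += flow["packets"]
        totals[block]["bytes"] += flow["bytes"]
    return dict(totals)


def find_flood_sources(flows, window_seconds: int,
                       min_pps: float = 10_000.0,
                       max_avg_bytes: float = 128.0,
                       prefix_len: int = 24):
    """Return (netblock, packets_per_second, avg_bytes_per_packet) for every
    source netblock whose UDP rate exceeds min_pps while its average packet
    size stays under max_avg_bytes. Sorted by packet rate, highest first."""
    findings = []
    for block, t in aggregate_udp_by_netblock(flows, prefix_len).items():
        if t["packets"] == 0:
            continue
        pps = t["packets"] / window_seconds
        avg_bytes = t["bytes"] / t["packets"]
        if pps >= min_pps and avg_bytes <= max_avg_bytes:
            findings.append((block, round(pps, 1), round(avg_bytes, 1)))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


def mitigation_candidates(findings):
    """Turn findings into human-readable filter candidates for review.
    The wording is generic on purpose: the actual ACL or rate-limit syntax
    depends on the router or scrubbing appliance in front of the servers."""
    return [f"rate-limit udp from {block} ({pps:.0f} pps, avg {avg:.0f} B/pkt)"
            for block, pps, avg in findings]


if __name__ == "__main__":
    hits = find_flood_sources(SAMPLE_FLOWS, window_seconds=60)
    for line in mitigation_candidates(hits):
        print(line)
```

Run stand-alone it prints one candidate filter for `203.0.113.0/24`, while the legitimate `198.51.100.0/24` traffic is never considered because it is TCP and low rate. Aggregating on a /24 rather than on individual hosts is what makes a distributed source that shares a net block stand out, which is the property the poster found made the flood easy to block once identified; the same function with `prefix_len=32` would look at single hosts instead.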