nanog mailing list archives

RE: DDOS - How much is "too much"?


From: "Fouant, Stefan" <Stefan.Fouant () neustar biz>
Date: Wed, 17 Dec 2008 14:40:34 -0500

-----Original Message-----
From: Tuc at T-B-O-H [mailto:ml () t-b-o-h net]
Subject: DDOS - How much is "too much"?

Maybe I've been out of the running my larger Managed Server
Hosting Company too long, but wasn't the "non-elegant" solutions
something ISPs just "did"? Was it only DoS, and when it comes to
DDoS they tell you it's just too much to handle. And blocking how many
netblocks does an ISP consider "too many" before it tells the client
there is only so much it can do for them? Do people tell/give clients

In my experience developing DDoS Mitigation and Detection products for
Verizon, I believe the typical scenario is that most Service Providers
will implement ACLs or rate-limits on their edge and/or implement some
form of Real-Time Blackhole routing for small DoS attacks in which the
number of sources is fairly small.  I'm not sure there is a particular
"number" that ISPs would consider "too many" before it suggests moving
to a more purpose-built solution, but the general rule of thumb is that
if there are a large number of distributed sources and if source-address
spoofing is employed, it's much akin to hitting a moving target and the
above-mentioned techniques will largely be ineffective.  Furthermore,
filtering techniques such as this may have the unintended consequence of
causing a denial of legitimate service.

3 against, and what I felt was a fair market value for this. I just need
to know if people still did that type of stuff for each other or if
everything costs nowadays....

Yep, pretty much everything costs nowadays.  With IP being the commodity
that it is, Service Providers are continually looking at every angle to
monetize the network and the services they offer.

Stefan Fouant: NeuStar, Inc.
Principal Network Engineer 
46000 Center Oak Plaza Sterling, VA 20166
[ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant () neustar biz [ W ] www.neustar.biz

