@jfryman

jfryman/ddos.md

Created Dec 1, 2014
One thing I wanted to ask, given your experience in DDoS attacks. We are putting in place a DDoS mitigation strategy and finding a wide variability in pricing from different vendors.

Near as I can tell, the difference between the low end like CloudFlare's $200/mth plan and the $5K-$10K/mth vendors like Prolexic is the support offered for a layer 7 attack. Is that a reasonable summary?

It seems like all vendors offer a reasonable level of layer 3-4 filtering but that if there's a layer 7 attack the high end vendors have the sophisticated tools and methodology to help the customer figure out how to mitigate the attack.

If this perspective is reasonable, how susceptible do you think a product like XXX is to a layer 7 attack? I'd hate to buy insurance we don't really need.

The difference is a lot in integration. CloudFlare is only really a CDN at the heart of it, so what you're paying for is that with some DDoS stuff built in. If an attacker gets wind of this, and finds out your origin and decides to come at you that way... you'll be back in the same boat. So, if you only have HTTP/HTTPS traffic, then CloudFlare will actually get you most of the way.

Prolexic on the other hand is a full network scrub. They actually take all of your global traffic and assume control of your ASN via BGP, scrub all of the traffic with their kit, and backhaul it to you over a GRE tunnel. The integration here is much deeper at a network level, so you can protect non-HTTP traffic. At YYY, we also had to protect our SSH/git ports on top of our HTTPS traffic, so having something that operated at a deeper network level was a must for us. If you're doing anything more than HTTP/HTTPS, you'll probably need this too.

A quick note on L7... there is really only one company competing in this space (today) and that's RadWare. They're an on-prem solution, and do some interesting tricks to actually clean L7 as opposed to doing Challenge/Response tarpitting (effective, but not really L7 protection from CloudFlare). That being said, I had two really long conversations with the folks who implemented DDoS protection at Twitter and eTrade and they both told me it's early for L7... for both the attacker and the protector. As long as the targets they're able to extract $$ from are vulnerable to L3/L4 attacks... why would they step up the stack? Both groups have RadWare as a L7 cleaner, but ultimately fall back to Prolexic when the big volumetric attacks come their way.

Both of these folks are going to offer you what you really need... the ability to be a tank in terms of network consumption that will not clog your own pipes. That's the real killer.

I'm not going to recommend you one way or the other, but I hope this is some good data. DDoSes suck - just flat out. Make sure you have something today that will cover you through L4, and keep an eye on the space. It'll be soon that L7 will be a necessity, but today it's optional.
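The origin-exposure caveat above (a CDN-fronted site is "back in the same boat" once an attacker reaches the origin directly) has a concrete defender-side check: the origin should only ever see traffic arriving from the provider's edge ranges, and anything else in the access log is evidence the origin is reachable around the CDN. The script below is an added example written for this note, not jfryman's code and not any vendor's tooling; the edge ranges and the log lines are constructed placeholder values (RFC 5737 / RFC 3849 documentation addresses), and a real deployment would substitute the provider's published range list.

```python
import ipaddress
import re
from collections import Counter

# Constructed edge ranges standing in for a CDN / scrubbing provider's published list.
# Assumption: in production these come from the provider, not from a hard-coded list.
CDN_EDGE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:100::/48")
]

# Constructed Common Log Format lines as an origin web server would write them.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.22 - - [01/Dec/2014:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
192.0.2.44 - - [01/Dec/2014:10:00:03 +0000] "GET /search?q=a HTTP/1.1" 200 2048
192.0.2.44 - - [01/Dec/2014:10:00:03 +0000] "GET /search?q=b HTTP/1.1" 200 2048
2001:db8:100::5 - - [01/Dec/2014:10:00:04 +0000] "GET /api HTTP/1.1" 200 100
2001:db8:bad::1 - - [01/Dec/2014:10:00:05 +0000] "POST /api HTTP/1.1" 200 100
"""

# source ip, request method, request path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_from_edge(src_ip, edge_ranges=CDN_EDGE_RANGES):
    """True when src_ip falls inside one of the provider's edge prefixes."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in edge_ranges)


def parse_line(line):
    """Return (ip, method, path, status) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def find_direct_origin_hits(log_text, edge_ranges=CDN_EDGE_RANGES):
    """Every parsed request whose source is NOT a provider edge: the origin was reached directly."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not treated as safe
        ip, method, path, status = parsed
        if not is_from_edge(ip, edge_ranges):
            hits.append({"ip": ip, "method": method, "path": path, "status": status})
    return hits


def summarize_by_source(hits):
    """Count direct-to-origin requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


def allowlist_rules(edge_ranges=CDN_EDGE_RANGES, ports=(80, 443)):
    """Host-firewall rules (iptables/ip6tables syntax) that admit only the edge ranges
    on the web ports, followed by a drop for everything else on those ports.
    Emitted as text for review; nothing here executes on the host."""
    rules = []
    for port in ports:
        for net in edge_ranges:
            tool = "ip6tables" if net.version == 6 else "iptables"
            rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    direct = find_direct_origin_hits(SAMPLE_LOG)
    for ip, count in summarize_by_source(direct).items():
        print(f"origin reached directly from {ip}: {count} request(s)")
    print("\n".join(allowlist_rules()))
```

Any non-empty result from `find_direct_origin_hits` on a CDN-fronted origin means the bypass the note warns about is already possible, and the emitted allowlist is the usual fix; the same check applies unchanged to the Prolexic-style setup, where the only legitimate ingress is the GRE tunnel endpoint rather than a CDN edge range.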
