DDoS mitigation

Feb 18th, 2010

Hi,

I need advice regarding implementing DDoS mitigation at the distribution layer.
Internet
  |
WAN Links
  |
Routers
  |
Switches
  |
Firewall per Server Farm
  |
Server Farm

I'm wondering whether implementing DDoS mitigation at the switch, using a Cisco Catalyst 6500 with the Cisco Anomaly Guard Module and Cisco Traffic Anomaly Detector Module, would be a good start.

Appreciate your DDoS mitigation expert advice.

TIA

Panos Kampanakis Fri, 02/19/2010 - 09:54

I think the best choice would be to apply it as close to the WAN as possible. So I guess the edge router or switch is the best place.

The anomaly detector device can help by learning your traffic and being able to tell when there is an anomaly that might be an attack.

At the same time, Cisco routers can do some attack mitigation like TCP intercept (making sure hosts exist before finishing the connections), limiting the number of connections to specific limits, etc.

I hope it helps.

PK
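The router-side mitigation mentioned in the reply above, written out as an added example (this is not configuration from the thread or from Cisco's documentation). It assumes an IOS router in front of a server farm on 192.0.2.0/24; the subnet, the access-list number and the thresholds are illustrative assumptions and must be tuned to the measured baseline of the real link.

```cisco
! Added example: IOS TCP intercept protecting an assumed server farm 192.0.2.0/24.
! In intercept mode the router answers the client's SYN itself and only opens
! the server-side connection once the client has completed the handshake, so
! spoofed SYNs from a SYN flood never reach the servers.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept mode intercept
!
! Aggressive mode starts when half-open connections (or the one-minute rate of
! new connections) exceed the high watermark and stops at the low watermark.
! The numbers below are assumed for illustration.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! In aggressive mode every new SYN evicts a half-open connection; random
! eviction (default is oldest) keeps an attacker from predicting which
! legitimate handshakes get dropped.
ip tcp intercept drop-mode random
!
! Idle timeout for connections the router has already handed to the server.
ip tcp intercept connection-timeout 3600
```

Verify with `show tcp intercept statistics` and `show tcp intercept connections`. Two caveats a practitioner would want: intercept is done in the router CPU, so it protects the servers from SYN floods but does not protect the router itself or the WAN link from a bandwidth flood, and in aggressive mode legitimate clients on slow links are the first to lose their half-open handshakes, so keep the low watermark comfortably above normal peak load.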

Danilo Dy Sun, 02/21/2010 - 18:37

Hi PK,

Thank you for your reply. I initially chose the distribution switch so as to also protect against internal DDoS from other connections to the switch.

Are the switch model and modules good? Someone told me there is a replacement for the modules I mentioned.

Btw, the WAN link should be able to sustain the DDoS, right? What is the theoretical bandwidth size (incoming, assuming the DDoS is from external) needed to sustain a DDoS attack?

TIA

Panos Kampanakis Mon, 02/22/2010 - 06:31

"the WAN link should be able to sustain the DDoS right?" Not sure what you mean here.

The WAN link has a bandwidth; if someone sends too much traffic to oversubscribe that link, it will be oversubscribed.

"protect from internal DDOS from other connections to the switch"

Also not sure what you mean. You can limit who connects to the switch, so that can be done as well. DoS mitigation can also be done outbound.

The Anomaly modules have been out for some time, and the truth is that they are being phased out slowly.

There are other options like the FWSM firewall module you can also evaluate.

I hope it helps.

PK
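For the FWSM option mentioned above, an added example (not from the thread or from Cisco's documentation) of the per-server-farm connection limits it can enforce instead of the router-side intercept: a cap on total and half-open (embryonic) connections through the Modular Policy Framework. The subnet 192.0.2.0/24, the object names, the interface name `outside` and the limits are assumptions; the syntax follows ASA/FWSM MPF and should be checked against the FWSM release actually in use.

```cisco
! Added example: FWSM connection limits for an assumed server farm 192.0.2.0/24.
! Traffic to the farm is matched by an ACL, wrapped in a class-map, and given
! connection limits in a policy-map applied to the outside interface.
access-list SERVER_FARM_TCP extended permit tcp any 192.0.2.0 255.255.255.0
!
class-map SERVER_FARM_TCP
 match access-list SERVER_FARM_TCP
!
policy-map OUTSIDE_POLICY
 class SERVER_FARM_TCP
  ! conn-max caps established connections to the farm; embryonic-conn-max caps
  ! half-open ones. Once the embryonic limit is reached the firewall answers new
  ! SYNs on the servers' behalf and only forwards completed handshakes.
  ! Both values are assumed for illustration.
  set connection conn-max 10000 embryonic-conn-max 1000
  ! Drop half-open connections that never complete after 30 seconds.
  set connection timeout embryonic 0:00:30
!
service-policy OUTSIDE_POLICY interface outside
```

Check the counters with `show service-policy` and the live table with `show conn`. This addresses the internal-attack concern raised earlier only for traffic that actually crosses the FWSM: hosts on the same VLAN behind the firewall reach each other through the switch without touching it, so the per-farm limits are complemented, not replaced, by controlling who can connect to the switch.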
