DDoS Protection
Igor Belov, 2015-01-25 16:47:57

How to protect servers from DDoS with Cisco?

Hello!

There are several dozen servers in two racks with about 10 Gbps connected in total, with the possibility of expanding to 40-50 Gbps. Periodically, attacks of several gigabits or more “arrive” and clog my channel. To combat attacks, an external service is used, which helps, but you have to change IP addresses. I.e., when an attack occurs, all sites change their IP addresses to special protected ones provided by the company from which this service is purchased, and on the attacked IP addresses the network equipment cuts traffic 100%. But this scheme has a significant drawback for us - it takes time to change the IP in DNS and time for DNS to update.

We want to make a scheme with protection using Cisco (or some other) network equipment inside the DC, so as not to use this external service and not change IP.

Tell me, please, is this possible and, if so, in which direction to dig? Where can I find a consultant on this issue?


4 answer(s)
asd111, 2015-01-25
@asd111

BGP Blackhole
habrahabr.ru/post/211176

Puma Thailand, 2015-01-25
@opium

Cisco has its own solutions for dealing with DDoS, it is logical to ask the Cisco itself.

Sergey Petrikov, 2015-01-25
@RicoX

There are many kinds of DDoS. The first thing you need against any of them is a very fat incoming channel, so that it does not die and you can steer traffic to collectors for analysis. If you have the channel, next get in touch with Aruba or Radware, read their websites and look at the reviews - these are the best-known market players. Cisco also has its own developments, but in terms of price/efficiency ratio, in my opinion, it is not the best option.

throughtheether, 2015-01-28
@throughtheether

I believe that before buying new devices, it is highly desirable to optimize the infrastructure in order to increase its reliability. Therefore, in the comment I will touch on other topics, not only anti-DDoS solutions.

There are several dozen servers in two racks to which about 10 Gbps are connected in total
What does "about 10 Gbps" mean? Are you using 10-gigabit links or aggregation of several gigabit links? For several reasons, the first option is preferable.
Periodically, attacks of several gigabits or more “come” and I clog the channel.
How do you know the traffic intensity? You need to understand that if the garbage traffic is UDP or TCP segments without an established session, then it is quite possible that 10-20 Gbit/s of traffic addressed to you arrives at your provider, and only part of it reaches you. If possible, request statistics (netflow data) from the hosting provider.
We want to make a scheme with protection using Cisco (or some other) network equipment inside the DC, so as not to use this external service and not change IP.
Concerning Cisco equipment. Cisco Systems had a Clean Pipes solution designed to counter DDoS attacks. It consisted of two components - an anomaly detector (Cisco Traffic Anomaly Detector, used optionally) and the filtering device itself (Cisco Anomaly Guard). Both devices have End-of-Life status. Later, together with Arbor Networks, the Clean Pipes 2.0 architecture was developed, where, as far as I know, the main work was performed by the Arbor Peakflow TMS (threat management system) device. I do not know of a modern device under the Cisco Systems brand designed to counter DDoS attacks.
Tell me, please, is this possible and, if so, in which direction to dig?
First, decide why you are doing this. If garbage traffic to a client leads to the inaccessibility of your network (i.e. to complete utilization of the link), that is one thing. In this case BGP blackhole (RTBH, remotely triggered blackhole filtering) will help you by dropping all traffic to the client. Effectively, the client host will be unreachable (i.e. the DoS attack succeeded, denial of service reached), but the junk traffic will be dropped on the ISP's equipment without affecting the health of your network. In my opinion, it is necessary to have RTBH configured. To do this, you can use, for example, a software BGP speaker such as exabgp or quagga.
If you plan to filter client traffic (i.e. discard junk traffic and let through "useful" traffic, whatever that means), then RTBH won't work. Possible hardware options (which I have worked with or observed): a well-configured server under Linux/*BSD with Intel cards (cheap, flexible, many nuances), a Juniper SRX of suitable capacity (expensive, fully protects against some attacks, but, in my opinion, a specialized solution is preferable), Arbor Peakflow TMS (expensive, beautiful interface, I generally liked working with it), Perimeter from MFI-Soft (it works, but not without nuances).
In addition to the device itself or an external service, as I already mentioned, you should, in my opinion, make sure that:
1) the network is under comprehensive monitoring;
2) there is either a separate (out-of-band) management network, or QoS settings on the links that reserve bandwidth for management-system traffic;
3) CPU protection of network devices is configured (control plane policing/protection in the Cisco world);
4) there are no other bottlenecks (for example, with ECMP in one form or another, aggregating two 1 Gbit/s links does not in all cases give a throughput of 2 Gbit/s).
Summing up, I will say that the problem of network stability in general and protection against DDoS attacks in particular is complex, and it should be solved accordingly.
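The answer above recommends two things that fit together: get netflow statistics from the provider to see how much traffic is really addressed to each host, and trigger a BGP blackhole (RTBH) from a software speaker such as exabgp. The following added example (not code from the thread or from any of its participants) shows that pipeline on constructed data: it aggregates flow records per destination host, flags hosts whose inbound rate crosses a threshold, and produces the exabgp API command announcing a /32 tagged with a blackhole community. The prefixes, threshold, next-hop, flow layout and the community value 65535:666 (the well-known BLACKHOLE community from RFC 7999) are illustrative assumptions; an ISP may require its own community, so check its customer documentation.

```python
"""Flow statistics -> RTBH trigger for exabgp (added example, not from the thread).

Assumptions (placeholders, not taken from the original discussion):
  - OWN_PREFIXES, THRESHOLD_BPS, the next-hop and the flow record layout.
  - BLACKHOLE_COMMUNITY: RFC 7999 well-known value; many ISPs use their own.
"""
import ipaddress
from collections import defaultdict

# Address space we are allowed to blackhole: only our own (RFC 5737 test ranges).
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE; placeholder choice
INTERVAL_SECONDS = 60               # export interval of the constructed flows
THRESHOLD_BPS = 2_000_000_000       # 2 Gbit/s per host (placeholder)

# Constructed flow records for one 60 s interval: (dst_ip, protocol, bytes).
SAMPLE_FLOWS = [
    ("198.51.100.10", "udp", 45_000_000_000),  # 45 GB / 60 s = 6 Gbit/s of UDP
    ("198.51.100.10", "tcp", 5_000_000_000),
    ("198.51.100.20", "tcp", 750_000_000),     # 100 Mbit/s, ordinary web load
    ("203.0.113.5",   "udp", 12_000_000),
    ("192.0.2.99",    "udp", 90_000_000_000),  # not our space: must never be blackholed
]


def bits_per_second_by_dst(flows, interval):
    """Aggregate flow byte counts into bit/s per destination address."""
    totals = defaultdict(int)
    for dst, _proto, nbytes in flows:
        totals[dst] += nbytes
    return {dst: total * 8 / interval for dst, total in totals.items()}


def is_own_address(addr):
    """True if addr lies inside one of OWN_PREFIXES."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)


def select_blackhole_targets(flows, interval=INTERVAL_SECONDS, threshold=THRESHOLD_BPS):
    """Hosts over the threshold that are inside our own prefixes, sorted.

    The ownership check is the important safety property: a trigger router
    must never announce a blackhole for address space it does not own.
    """
    rates = bits_per_second_by_dst(flows, interval)
    return sorted(dst for dst, bps in rates.items()
                  if bps >= threshold and is_own_address(dst))


def exabgp_announce(dst, community=BLACKHOLE_COMMUNITY, next_hop="192.0.2.1"):
    """exabgp API text command announcing a /32 RTBH route.

    exabgp reads such lines on the stdin of a process it spawns. The next-hop
    is normally an address the upstream already routes to discard/Null0
    (placeholder value here).
    """
    host_route = ipaddress.ip_network(f"{dst}/32")
    return f"announce route {host_route} next-hop {next_hop} community [{community}]"


def exabgp_withdraw(dst, next_hop="192.0.2.1"):
    """Withdraw the route once the attack subsides, restoring reachability."""
    return f"withdraw route {dst}/32 next-hop {next_hop}"


if __name__ == "__main__":
    for target in select_blackhole_targets(SAMPLE_FLOWS):
        print(exabgp_announce(target))
```

On the constructed data only 198.51.100.10 is selected: 198.51.100.20 stays under the threshold, and 192.0.2.99 is over it but outside the owned prefixes, so it is refused. In practice the withdraw command matters as much as the announce, since a forgotten blackhole route is a self-inflicted outage.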
