How to protect servers from DDoS with Cisco?
Hello!
There are several dozen servers in two racks, to which about 10 Gbps are connected in total, with the possibility of expanding up to 40-50 Gbps. Periodically, attacks of several gigabits or more "come in" and my channel gets clogged. To combat attacks, an external service is used, which helps, but you have to change IP addresses. That is, when an attack occurs, all sites change their IP addresses to special protected ones, which are provided by the company from which this service is purchased. And on the attacked IP addresses, traffic is cut 100% in the network equipment. But this scheme has a significant drawback for us - it takes time to change the IP in DNS and time for DNS to update.
We want to make a scheme with protection using Cisco (or some other) network equipment inside the DC, so as not to use this external service and not change IP.
Tell me, please, is this possible and, if so, in which direction to dig? Where can I find a consultant on this issue?
Cisco has its own solutions for dealing with DDoS; it is logical to ask Cisco itself.
There are many kinds of DDoS. The first thing you need for any of them is a very fat incoming channel so that it does not die and you can divert traffic to collectors for analysis. If there is a channel, then get in touch with Aruba or Radware, read their websites, look at the reviews - these are the most famous market players. Cisco also has its own developments, but in terms of price/efficiency ratio, in my opinion, it is not the best option.
I believe that before buying new devices it is highly desirable to optimize the infrastructure in order to increase its reliability. Therefore, in this comment I will touch on other topics, not only anti-DDoS solutions.
> There are several dozen servers in two racks to which about 10 Gbps are connected in total

What does "about 10 Gbps" mean? Are you using 10-gigabit links or multi-gigabit aggregation? For a number of reasons, the first option is preferable.

> Periodically, attacks of several gigabits or more "come" and my channel gets clogged.

How do you know the traffic intensity? You need to understand that if the garbage traffic is UDP, or TCP segments without an established session, then it is quite possible that 10-20 Gbit/s of traffic addressed to you arrives at your provider, and only part of it reaches you. If possible, request statistics (NetFlow data) from the hosting provider.

> We want to make a scheme with protection using Cisco (or some other) network equipment inside the DC, so as not to use this external service and not change IP.

Concerning Cisco equipment. Cisco Systems had a Clean Pipes solution designed to counter DDoS attacks. It consisted of two components - an anomaly detector (Cisco Traffic Anomaly Detector, used optionally) and the filtering device itself (Cisco Anomaly Guard). Both devices have End-of-Life status. Later, together with Arbor Networks, the Clean Pipes 2.0 architecture was developed, where, as far as I know, the main work was performed by the Arbor Peakflow TMS (Threat Management System) device. I do not know of a modern device under the Cisco Systems brand designed to counteract DDoS attacks.

> Tell me, please, is this possible and, if so, in which direction to dig?

First, decide why you are doing this. If garbage traffic to a client leads to the inaccessibility of your network (i.e. to complete utilization of the link), then this is one thing. In this case, BGP blackhole (RTBH, remotely triggered blackhole filtering) will help you, dropping all traffic to the client. Effectively, the client host will be unreachable (i.e. the DoS attack succeeded, denial of service was reached), but the junk traffic will be dropped on the ISP's equipment without affecting the health of your network. In my opinion, it is necessary to have RTBH set up. To do this, you can use, for example, a software BGP client such as exabgp or quagga.
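As an added example (not code from the answer above, from Cisco or from the ExaBGP project), a small Python helper for the RTBH approach described: it emits ExaBGP API commands that advertise the attacked address as a /32 with a blackhole community to the upstream, and withdraw it when the attack subsides. The prefixes, the discard next-hop 192.0.2.1 and the RFC 7999 community 65535:666 are constructed/assumed here; the command syntax follows ExaBGP's text API as I understand it, and the real community and next-hop must come from the ISP's RTBH documentation.

```python
"""ExaBGP API commands for remotely triggered blackhole (RTBH).

Run as an ExaBGP 'process' (ExaBGP reads commands from its stdout) or pipe
the output into ExaBGP's API. All addresses are constructed (RFC 5737 ranges).
"""
import ipaddress
import sys

# Constructed: the address space this DC owns. Anything outside it is refused,
# so a typo cannot blackhole a prefix that is not ours.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed: the next-hop the upstream discards, and the RFC 7999 BLACKHOLE
# community 65535:666. Many ISPs use their own community and next-hop for RTBH;
# take both values from the provider's documentation.
BLACKHOLE_NEXT_HOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "65535:666"


def host_route(address: str) -> ipaddress.IPv4Network:
    """Validate the attacked address and return it as a /32 inside OWN_PREFIXES."""
    net = ipaddress.ip_network(address, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"RTBH here is for IPv4 host routes only, got {address}")
    if not any(net.subnet_of(own) for own in OWN_PREFIXES):
        raise ValueError(f"{address} is not in our address space; refusing to blackhole")
    return net


def announce(address: str) -> str:
    """ExaBGP API line advertising the /32 with the blackhole community."""
    net = host_route(address)
    return (f"announce route {net} next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def withdraw(address: str) -> str:
    """ExaBGP API line withdrawing the /32 once the attack subsides."""
    net = host_route(address)
    return f"withdraw route {net} next-hop {BLACKHOLE_NEXT_HOP}"


if __name__ == "__main__":
    # Usage: rtbh.py announce 203.0.113.10  or  rtbh.py withdraw 203.0.113.10
    action, target = sys.argv[1], sys.argv[2]
    print(announce(target) if action == "announce" else withdraw(target), flush=True)
```

The /32 must be accepted by the upstream's import policy for blackholing, and the withdraw step matters as much as the announce: a forgotten /32 keeps the host unreachable long after the attack ends.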