(09-15-2014, 08:21 PM)Me.B Wrote: DDOS should be mitigated mostly at routers and upstream, not at server level, as even if you keep dropping packets you will be receiving so much data that your upstream will be dead.
If you have a 100 MB/s uplink and you get a 1 GB/s attack, which gets common with NTP amplification, you will be off so quickly even if you drop ALL the packets or the attack port is closed.
If you want DDOS protection, use an ISP that has such protection.
M B
For those of you who live in a fantasy world and have high-level ISPs that will do this for you, that's great. For the rest of us, small businesses in lower-end colos with tier C ISPs who don't have million-dollar budgets, this is not a practical solution.
I called my colo and they did nothing. And that is the case for almost everyone else who doesn't have tier A Verizon service. The reality in this world is that you have to solve your own problems because your ISP won't do it for you.
I don't care how big the attack is. They attacked me at 10 GB/s and I still survived it and the firewall successfully blocked it. All the firewall has to do is immediately shut down and drop the packets to free up the circuit. Yes, you will run slower during the attack but nothing is going offline.
It is amazing that there is so much misinformation about DDOS attacks out there. THEY CAN BE STOPPED WITH THE RIGHT FIREWALLS.
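To make the bandwidth arithmetic behind both posts concrete, here is an added triage script (not code from either poster). It reads a few constructed NetFlow-style lines, measures the inbound rate toward a victim address over the capture window, checks it against the uplink capacity, and reports whether the traffic has the shape of NTP amplification (UDP from source port 123, large uniform packets, many distinct reflectors). The line format, the IP addresses, the 440-byte response size and the detection thresholds are all assumptions chosen for the example; the recommendation logic encodes Me.B's point that once inbound volume exceeds the uplink, dropping at the host cannot free the circuit, while a flood that fits under the uplink can be handled by a local drop rule.

```python
"""
Added example: flood triage over constructed flow records.
Decides whether a local firewall drop can help or whether the
volume already exceeds the uplink and upstream filtering is needed.
"""
import re

# Assumed line format for this example (not a real tool's output):
#   <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> bytes=<n> pkts=<n>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+(?P<proto>\w+)\s+"
    r"bytes=(?P<bytes>\d+)\s+pkts=(?P<pkts>\d+)$"
)


def parse_flow(line):
    """Parse one flow line into a dict; reject malformed input loudly."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable flow line: %r" % line)
    d = m.groupdict()
    for k in ("src_port", "dst_port", "bytes", "pkts"):
        d[k] = int(d[k])
    return d


def assess(lines, victim_ip, uplink_mbps, window_s):
    """Summarise inbound traffic to victim_ip over a window of window_s seconds."""
    total_bytes = ntp_bytes = ntp_pkts = 0
    ntp_sources = set()
    for line in lines:
        f = parse_flow(line)
        if f["dst_ip"] != victim_ip:
            continue
        total_bytes += f["bytes"]
        # Reflected NTP responses arrive as UDP from source port 123.
        if f["proto"] == "UDP" and f["src_port"] == 123:
            ntp_bytes += f["bytes"]
            ntp_pkts += f["pkts"]
            ntp_sources.add(f["src_ip"])
    inbound_mbps = total_bytes * 8 / window_s / 1e6
    report = {
        "inbound_mbps": round(inbound_mbps, 1),
        "over_uplink": inbound_mbps > uplink_mbps,
        "ntp_share": round(ntp_bytes / total_bytes, 4) if total_bytes else 0.0,
        "ntp_mean_pkt_bytes": round(ntp_bytes / ntp_pkts, 1) if ntp_pkts else 0.0,
        "ntp_sources": len(ntp_sources),
    }
    # Amplification signature (illustrative thresholds): most bytes from
    # UDP/123, large uniform packets, and many distinct reflectors.
    report["looks_like_ntp_amplification"] = (
        report["ntp_share"] > 0.8
        and report["ntp_sources"] >= 10
        and report["ntp_mean_pkt_bytes"] > 400
    )
    if report["over_uplink"]:
        report["action"] = "request upstream filtering (local drops cannot free the circuit)"
    else:
        report["action"] = "local firewall drop of UDP/123 responses is sufficient"
    return report


def constructed_flows(n_reflectors, bytes_per_reflector, victim="203.0.113.10"):
    """Build constructed sample data: n reflected NTP flows plus two legitimate TCP/443 flows."""
    lines = []
    for i in range(1, n_reflectors + 1):
        pkts = bytes_per_reflector // 440  # ~440-byte responses, a constructed value
        lines.append("2014-09-15T20:21:00 198.51.100.%d:123 -> %s:54321 UDP bytes=%d pkts=%d"
                     % (i, victim, bytes_per_reflector, pkts))
    for i, port in enumerate((40001, 40002)):
        lines.append("2014-09-15T20:21:00 192.0.2.%d:%d -> %s:443 TCP bytes=500000 pkts=400"
                     % (i + 1, port, victim))
    return lines


if __name__ == "__main__":
    # 25 reflectors x 50 MB over a 10 s window: about 1 Gb/s into a 100 Mb/s uplink.
    print(assess(constructed_flows(25, 50_000_000), "203.0.113.10", 100, 10))
    # 2 reflectors x 5 MB over 10 s: well under the uplink, a local rule copes.
    print(assess(constructed_flows(2, 5_000_000), "203.0.113.10", 100, 10))
```

Run it and the first report shows roughly 1000 Mb/s inbound with the amplification flags set and the action pointing upstream; the second shows under 10 Mb/s from only two sources, where a local drop rule is the right answer. The window length matters: rate is derived from the flows' byte totals over the stated window, so feed it the same window your collector aggregates over.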