Comments
The problem there is then advertised numbers mean very little.
E.g. let's say advertising in that manner is OK and cogent accepts flowspec rules or has some other configurable way of doing filtering. I don't use cogent so I don't know if this actually exists.
Now a single-homed cogent provider can advertise 227Tbps DDoS mitigation, since cogent has that capacity. But realistically they won't get close to that.
I don’t know of a single Tier 1 that accepts pure FlowSpec from the Customer.
From what I see those are typical port and fiber specs and are almost certainly not even close to real bandwidth. Also note the somewhat meager bandwidth to the FRA and LON IXs (which is a quite good indicator).
That. Plus flowspec can be "abused" for DDOS mitigation but it's not good at it, at least not for larger and/or complex attacks.
BGP flowspec can also be really expensive to execute. I know of one network that tried to implement it and ended up on largely all software paths through the router.
but but but nforce?
It can be implemented right however and with the right gear offers excellent heavy lifting capabilities right at the edge of the network.
something very strange and very polite is going on here.
@Clouvider What gear can execute full BGP flowspec without falling through hardware acceleration to software routing?
Hardware acceleration is very important for most edge routers as it's not bit volume that poses the most difficulty to mitigate these days - typically it's throughput (PPS).
FYI: Unfortunately Skype purged that conversation I had with them from the chat history. I do know they run some MX480s; not sure if that's where they were attempting to execute the filters, however.
The answer to how it's possible to filter 980 Gbps was already covered in this thread by the members.
It's obviously not cheap but not so hard in NL to have access to high bandwidth for filtering DDoS attacks. Also when launching services in new locations like China, West Europe and soon USA the available bandwidth to filter attacks will grow day by day. However you should note that just having access to the bandwidth isn't good enough to stop the attacks.
Even if volumetric attacks can be handled, there are many attacks on the applicational layer 7 aiming to take down UDP applications (e.g. TeamSpeak) or TCP (e.g. HTTP) using low bandwidth.
BlazingFast has proprietary solutions, developed by our engineers and running on custom hardware that can handle both high bandwidths and high packets per second, scrubbing the "dirty" bandwidth. As we have our own scrubbing system and methods, currently BlazingFast does not buy scrubbing from any other company.
However we sell anti-DDoS tunnels over GRE or IP-IP to protect servers hosted with any provider that wish to have additional protection and handle higher bandwidth attacks:
Let's say a Customer has a 1, 10 or even 40 Gbps server hosted with provider "A" and wishes to have additional protection. We can protect the customer from those high bandwidth or applicational attacks without the need for the Customer to build his own complex solution or expensive bandwidth that he would never need, except when receiving high bandwidth DDoS attacks.
We trust our protection is very well positioned, when compared to our competitors. That's why BlazingFast keeps growing and has customers moving every day from the said "big companies" that have WAF systems easily bypassed by attackers and provide us good feedback after moving to us.
It wasn't really though. A few people (including myself) speculated; but the conclusion was either
1) you have the uplink capacity and filter yourself
2) you don't have the uplink capacity and upstream applies your filters
You've said before you don't use anyone else's protection, but some posters have inferred you don't have 1 Tbps transit. Both can't be correct surely. My assumption would be upstreams are applying your filters before your network which is how you can reach such a level of protection -- but this is something you've already denied?
As you all know, all the techniques covered during this post that imply flowspec and similar technologies aren't true "scrubbing". If you have let's say 200 Gbps against port "xxxx" and you ask your upstream to simply apply "filters" on port "xxxx", legitimate clients would be dropped together with the "dirty" bandwidth.
As we have our own technologies, to apply them and clean malicious traffic we need to receive all traffic (good+bad) so we can filter the bad, thus we need to have capacity to filter ourselves and 1) applies.
I think we'll have an answer when some day a real and massive DDOS against blazingfast.io is performed.
My guess: They'll break about as fast as you can say "DDOS". Reason: Based on blazingshost.io's very vague statements I see absolutely no reason to believe that they could do what many bigger companies failed to do. My take is that they have built some home-made solution that will break once an attack goes beyond maybe 50, maybe 80 Gb/s.
We'll see. Or we'll finally get some tangible and credible info from them. I don't hold my breath however.
So, from what I see it's a clear STAY AWAY!