Hello to all!
The sites of our users, and our own services, are constantly under DDoS attack. All this time we have been handling each incident in a semi-manual mode, but the attacks keep getting more sophisticated and more frequent, and to keep repelling them we need artillery of a different calibre.
Over the past year we have studied the question of DDoS protection in detail. This post is about how we looked for a reliable, effective and convenient out-of-the-box solution.
Like all curious people, we began by studying the market for existing protection appliances. We picked the main, best-known manufacturers:
How we chose
We are not a backbone provider and did not want to waste time digging through hundreds of DDoS protection parameters, so one of the most important qualities for us was simplicity of configuration and management.
In addition, we need high-quality filtering. Needless to say, how well the sites work depends directly on this, and in general this is the device's main job.
We contacted the vendors' representatives in Russia, described our tasks and requested test units. We have no problem obtaining the "necessary" traffic: DDoS "comes" to us every day in one form or another.
Arbor was the first to catch our attention. At the beginning of the year, at one of the international conferences, we received a full charge of marketing material at their booth. At first glance everything looked too good =), let's see what happened next.
Just at that time they had released the Pravail product for the corporate segment (before that there was only Peakflow for backbone-level providers). It was exactly what we needed.
In April, Kirill Kasavchenko, who works with clients in EMEA, came to us, showed us Peakflow in action (which strengthened our opinion that the system was overkill for us), told us a lot of interesting things about DDoS attacks, and we parted waiting for the Pravail test unit.
Two months later it arrived! In fact, it is an Intel 2U chassis with tricky bolts; curious, of course, but we won't break anything.
We took it straight to the data center, racked it, hooked it up, brought up the IP and it all worked. In our system there is a server (Protos) where we protect users from attacks by our own methods; there is always parasitic traffic there, or rather there was, until we routed all of that server's traffic through Pravail. It works!
To protect systems, you create groups to which the relevant rules apply, and that's it. All that remains is to watch the graphs. There is a standard configuration and a somewhat more detailed one, but as a rule the basic values are enough. We tested it on one of our DNS servers, on MX and of course on the web. We were satisfied with its work on all services.
Perhaps the most important disadvantage is the price. Pravail is expensive, Peakflow is cosmically expensive (almost like Curiosity =).
The system that was sent to us consisted of three devices: ADS 6000 (the actual protection module), ADS-M1600 (the management device) and NTA-2000 (the traffic analyzer).
Three people from China and two from Moscow (not translators) came along with the three devices. This is where the first suspicions began to creep in.
We met at the data center on the morning of May 16, exchanged greetings and went to install the equipment. Before the installation a short meeting took place, where we drew a wiring diagram, agreed on the details and went into the hall.
First we decided to build the usual simple protection scheme, nothing special:
After three hours of hard work, our friends from behind the Great Wall began to run out of laptop battery, and the charger turned out to be one for three. Two hours later they called in a colleague "from over there" and our guests became six.
As a result, 6 hours later, after various manipulations with optical modules (they had all of them with them =) and flashing the hardware with different firmware, the lights blinked as they should and the setup finally came up. The only thing that bothered me was the Chinese flag on the front of the case. But against the background of the first victory these thoughts went away.
Hooray. Off to the office to tune it and enjoy the results!
In the office. Time to get acquainted with the interface face to face. It sucks. Some windows with text in Chinese. The graphs are terrible. Half an hour later I wanted to call it quits, but out of respect (solidarity?) we carefully studied every aspect of this system. We never got as far as traffic analysis. Also experience.
The first impression is the most important; we understand this, they apparently do not.
A smile of horror (or joy?) on my face: everything will be fine!
Honestly, I do not understand why he looks at me like that; maybe he is hungry.
The next day we removed all the equipment and sent it back.
Perimeter came to us as an HP 1U server on two Opterons; it's a shame to be honest, but we couldn't even figure out its interface, so a more or less detailed story will not happen. Rumor has it that Peakflow rewritten by "our" programmers is also used in RT.
We were sent a fairly powerful device, the DefensePro 12412 (comparison here).
It is so serious that we could not even guess what is inside. Installation and connection to our system went without problems.
To manage the device you need to deploy a virtual machine on VMware, through which access is provided. At the time of testing, the device could only be managed through a Java client (APsolute Vision).
Everything seems fine, but when we started dealing with its interface, things got bad =) And it's not even the number of settings, of which, given the device's functions, there turned out to be a lot; it's the speed of the management interface. It was veeeery slow. When switching between sections you could pour yourself a coffee, and there was a lot of coffee.
In addition, the interface kept dropping off with some mythical timeouts and, unfortunately, was not pretty at all. Even the specialists from Moscow and Tel Aviv who came to help us were amazed at the sluggishness of "our" system, agreed that it should be updated and that we had the "wrong" VMware image, but that didn't change much.
Conclusion
We will not discuss what is worse or better; we made a decision for ourselves. Draw your own conclusions.