
We have three servers colocated in a datacenter for a high-load e-commerce web project, connected via a Cisco Catalyst 2960. We need to build an anti-DDoS system with a hardware firewall, Cisco Guard, etc. Cisco Guard is out of date, no longer being sold, and might not be supported by the vendor. What hardware solution would fit us?

Andrey
  • Andrey: welcome to SF, but I fear this question may get closed soon; the FAQ, linked from the top of every page, is very clear that product recommendations are off-topic for SF. If it does get closed, please don't take it personally; read the FAQ, and do ask more questions. – MadHatter Nov 28 '12 at 14:01

2 Answers


If it's a true DDoS, you're going to need to get your ISP to drop the traffic on the backbone. By the time it's hitting the firewall in your rack in the colo, it's already consumed resources. Sure, dropping the traffic before fulfilling the request reduces the impact, but it will not prevent a real DDoS.

MDMarra
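The point in the answer above, as an added example that is not part of the original answer: a small model of why a firewall behind a saturated colo uplink cannot recover legitimate traffic, plus the remotely-triggered blackhole (RTBH) request you would hand to the upstream provider. The 1 Gbit/s link, the 203.0.113.0/24 prefix, the traffic volumes and the ExaBGP-style announcement line are all assumptions for illustration; the 65535:666 community is the well-known BLACKHOLE community from RFC 7999, but your upstream may use its own.

```python
import ipaddress

LINK_MBPS = 1000  # assumed 1 Gbit/s colo uplink
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community

# Constructed sample of offered inbound traffic in Mbit/s. The prefix and the
# attack volume are assumptions, not figures from the question.
SAMPLE_INBOUND = [
    {"dst": "203.0.113.10", "mbps": 200,  "legit": True},   # shop front end
    {"dst": "203.0.113.10", "mbps": 4000, "legit": False},  # volumetric flood
    {"dst": "203.0.113.20", "mbps": 100,  "legit": True},   # second server
]


def delivered_legit(link_mbps, flows, blackholed=frozenset()):
    """Legitimate Mbit/s that actually reaches each host behind the uplink.

    Anything the ISP blackholes never reaches the link. Everything else
    competes for the link, and once offered load exceeds capacity the carrier
    side tail-drops without regard to which packets are legitimate. A firewall
    in the rack sits behind that drop, so it cannot change these numbers; it
    can only keep the surviving attack packets from costing server CPU."""
    offered = [f for f in flows if f["dst"] not in blackholed]
    total = sum(f["mbps"] for f in offered)
    share = min(1.0, link_mbps / total) if total else 1.0
    result = {f["dst"]: 0.0 for f in flows}
    for f in offered:
        if f["legit"]:
            result[f["dst"]] += f["mbps"] * share
    return result


def needs_upstream_help(link_mbps, flows):
    """True when the offered load alone would saturate the uplink."""
    return sum(f["mbps"] for f in flows) > link_mbps


def rtbh_announcement(victim, own_prefix, next_hop):
    """Build the /32 blackhole announcement for one victim host.

    The string follows the shape of an ExaBGP 'announce route' API line
    (an assumption; the upstream tells you its exact community and next-hop
    conventions). The checks refuse to blackhole an address you do not own
    or anything wider than one host, either of which is a self-inflicted
    outage rather than mitigation."""
    host = ipaddress.ip_network(victim, strict=True)
    prefix = ipaddress.ip_network(own_prefix, strict=True)
    if host.prefixlen != host.max_prefixlen:
        raise ValueError("blackhole exactly one host, not a wider prefix")
    if not host.subnet_of(prefix):
        raise ValueError(f"{victim} is not inside {own_prefix}")
    return (f"announce route {host.with_prefixlen} next-hop {next_hop} "
            f"community [{BLACKHOLE_COMMUNITY}]")


if __name__ == "__main__":
    print("filtering in the rack only:", delivered_legit(LINK_MBPS, SAMPLE_INBOUND))
    if needs_upstream_help(LINK_MBPS, SAMPLE_INBOUND):
        print("after upstream blackhole of the victim:",
              delivered_legit(LINK_MBPS, SAMPLE_INBOUND, {"203.0.113.10"}))
        print(rtbh_announcement("203.0.113.10", "203.0.113.0/24", "192.0.2.1"))
```

With the sample numbers, both hosts get under a quarter of their legitimate traffic while the flood is on the wire, no matter what the rack firewall does; blackholing the victim /32 upstream sacrifices that host but restores the other one completely, which is the trade the answer is describing.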

I'm always dubious of "Hardware DDoS Protection" appliances, mostly because if they're just dropping traffic, then you could do that yourself with a server running pfSense (which would cost you nothing other than the server hardware).

If what you're looking for is an appliance to detect the source of the traffic, then that's a somewhat different question.

There are loads of different options for this kind of thing. Brocade ADX immediately springs to mind, but I'm certain that other vendors also offer similar boxes.

There's a neat SlideShare here with suggestions for choosing a DDoS mitigation platform.

You'll actually have to make your own decisions about which product to buy, and which pathway to go down, or hire a consultancy who are specialists in DDoS mitigation, and let them do the hard work for you.

What MDMarra says has a lot of truth in it too. If it's a true DDoS and your link is entirely saturated by inbound traffic, then the only option is to ask your upstream provider to blackhole it; even if you dropped packets infinitely fast on your edge, you'd still be inaccessible from the outside.

Tom O'Connor
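The "do the dropping yourself" half of the answer above, as an added example that is not part of the original answer: rank inbound sources from a few constructed flow-log lines by packets per second and emit the pfctl commands that load the worst offenders into a pf table a pfSense (or any pf) box can block. The log format, the ddos_block table name and the 50,000 pps threshold are assumptions; it also only helps with attacks that fit down the link, which is exactly the limit both answers point out.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "<epoch> <src> <dst> <proto> <packets>".
# Two sources are flooding; two are ordinary customers. All addresses are
# documentation ranges chosen for the example.
SAMPLE_FLOWS = """\
1354000000 198.51.100.7 203.0.113.10 udp 120000
1354000000 198.51.100.8 203.0.113.10 udp 95000
1354000000 192.0.2.44 203.0.113.10 tcp 300
1354000001 198.51.100.7 203.0.113.10 udp 118000
1354000001 192.0.2.45 203.0.113.10 tcp 250
1354000001 198.51.100.8 203.0.113.10 udp 97000
"""

TABLE = "ddos_block"   # assumed pf table, declared in pf.conf as: table <ddos_block> persist
PPS_THRESHOLD = 50000  # assumed: a single source above this is a flood, not a shopper


def per_source_pps(text):
    """Average packets per second per source over the sampled window.

    Every source field is parsed with ipaddress before it is trusted, so a
    malformed or hostile log line can never become part of a shell command."""
    packets = defaultdict(int)
    seconds = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, _proto, count = line.split()
        src = str(ipaddress.ip_address(src))  # raises ValueError on garbage
        packets[src] += int(count)
        seconds.add(ts)
    window = max(1, len(seconds))
    return {src: n / window for src, n in packets.items()}


def offenders(text, threshold=PPS_THRESHOLD):
    """Sources whose rate exceeds the threshold, worst first."""
    rates = per_source_pps(text)
    return sorted((s for s, r in rates.items() if r > threshold),
                  key=lambda s: -rates[s])


def pfctl_commands(sources, table=TABLE):
    """pfctl invocations that add each source to the table. A rule such as
    'block drop in quick on $ext_if from <ddos_block> to any' in pf.conf then
    drops their packets on the box, after they have already crossed the uplink."""
    return [f"pfctl -t {table} -T add {s}" for s in sources]


if __name__ == "__main__":
    bad = offenders(SAMPLE_FLOWS)
    for cmd in pfctl_commands(bad):
        print(cmd)
```

A real deployment feeds this from a flow exporter or the firewall's own state table on a timer, expires entries (pfctl's `-T expire` handles that) so a spoofed or rotating source list does not fill the table forever, and never adds anything from your own prefixes.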