
People who haven't worked in hosting don't realize that not only is the gear $100,000+, the administrators that understand it are just as expensive. Annually. (Mitigation is a relatively rare skill for network administrators.)

Edit: Let's say you run Joe's Web Hosting. Joe's has three facilities, and you run redundant ten gigabit uplinks at each. Last I priced a device that could handle ten gigabit at line rate, it was ~$120,000, so figure:

   $120,000 x 2 uplinks x 3 facilities = $720,000
Just for the gear.

(I honestly don't remember if that figure was for the gigabit device or the ten gigabit device. I think the ten.)




your example is pointless as no actual datacenter actually pays their equipment vendor anywhere near list price for those devices. i certainly don't.

network equipment vendors like to have high list prices in order to:

- ensure they get sales inquiries from serious buyers;

- give sales representatives a large amount of leverage when negotiating the actual line-item pricing for each purchase order;

- promote some kind of enhanced "value" to executives ("it costs a lot of money, so it must be good!")

a realistic price for two routers with two 10gig-e linecards is about $15,000-$25,000 per unit direct from brocade. cisco would be around the $35,000-$50,000 per unit ballpark. if you're paying any more than that, you're getting extremely shafted.

further, the circuits for the uplinks aren't going to cost that much themselves, as it's all sold under percentile-billing (not even 95%, usually more like 90% or 80% at over-gig-e levels these days) when we're talking actual transit costs. commits for "Joe's Web Hosting" might only be 1.5gig on each 10gig circuit, so that cuts down pricing a lot right there.

in terms of getting an experienced engineer, most attacks can be detected and mitigated automatically using netflow/sflow/ipfix flow analysis. i wrote software which handles the detection automatically, with a fairly high success rate, and it's free to use on bitbucket. :)


This was a price I received directly from a vendor who isn't Cisco or Brocade at a trade show. I honestly don't remember who because I lost interest, but I believe it was Black Lotus. It was priced per gigabit, and we needed ten. ~$12,000/gigabit, $120,000 device. Someone from Black Lotus can feel free to correct me. I was uninterested in negotiations from the get-go based on that ballpark, so if what you say is true, these vendors are doing themselves a disservice by talking me out of investigating them further simply based on a ballpark price. I also wasn't pricing routers, I was pricing mitigation gear. Cisco discontinued theirs, didn't they? The Guard? I seem to recall an admin who deployed Guards telling me they were (are?) six figures as well.

I worked for a serious buyer when I had this casual conversation with the vendor. You do business with my former employer (I've spoken to you before, when you took over cia.vc). I'd consider those facilities "real" datacenters, and they're certainly the same size as, if not significantly larger than, your hosting outfit. No need to appeal to authority with me, honestly, I think we're on the same page -- I think your comment misread me as pricing routers instead of mitigation gear.

As for flows, I was interested in a solution that I didn't have to write software to implement. I'd rather have a supported appliance that can handle figuring out DoS attacks itself, rather than me parsing flows and feeding that information back. That way, if the software doesn't work, I can blame somebody else rather than me. My time is precious. Yours sounds less so, and that's your prerogative.


yes, Cisco discontinued the Guard module, which is unfortunate, as it did a pretty good job at determining what ACLs needed to be generated and applying them, and was actually much cheaper than the appliances.

in terms of mitigation hardware, all of those appliances are a ripoff. the solution is to replace them with free software that does automatic analysis on the flows and then sends that data automatically elsewhere, putting them out of business.

i have a system set up that does automatic mitigation using ddosmon by having a "scrubbing center" running on freebsd-based devices. this is accomplished by having a custom 'action' module in ddosmon which does three things:

- calculate the necessary ACLs

- insert them into the appropriate pf tables so the mitigation strategy fits my ruleset

- direct the router to send traffic for the IP being flooded to the scrubbing appliance

this is basically the way that the mitigation appliance vendors tell you to do it if you're handling >10gig floods anyway.

i think ddos mitigation is really a place where free software can cause a massively needed paradigm shift.
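
The flow-based detection mentioned earlier in this thread and the three-step "action" described in the post above (compute ACLs, insert the victim into a pf table, steer the victim's traffic to the scrubber) can be sketched as one pipeline. The block below is an added illustration written for this page; it is not ddosmon's code, not any vendor's, and the flow records, thresholds, table name and scrubber next-hop are constructed assumptions. It assumes a collector has already decoded NetFlow/sFlow/IPFIX into simple records; the decoder itself is out of scope.

```python
"""Flow-window flood detection and mitigation-plan generation (added example).

Not ddosmon's code. Assumes flow records are already decoded into Flow objects;
WINDOW_SECONDS, PPS_THRESHOLD, PF_TABLE and SCRUBBER_NEXT_HOP are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Tuple

WINDOW_SECONDS = 60                 # assumption: one collector export window
PPS_THRESHOLD = 50_000              # assumption: packets/s to one destination that counts as a flood
SOURCE_SHARE_FOR_NARROW_ACL = 0.8   # assumption: how much of the flood the top /24s must explain
PF_TABLE = "scrub_targets"          # assumption: table the pf ruleset on the scrubber refers to
SCRUBBER_NEXT_HOP = "192.0.2.254"   # assumption: the FreeBSD/pf scrubbing appliance


@dataclass(frozen=True)
class Flow:
    """One decoded flow record: partial 5-tuple plus counters for the window."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    octets: int


# Constructed sample window: a UDP/53 flood against 198.51.100.5 from ten
# sources in one /24, plus ordinary HTTPS/HTTP traffic. Not real traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow(f"203.0.113.{i}", "198.51.100.5", "udp", 53, 400_000, 30_000_000)
    for i in range(1, 11)
] + [
    Flow("198.51.100.77", "198.51.100.5", "tcp", 443, 1_200, 900_000),
    Flow("192.0.2.15", "198.51.100.20", "tcp", 443, 3_000, 2_400_000),
    Flow("192.0.2.16", "198.51.100.20", "tcp", 80, 900, 600_000),
]


@dataclass
class Flood:
    victim: str
    pps: float
    proto: str
    dport: int
    top_sources: List[str]   # /24 aggregates sending most of the flood traffic
    source_share: float      # fraction of the dominant service's packets from top_sources


def detect_floods(flows: Iterable[Flow], window: int = WINDOW_SECONDS,
                  pps_threshold: int = PPS_THRESHOLD) -> List[Flood]:
    """Sum packets per destination over the window and flag destinations above
    the threshold. The dominant (proto, port) and the top source /24s for that
    service are kept so the ACL can be as narrow as the evidence allows."""
    pkts_by_dst: Counter = Counter()
    service_by_dst: Dict[str, Counter] = defaultdict(Counter)
    src24_by_service: Dict[Tuple[str, str, int], Counter] = defaultdict(Counter)
    for f in flows:
        pkts_by_dst[f.dst] += f.packets
        service_by_dst[f.dst][(f.proto, f.dport)] += f.packets
        net24 = str(ip_network(f"{f.src}/24", strict=False))
        src24_by_service[(f.dst, f.proto, f.dport)][net24] += f.packets

    floods: List[Flood] = []
    for dst, pkts in pkts_by_dst.items():
        pps = pkts / window
        if pps < pps_threshold:
            continue
        (proto, dport), service_pkts = service_by_dst[dst].most_common(1)[0]
        top = src24_by_service[(dst, proto, dport)].most_common(3)
        share = sum(n for _, n in top) / service_pkts
        floods.append(Flood(dst, pps, proto, dport, [net for net, _ in top], share))
    return sorted(floods, key=lambda fl: fl.pps, reverse=True)


def build_mitigation(flood: Flood, table: str = PF_TABLE,
                     next_hop: str = SCRUBBER_NEXT_HOP) -> Dict[str, object]:
    """Return the three actions as data (nothing is executed here): pf ACL lines,
    the pf table insert that activates the ruleset for the victim, and the
    /32 route change that steers the victim's traffic to the scrubber."""
    if flood.source_share >= SOURCE_SHARE_FOR_NARROW_ACL:
        acls = [f"block drop in quick proto {flood.proto} from {net} "
                f"to {flood.victim} port {flood.dport}" for net in flood.top_sources]
    else:
        # Sources are too spread out (likely spoofed) to filter by origin, so fall
        # back to dropping the flooded service toward the victim only.
        acls = [f"block drop in quick proto {flood.proto} to {flood.victim} port {flood.dport}"]
    pf_cmds = [f"pfctl -t {table} -T add {flood.victim}"]
    route = {"prefix": f"{flood.victim}/32", "next_hop": next_hop}
    return {"acls": acls, "pf": pf_cmds, "route": route}


if __name__ == "__main__":
    for fl in detect_floods(SAMPLE_FLOWS):
        print(f"{fl.victim}: {fl.pps:.0f} pps on {fl.proto}/{fl.dport}")
        print(build_mitigation(fl))
```

The route action is left as a plain dict because how it is pushed (a BGP announcement with a next-hop of the scrubber, or a vendor CLI command) depends on the router in front of the scrubbing center; the fallback to a service-only rule when the top source /24s explain too little of the flood is the edge case that matters most for spoofed volumetric traffic.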


I will check it out, and it genuinely sounds interesting. Thanks.

> i think ddos mitigation is really a place where free software can cause a massively needed paradigm shift.

I'd argue resilient, reliable network gear in general is such a place. Reassuring to hear that Google is adopting Openflow and rolling their own ... maybe that'll trickle down. Cisco gear has led the way of being overpriced for fucking years.



