We have two ISPs and host our own websites and services. We need to provide failover and load balancing to services we offer. When an ISP goes down we need to have internet users redirected to the secondary site. We want our internet services load balanced to both ISPs.
We are looking at Cloudflare, DNS Made Easy, DYN and Neustar. Looking to see what others are out there and if any listed are better than the others and why. DDOS protection is a must as we have been hit by a DDOS attack in the past.
We currently host our own outside DNS but have found that we cannot provide failover with two ISPs at different data centers.
Neustar UltraDNS is an industry leader and pioneer when it comes to managed DNS services. With 20+ years of experience and non-opensource software that runs our DNS platforms, we are able to provide 100% uptime and availability backed by our industry leading SLAs.
As far as your questions are concerned, we offer both Load Balancing Services: www.security.neustar so working with both of your ISPs will not be a problem. We also offer monitoring and failover services: www.security.neustar At a very basic level, we include some of these services for free in all of our packages, unlike our competitors.
When it comes to DDoS protection, Neustar offers SiteProtect NG: www.security.neustar included in all DNS packages to protect against DNS based DDoS attacks. If you are looking to protect other online assets, including Web Applications, our DDoS protection services + WAF can take care of those needs as well. We do have one of the largest DDoS mitigation networks on the planet, and are expanding rapidly in the years to come.
Feel free to reach out with any questions or concerns and we'll be more than happy to assist you with your needs.
Neustar UltraDNS
Imperva Incapsula is the solution to have for DDoS at L7, L3 and L4. This effective solution also provides CDN, LB, ADR, DNS protection, SIEM integration and of course has an awesome WAF! Cloud based, OPEX only - no HW!! Easy to use - done and done!
I think it's not just a DDoS on the DNS issue but the resiliency you need to provide for your Internet services. So, to better answer your questions, you have to provide some sizing of the traffic per site, the kind of internet services and number of concurrent users, the source where most traffic is coming from (West coast, East coast). It's always a balance of efficiency and practicality.
Hi,
Actually we (Radware) are one of the market leaders in both of the requested solutions.
We offer ISP load balancing and Hybrid DDoS protection.
Radware's LinkProof (first in the industry) ensures optimal application service level.
We optimize application performance in real time in the normal WAN state for both inbound and outbound traffic. When a service is disrupted, we will divert traffic from highly utilized links and ensure service level for real-time or business-related applications (for instance VoIP, voice or just cloud applications like Office 365). In addition, we maintain high WAN (ISP) availability at all times and steer the traffic to the operational links when a failure occurs; compared to the BGP protocol, we will do it instantly with no impact on the applications.
Unlike most of the competition, Radware uses a total round-trip time mechanism to ensure the best user experience at all times; Radware owns a patent for this technology.
LinkProof is application aware and will use a smart prioritization mechanism to ensure bandwidth management and overall bandwidth for latency-sensitive apps.
Our APM will monitor all transactions end-to-end as experienced by the end user to show user-friendly graphs, statistics and dashboards.
Load balancing different data centers can be easily achieved with our GSLB license. Our global server load balancing (GSLB) allows Web hosters, portals and enterprises to distribute content and services geographically.
For the DDoS part, we can offer protection up to L7 and SSL encrypted attacks both on-prem and in the cloud, or a hybrid solution. Radware uses the same technology both on-prem and in the cloud, which means that when a signature is created it can be applied instantly in the cloud, saving the re-learning process.
In addition we use our patented "user behavior" mechanism and not only rate limiting.
Reach out for more options and fine tuning the solution.
Vadim
Radware
How may I help? I mean, do you need help in suggesting a working solution, design or some hands-on configuration of existing equipment to work around the threat?
For your load balancing requirement, www.cloudflare.com
For your DNS requirements, www.cloudflare.com
Hope the information provided would be useful for your consideration.
If you need more info, please feel free to email me.
Already many good suggestions listed. I'll add another DNS provider to look into: NS1 (ns1.com). They have options for private managed DNS, dedicated DNS, and a control layer for load balancing based on any number of policies you set.
All of the DNS providers listed can provide a layer of defense against DDoS, with the CDNs (Cloudflare, Incapsula, Akamai) also offering WAF. Given the nature of infrastructure attacks, many enterprises are looking to have redundant providers at the DNS level in addition to your use of separate ISPs for internet traffic. That may be an additional factor to consider in your RFP process.
Take a look at DOSarrest: www.dosarrest.com. They offer a low-cost, quick and effective proxy solution to mitigate DDoS attacks across their global POPs, as well as a BGP/GRE option if preferred, called Data Center Defender. They include load balancing and a WAF as standard features.
For DNS DDoS protection you may use Incapsula DNS Protection OR move your DNS services to a big DNS player with DDoS protection OR have a combination of both.
For your web services you may use a balancer to balance the load between your ISPs and also provide high availability (one ISP goes down). For this you should also use your DNS to amend the DNS entries.
In case you are using Incapsula you can have both your websites active at the same time (load balance) and have a WAF, CDN and DDoS protection.
We provide and work with Cloudflare. Based on the requirements, Cloudflare should be able to fulfill it.
How should I get in touch with the user to further address your requirements?
Sure we can help with DDoS protection.
Please suggest how we shall proceed.
We are using Cloudflare, which provides flexible and easy-to-use DNS management tools + CDN and DDoS attack protection (and a lot more).
Hello,
The solution will depend; for example, you wrote that you have two ISPs, assuming only one site.
You can load balance your services with your edge firewall.
You can load balance your services with a WAN load balancer (Radware, F5 or A10 Networks).
If you have two ISPs and two different sites you can load balance those with:
BGP at router level before your network
GSLB with A10 Networks
For the anti-DDoS you would have multiple choices:
1. Imperva WAF: Incapsula (in the cloud)
2. Arbor APS (on premise, protecting your datacenter and public services)
Let me know if this helps you,
The solution that you are looking for is to provide failover to DNS redirections.
NSFOCUS doesn't have the ability to make the DNS diversion between sites and provide load balancing.
Our solution is only for DDoS protection based on BGP advertising or inline mode, which could be on-premise (appliance in your network) or cloud.
Let me know if you need more information about it.
We utilize a few different companies that can provide Managed DDoS and DNS services. I need more info, but so far for your situation I would probably use one of these service providers: Level3 (now CenturyLink), Imperva or Akamai. Please reach out to me at mark@koiconsultants.com to discuss further and help decide which service is best. We can get you in direct contact with their teams immediately.
Hi,
Assuming that you have a primary and a secondary website with the same domain name, configuring it over Cloudflare will provide you an option of simply switching between these websites in no time in case of an ISP failure.
When an ISP goes down, you can just point the DNS of the domain to the IP address of the secondary website and all the internet traffic will get redirected to the secondary website right away.
For load balancing, I found some useful and relevant information in the link stated below:
www.cloudflare.com
Hope it will be helpful.
Kind Regards,
May I ask what is the reason you cannot use different ISPs at your data centers?
Also, to give you more precise advice, can you tell me what scale of DDOS attack you experienced before and roughly what amount of traffic we are talking about on average?
Managed DNS is probably the easiest approach to design the solution you require, but depending on circumstances it may not be the best one.
I'm familiar with Cloudflare and their solution offers fair protection against DDOS.
From my experience, I was involved in multiple similar projects utilizing a hybrid approach with WAN load balancers and cloud services, depending on the scale of the project and the number of data centers involved. However, despite the fact that providing different ISP links to different geographical locations was always tricky, I never came across a situation where it was not possible.
In an ideal world with an unlimited budget, you would prefer a proper scrubbing solution to mitigate DDOS and ideally dual ISPs at each center, with a DR site completely separated or a hybrid solution replicating key data between centers.
Let me know if you can share more details and I will be happy to get my head around it.
First of all, there are two ways to provide cloud DDoS protection: the first one is DNS redirection and the second one is BGP prepend change. With the first solution, it takes time while DNS announces the change. The second one is faster. But actually your request needs more than this; I can suggest that you focus on the BIG-IP DNS solution. (When an ISP goes down we need to have internet users redirected to the secondary site. We want our internet services load balanced to both ISPs.)
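An added example, not part of any reply in this thread: a small model of the health-checked DNS failover described in the Cloudflare reply and the DNS-redirection reply above, showing which A records are published as probes fail and why the switch is not instant. The documentation-range IPs, TTL, probe interval and thresholds are all assumed values, and no provider API is used.

```python
from dataclasses import dataclass

# Constructed values: documentation-range IPs stand in for the two ISP-facing sites.
ENDPOINTS = {"isp_a": "192.0.2.10", "isp_b": "198.51.100.10"}
TTL_SECONDS = 60      # TTL on the published A records (assumed)
PROBE_INTERVAL = 10   # seconds between health probes (assumed)
FAIL_THRESHOLD = 3    # consecutive failed probes before a link is withdrawn
RISE_THRESHOLD = 2    # consecutive good probes before it is restored

@dataclass
class LinkState:
    healthy: bool = True
    streak: int = 0   # consecutive probes that contradict the current state

    def observe(self, probe_ok: bool) -> None:
        if probe_ok == self.healthy:
            self.streak = 0   # state confirmed, reset the damping counter
            return
        self.streak += 1
        limit = RISE_THRESHOLD if probe_ok else FAIL_THRESHOLD
        if self.streak >= limit:
            self.healthy, self.streak = probe_ok, 0

def published_records(states):
    """A records to serve: every healthy link (load balanced), or all if none is healthy."""
    up = [ENDPOINTS[name] for name, s in sorted(states.items()) if s.healthy]
    return up or sorted(ENDPOINTS.values())   # fail open rather than answer with nothing

def worst_case_failover_seconds():
    """Detection time plus the time a resolver may keep serving the cached answer.
    Resolvers that ignore the TTL and provider propagation delay are not modelled."""
    return FAIL_THRESHOLD * PROBE_INTERVAL + TTL_SECONDS

def replay(probe_log):
    """Feed (link, ok) probe results in order; return the record set after each probe."""
    states = {name: LinkState() for name in ENDPOINTS}
    history = []
    for link, ok in probe_log:
        states[link].observe(ok)
        history.append(published_records(states))
    return history

# Constructed probe log: ISP A fails four probes in a row, then recovers.
SAMPLE_LOG = [("isp_a", True), ("isp_a", False), ("isp_a", False), ("isp_a", False),
              ("isp_a", False), ("isp_a", True), ("isp_a", True)]

if __name__ == "__main__":
    for step, records in enumerate(replay(SAMPLE_LOG)):
        print(step, records)
    print("worst-case failover:", worst_case_failover_seconds(), "s")
```

The thresholds keep a single dropped probe from flapping the record set, at the cost of a longer detection window before traffic leaves the failed ISP.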
Akamai FAST DNS is an excellent solution.
I would also have a look at Distil Networks, www.distilnetworks.com
I would recommend having a glance at the Radware solution. Please visit www.radware.com.
I can introduce you to the EMEA account manager, or ask for the AMs of other regions as well.
Of course, we would enjoy providing information to inquiring parties. The question I have is that you asked about DDoS protection, but the request is about DNS Services.
If you can clarify, that would help me with a proper response.
Hi, are you based in Europe? If so, we can provide a solution for you. You will get a product + one of our engineers who will help you solve all your problems. Please contact me at wm@greywizard.com or through Facebook -> www.facebook.com