Jeroen,
Anycast is an option, but as you said expensive, and worse than that, complex to maintain. On top of that, it requires skilled boys and their salaries will go up quite quickly, or you leave some company to do it for you at a price you probably do not want to afford, when you are a normal person and know the price of a baguette.
But again, if you look at how DDoS attacks are, you can protect many services in various ways. Maybe some tips if you are a small SME with a restricted budget but some geeks in your company.
I have noticed that medium attacks against small ISPs often target DNS servers. One option is to get your zone hosted at some anycast-driven DNS service for a fair price. When the attack occurs, you let them mitigate it for you. The second thing is to have the MX record at another host than the real location. With the Exim MTA, you can easily hide the real source IP with some tuning in exim.conf (both directions). You can do the same with web servers, using reverse proxies such as Squid, lighttpd or pound, or get a CDN company to do it for you (Edgecast is quite affordable, <300$/month entry price). Finally, hide the company gateway IP: you can again have a proxy at some datacenter and tunnel all web traffic through a VPN/SSH tunnel.
Good advice still applies. Have knowledge. Know your network. Know your system. Know your applications. Tune them. Run clean code. Update, patch, upgrade. Filter out everything you don't need. Hide as much information as possible.
My 0.2c.
Alex
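The tips above all come down to one check: none of the public-facing DNS records or outgoing mail headers may reveal the addresses of the real origin network behind the proxies. The following is an added example, not code from either poster; the prefixes, DNS answers and Received: headers are constructed sample data, and the check would normally be fed from a real resolver and a message received at an outside mailbox.

```python
import ipaddress
import re

# Constructed: the origin prefixes that must stay hidden behind the
# anycast DNS host, the external MX, the reverse proxy and the VPN gateway.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# Constructed public DNS answers as (owner name, record type, rdata).
DNS_RECORDS = [
    ("example.org.", "A", "198.51.100.10"),          # reverse proxy in a datacenter
    ("example.org.", "MX", "mx.mailhost.example."),  # MX hosted elsewhere
    ("mx.mailhost.example.", "A", "198.51.100.25"),
    ("www.example.org.", "A", "192.0.2.7"),          # leaks an origin address
    ("www.example.org.", "AAAA", "2001:db8::7"),     # leaks an origin address
]

# Constructed Received: headers as an outside recipient would see them.
RECEIVED_HEADERS = [
    "Received: from mx.mailhost.example ([198.51.100.25]) by mail.recipient.example",
    "Received: from office.example.org ([192.0.2.3]) by mx.mailhost.example",
]

# Addresses in Received: headers appear in square brackets.
BRACKETED_ADDR = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def is_protected(addr: str, nets) -> bool:
    """True if addr is an IP address inside one of the protected prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames and other non-address rdata are not addresses
    return any(ip in net for net in nets)


def dns_leaks(records, nets):
    """Return A/AAAA records whose rdata points into the protected prefixes."""
    return [(name, rtype, rdata) for name, rtype, rdata in records
            if rtype in ("A", "AAAA") and is_protected(rdata, nets)]


def header_leaks(headers, nets):
    """Return (header, address) pairs where a Received: line exposes the origin."""
    return [(line, addr) for line in headers
            for addr in BRACKETED_ADDR.findall(line) if is_protected(addr, nets)]


if __name__ == "__main__":
    for leak in dns_leaks(DNS_RECORDS, PROTECTED_NETS):
        print("DNS leak:", leak)
    for leak in header_leaks(RECEIVED_HEADERS, PROTECTED_NETS):
        print("Header leak:", leak)
```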
On Fri, 18 Sep 2009 13:14:23 +0200, Jeroen Massar jeroen@unfix.org wrote:
There is a semi-partial solution which will cost you some cash, like every other 'solution': anycast your network.
(Thus you are doing your own ISP and in grand grand scale...)
That way, like what the happysex site did but only for Switzerland, you 'localize' the problem. If a DDoS network then attacks your site, they only attack one of the various versions; you close upstream and therefore take out the largest part of the DDoS botnet being able to attack you. The other versions are then not affected and you limit what gets hit.
This of course requires you to have a huge amount of nodes around the world, generally nodes close to your users, and of course a redundant way to distribute your data, synchronise it etc etc etc, which can be fun challenges. And it of course all breaks down when the ISP you are hosting at gets pressured into taking your site offline...
Thus it works for the big boys, but not for the small ones (anybody doing a PhD thesis on how monopoly on the Internet works and the relation of the big ISPs with criminals to force smaller ISPs to die off... ? :)
Greets, Jeroen