Hi Bernd
Thanks for your thoughts. Since the rack space is already limited, the 7201 or the 3825 will be a good solution for us, since they only take 1 or 2 RU.
I hope that we won't have to face DDoS attacks (we weren't attacked within the last 5 years), so hopefully that isn't the point for us at the moment. So we can start with one of these two boxes. And if we grow and perhaps have multiple racks, we can then invest in a DDoS-proof solution.
Kind Regards
Patrick
******************************************************************************
X-NetConsulting GmbH      Internet http://www.x-netconsulting.ch
Grosspeterstrasse 21      E-Mail p.studer@x-netconsulting.ch
CH-4052 Basel             Telefon +41 61 315 85 55
Schweiz                   Fax +41 61 315 85 59
******************************************************************************
-----Original Message----- From: Bernd SPIESS [mailto:bernd.spiess@ascus.at] Sent: Thursday, 17 September 2009 20:15 To: 'Patrick Studer' Subject: RE: [swinog] Full BGP Routing Router Requirements
yes - it's a good box - but think that a new one will cost about 8000 euro; for this money you get a lot of used boxes that do routing in hardware
the 7201 and 3825 platforms are cpu driven - both will not survive a ddos - if you have luck the 7201 will - but if you have too many services this box is also dead
compare the mbps of the 7201 g2 with the sup32 or sup720
bernd
-----Original Message----- From: Patrick Studer [mailto:p.studer@x-netconsulting.ch] Sent: Thursday, September 17, 2009 6:15 PM To: Bernd SPIESS Cc: 'swinog@lists.swinog.ch' Subject: AW: [swinog] Full BGP Routing Router Requirements
Thanks Bernd.
As you perhaps have seen, we are now thinking about a 3825 or 7201. We think both will do the job, but the 7201 will have more power.
Kind Regards
Patrick
-----Original Message----- From: Bernd SPIESS [mailto:bernd.spiess@ascus.at] Sent: Thursday, 17 September 2009 14:02 To: 'Patrick Studer' Subject: RE: [swinog] Full BGP Routing Router Requirements
ipv6 is running fine also on the 28 platform
asn32 - no practical info from our side - we ignored this until now :-) maybe you start here: http://www.swissix.ch/asn32/doku.php
-----Original Message----- From: Patrick Studer [mailto:p.studer@x-netconsulting.ch] Sent: Thursday, September 17, 2009 1:39 PM To: Bernd SPIESS; 'Pascal Gloor' Cc: 'swinog@lists.swinog.ch' Subject: AW: [swinog] Full BGP Routing Router Requirements
Thanks for the link to the router performance sheet. Do you perhaps also see some impact of the new AS numbers or IPv6 on any of the smaller solutions (28xx, 38xx)?
Regards
Patrick
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Bernd SPIESS Sent: Thursday, 17 September 2009 11:43 To: 'Patrick Studer'; 'Pascal Gloor' Cc: 'swinog@lists.swinog.ch' Subject: Re: [swinog] Full BGP Routing Router Requirements
see here: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerp...
3725 = 179 Mbit
3745 = 256 Mbit
(best case, calculated with 64 byte packet size)
you have to basically decide if you want a cpu driven box (28*, 38*, NPE-G1/G2) or a hardware driven box (sup32, sup720, c-120**) - in the first case you have to look primarily at the cpu performance - in the second case you have to look primarily at the hardware prefix buffer (256,000 prefixes versus 1 million)
regards, bernd
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Patrick Studer Sent: Thursday, September 17, 2009 11:17 AM To: 'Pascal Gloor' Cc: 'swinog@lists.swinog.ch' Subject: Re: [swinog] Full BGP Routing Router Requirements
Hi Pascal
That's an answer I was looking for.
Some more questions. Why do you suggest the SP Services IOS? What about the 3825/45 series? Would that be the "golden middle way"? Will this box give us a little more capacity, so there is a little bit of headroom for the router, or is the only way to go for a 2851 or a 7xxx system?
Kind Regards
Patrick
-----Original Message----- From: Pascal Gloor [mailto:pascal.gloor@spale.com] Sent: Thursday, 17 September 2009 10:41 To: studer.patrick@gmx.ch Cc: 'swinog@lists.swinog.ch' Subject: Re: [swinog] Full BGP Routing Router Requirements
Hi Patrick,
The first step will be to have a 10 Mbit/s fixed or 100 Mbit/s burstable service with an additional link to SwissIX, where we want to do some private peerings.
In a second step, we will add a second or a third upstream with about the same speeds as the first connection. All connections should be done via normal Ethernet.
As a minimal BGP setup I usually suggest having one 2851 per upstream. It needs some upgrades: 1Gb DRAM and the SP SERVICES IOS. This router has two GigabitEthernet interfaces, so you can use one for WAN and one for LAN. You can also add a 4-port 10/100 switch module if you need multiple LAN connections (limited to 100 Mbps).
If you have multiple upstream providers and therefore multiple routers, I suggest having a separate LAN (maybe a VLAN) with all the routers in it for the iBGP full mesh.
This is, indeed, a minimal setup; it won't protect you from attacks of any kind and the router capacity is limited. However, you should be able to route at least 100-200 Mbps.
If you really need protection, you will need a 7200-NPE-G1/2 (which will be able to hold 700-1000 Mbps of traffic), but still, its capacity to hold directed attacks is limited. For best protection I suggest a 7600-RSP720-3CXL, which is a full hardware platform; protection of the router can be done in hardware (CPP, control-plane policy).
But this might be just a little bit too expensive...
Cheers, Pascal
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
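Pascal's remark that a hardware platform can protect the router itself refers to control-plane policing (CoPP): a QoS policy attached to the control plane that decides which punted packets reach the route processor and at what rate. The fragment below is an added example in Cisco IOS syntax, not configuration from any of the posters or from a Cisco document; the neighbour addresses are RFC 5737 TEST-NET placeholders and the police rates are assumptions to be replaced with values measured on the actual box. The intent it demonstrates: BGP from configured neighbours is always transmitted, BGP from any other source is dropped before the BGP process sees it, and everything else destined to the router is rate-limited.

```cisco
! --- placeholders: replace with the real eBGP/iBGP neighbour addresses ---
ip access-list extended COPP-BGP-PEERS
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
!
! Any BGP session attempt that did not match a configured neighbour above
ip access-list extended COPP-BGP-UNKNOWN
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all COPP-BGP-PEERS
 match access-group name COPP-BGP-PEERS
class-map match-all COPP-BGP-UNKNOWN
 match access-group name COPP-BGP-UNKNOWN
!
policy-map COPP
 ! configured neighbours: never drop, the rate only accounts the traffic
 class COPP-BGP-PEERS
  police 1000000 conform-action transmit exceed-action transmit
 ! unknown sources talking BGP: drop regardless of rate
 class COPP-BGP-UNKNOWN
  police 8000 conform-action drop exceed-action drop
 ! everything else punted to the CPU (ICMP, management, ARP replies ...)
 ! is capped so a flood cannot starve the BGP process (assumed rate)
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The difference Pascal is pointing at: on the 2800/3800/7200 the same CPU that forwards packets also evaluates this policy, so CoPP protects the BGP process from being starved but cannot stop the box from spending cycles on classifying a flood; on the 7600/RSP720 the policing happens in the forwarding hardware, so the route processor never sees the dropped packets. Check the counters with `show policy-map control-plane` before tightening the class-default rate, since a too-low value will silently break ARP, ICMP and management access.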
Hi,
Bernd, you are right, the 7201 and 3825 are CPU-driven boxes, just like any network gear by Cisco. It is a bit the Cisco conception of network devices, isn't it?
However, with < 300 Mbit/s you can't do much against a big, serious DDoS attack; either way the pipes are filled and must be filtered. Actually, even large ISPs can't fight much against really big attacks. Even the big blue national company has already suffered large DDoS attacks. Yes, with large pipes you can fight a bit, but you can't literally stop them when they are botnet-driven.
However, IMHO DDoS attacks are just like spam, nobody can really pretend being able to stop them as of today.
<off topic> http://www.youtube.com/watch?v=Rm-jbZS2LQU </off topic>
Just humour, no hidden message.
Cheers.
Alex
On Fri, 18 Sep 2009 10:07:00 +0200, Patrick Studer p.studer@x-netconsulting.ch wrote:
[..]
Alexandre Egger wrote: [..]
However, IMHO DDoS attacks are just like spam, nobody can really pretend being able to stop them as of today.
There is a semi-partial solution which will cost you some cash, like every other 'solution': anycast your network.
(Thus you are doing your own ISP and on a grand, grand scale...)
That way, like what the happysex site does but only for Switzerland, you 'localize' the problem. If a DDoS network then attacks your site, they only attack one of the various versions; you close the upstream and therefore take out the largest part of the DDoS botnet being able to attack you. The other versions are then not affected and you limit what gets hit.
This of course requires you to have a huge amount of nodes around the world, generally nodes close to your users, and of course a redundant way to distribute your data, synchronise it etc etc etc, which can be fun challenges. And it of course all breaks down when the ISP you are hosting at gets pressured into taking your site offline...
Thus it works for the big boys, but not for the small ones (anybody doing a PhD thesis on how monopoly on the Internet works and the relation of the big ISPs with criminals to force smaller ISPs to die off... ? :)
Greets, Jeroen
Jeroen,
Anycast is an option, but as you said expensive, and worse than that, complex to maintain. On top of that, it requires skilled boys and their salaries will go up quite quickly, or you leave it to some company to do it for you at a price you probably do not want to afford when you are a normal person and know the price of a baguette.
But again, if you look at how DDoS attacks are, you can protect many services in various ways. Maybe some tips if you are a small SME with a restricted budget but some geeks in your company.
I have noticed that medium attacks against small ISPs often target DNS servers. One option is to get your zone hosted at some anycast-driven DNS service for a fair price. When the attack occurs, you let them mitigate it for you. The second thing is to have the MX record at another host than the real location. With the Exim MTA, you can easily hide the real source IP with some tuning in exim.conf (both directions). You can do the same with web servers, using reverse proxies such as Squid, lighttpd, pound, or get a CDN company to do it for you (Edgecast is quite affordable, <300$/month entry price). Finally, hide the company gateway IP: you can again have a proxy at some datacenter and tunnel all web traffic through a VPN/SSH tunnel.
Good advice still applies. Have knowledge. Know your network. Know your system. Know your applications. Tune them. Run clean code. Update, patch, upgrade. Filter all that you don't need. Hide as much information as possible.
My 0.2c.
Alex
On Fri, 18 Sep 2009 13:14:23 +0200, Jeroen Massar jeroen@unfix.org wrote:
[..]
Alexandre Egger wrote:
Jeroen,
Anycast is an option, but as you said expensive, and worse than that, complex to maintain. On top of that, it requires skilled boys and their salaries will go up quite quickly, or you leave it to some company to do it for you at a price you probably do not want to afford when you are a normal person and know the price of a baguette.
I did mention "which will cost you some cash" and "semi-partial solution" for a reason ;)
But again, if you look at how DDoS attacks are, you can protect many services in various ways. Maybe some tips if you are a small SME with a restricted budget but some geeks in your company.
The cheapest solution: don't attract the bad people.
If you don't piss somebody or make them jealous they won't have a need to attack you either.
I have noticed that medium attacks against small ISPs often target DNS servers. One option is to get your zone hosted at some anycast-driven DNS service for a fair price. When the attack occurs, you let them mitigate it for you.
Which might mean they cut your service as clearly you will be affecting also the availability of their other clients...
That, but there is an easier and much more effective DDoS: hit the page that is 'heavy to produce'. The mere simple factor problem: they send you something small, you need to do a lot of work and/or give a big result. If that can be triggered then the site goes down, because 10.000 hosts asking for the heavy page will bring it to its knees. As such, for those heavy ones, have separate infrastructure available.
The second thing is to have the MX record at another host than the real location.
Won't help you much if you don't actually provide a way to read that mail from the second MX, mail will nicely get queued yes, but you won't be able to read it... (sync between the two MX's and running IMAP on both solves that, maildir filenames are unique, you just need to glue in the sync also in the imap daemon so that the sync doesn't restore files ;)
With the Exim MTA, you can easily hide the real source IP with some tuning in exim.conf (both directions).
You can indeed strip the 'local' headers so that internal infrastructure is hidden. But then those external relays will still be hit. Better have large amount of them. Also, this basically comes down to doing the distribution of your servers /
You can do the same with web servers, using reverse proxies such as Squid, lighttpd, pound, or get a CDN company to do it for you (Edgecast is quite affordable, <300$/month entry price). Finally, hide the company gateway IP: you can again have a proxy at some datacenter and tunnel all web traffic through a VPN/SSH tunnel.
That is indeed an excellent solution, but you are then just doing that: "anycast", though using probably updateable-DNS/BGP combinations ;)
Cheap solution: get some el-cheapo 'root' servers, install bind or your preferred DNS server, install pound (for the record I love it ;) or varnish if you want caching, then hide your master server in a dark corner of the Internet.
Now, when somebody attacks one out of your 20 cheap ones, just remove it from DNS. They would then have to DDoS all 20 of them, possibly at various ISPs, to get them all down. Users will only notice a minor annoyance during the time DNS changes. Of course DNS becomes your vulnerability; thus, just register all your hosts as NS glue. The target then becomes the TLD servers (which might not be nice).
For that matter, just look at what Virus/Scammer/Malware etc people do to keep their 'business' up and running. (no, I don't suggest you go around infecting hosts and running your business of that ;)
Good advice still applies. Have knowledge. Know your network. Know your system. Know your applications. Tune them. Run clean code. Update, patch, upgrade. Filter all that you don't need. Hide as much information as possible.
Fully agreed.
Greets, Jeroen
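Jeroen's "20 cheap boxes" scheme above rests on two DNS moves: the service name points only at front-ends that are not under attack, while every front-end stays registered as an authoritative NS (with glue) so the zone itself has no single box to knock out. The script below is an added example that generates such a zone; it is not code from any poster. Host names and addresses are constructed from the RFC 5737 TEST-NET ranges, the `FrontEnd`, `service_addresses`, `build_zone` and `withdraw` names are this example's own, and registering the glue at the registrar (the parent zone) is assumed to have been done separately, since a child zone cannot do that for itself.

```python
"""Regenerate a BIND-style zone so that a front-end under attack is
withdrawn from the service name while every front-end stays an NS.
Added example; inventory below is constructed, not from the thread."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FrontEnd:
    name: str                 # host label inside the zone, e.g. "fe1"
    ipv4: str                 # public address of the cheap front-end box
    under_attack: bool = False


def service_addresses(frontends: List[FrontEnd], minimum: int = 1) -> List[FrontEnd]:
    """Front-ends to publish under the service name: all that are not under
    attack. If withdrawing would leave fewer than `minimum`, publish everything
    instead: an empty RRset is a self-inflicted outage, worse than the attack."""
    healthy = [fe for fe in frontends if not fe.under_attack]
    if len(healthy) < minimum:
        return list(frontends)
    return healthy


def withdraw(frontends: List[FrontEnd], name: str) -> List[FrontEnd]:
    """Return a new inventory with `name` flagged as under attack."""
    return [FrontEnd(fe.name, fe.ipv4, fe.under_attack or fe.name == name)
            for fe in frontends]


def build_zone(origin: str, frontends: List[FrontEnd], serial: int,
               service: str = "www", ttl: int = 60) -> str:
    """Render the zone text. `serial` must increase on every regeneration or
    secondaries will not pick the change up; `ttl` is kept short on purpose so
    a withdrawal propagates within about a minute."""
    origin = origin.rstrip(".") + "."
    lines = [
        f"$ORIGIN {origin}",
        f"$TTL {ttl}",
        f"@ IN SOA {frontends[0].name}.{origin} hostmaster.{origin} "
        f"( {serial} 3600 900 1209600 {ttl} )",
    ]
    # Every front-end is an NS, attacked or not: the zone must stay resolvable
    # from the boxes that are still up, and the attacked box keeps its glue so
    # the delegation in the parent does not go stale.
    for fe in frontends:
        lines.append(f"@ IN NS {fe.name}.{origin}")
    for fe in frontends:
        lines.append(f"{fe.name} IN A {fe.ipv4}")
    # The service name only carries the front-ends currently worth sending users to.
    for fe in service_addresses(frontends):
        lines.append(f"{service} IN A {fe.ipv4}")
    return "\n".join(lines) + "\n"


# Constructed inventory (RFC 5737 addresses), three boxes at three hosters.
FRONTENDS = [
    FrontEnd("fe1", "192.0.2.10"),
    FrontEnd("fe2", "198.51.100.10"),
    FrontEnd("fe3", "203.0.113.10"),
]

if __name__ == "__main__":
    # fe2 is being hit: it disappears from www but stays NS + glue.
    print(build_zone("example.net", withdraw(FRONTENDS, "fe2"), serial=2009091801))
```

Run it and feed the output to `named-checkzone example.net /dev/stdin` to confirm BIND accepts the result; in production the serial would come from a counter or a timestamp and the "under attack" flag from whatever monitoring notices the box is saturated. The `minimum` guard is the piece worth keeping even if nothing else is reused: an automated withdrawal that can empty the RRset turns a partial attack into a total outage.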
I wasn't giving any advice to you, obviously you don't need it ;) Otherwise, I know we are a bit off-topic, sorry, but it's an interesting topic, isn't it?
If you don't piss somebody or make them jealous they won't have a need to attack you either.
Yes. However, sometimes you don't have the choice. E.g. call centres make people angry.
Which might mean they cut your service as clearly you will be affecting also the availability of their other clients...
Depends which. Some are fair and able to deal with it, more or less. However, then you can probably sue them.
That, but there is an easier and much more effective DDoS: hit the page that is 'heavy to produce'. The mere simple factor problem: they send you something small, you need to do a lot of work and/or give a big result. If that can be triggered then the site goes down, because 10.000 hosts asking for the heavy page will bring it to its knees. As such, for those heavy ones, have separate infrastructure available.
Oh yes. The slashdot (digg) effect has killed many hosts. However, a good idea is always to host static content on a server for static content (with a light, low-memory-footprint and secure web server on medium boxes) and host the dynamic content on a high-end one. We end at the last tip I wrote: if you know your code, you can probably avoid lots of queries and heavy page-generation calculations with caching (of any kind: proxy, cache, APC, etc).
Won't help you much if you don't actually provide a way to read that mail from the second MX, mail will nicely get queued yes, but you won't be able to read it... (sync between the two MX's and running IMAP on both solves that, maildir filenames are unique, you just need to glue in the sync also in the imap daemon so that the sync doesn't restore files ;)
Loads of hosters pretend to have network gear that will stop all attacks (Rackspace, Softlayer, Gigenet, Staminus), to name a few. Some are bulletproof, others just lampoon themselves a few days after announcing having, mhh, *so-great* protected networks. No trolling..., come on, I promise ;)
You can indeed strip the 'local' headers so that internal infrastructure is hidden. But then those external relays will still be hit. Better have large amount of them. Also, this basically comes down to doing the distribution of your servers /
If you have a DSL line, leave the public-facing servers to the hosters mentioned ^ they will handle it. They probably have more chance of surviving than your poor tiny ZyXEL CPE.
Cheap solution: get some el-cheapo 'root' servers, install bind or your preferred DNS server, install pound (for the record I love it ;) or varnish if you want caching, then hide your master server in a dark corner of the Internet.
That's the concept I was developing before. Have public-facing servers somewhere and hide yourself somewhere else when your capacity is small (ok, needless to say, it doesn't make sense to host a web server if you run a DSL line indeed ;)
Now, when somebody attacks one out of your 20 cheap ones, just remove it from DNS. They would then have to DDoS all 20 of them, possibly at various ISPs, to get them all down. Users will only notice a minor annoyance during the time DNS changes. Of course DNS becomes your vulnerability; thus, just register all your hosts as NS glue. The target then becomes the TLD servers (which might not be nice).
An SME can't really afford 20 servers. But at least they can move the weakness a step ahead: they don't have to deal with the packets, hosters will, if they pretend it's their job and use it as a selling point ;)
Alexandre Egger wrote:
I wasn't giving any advice to you, obviously you don't need it ;) Otherwise, I know we are a bit off-topic, sorry, but it's an interesting topic, isn't it?
Especially with the view that there are possibilities that ISPs get threatened and take hosted sites offline, discussing these solutions here is IMHO very on topic.
By discussing this here, hosted sites will diversify over ISPs, which will just lead to them becoming less of a target, as targeting them doesn't have the direct wanted effect anymore.
If you don't piss somebody or make them jealous they won't have a need to attack you either.
Yes. However, sometimes you don't have the choice. E.g. call centres make people angry.
<whistle>Don't out-source these then ;)</whistle>
Which might mean they cut your service as clearly you will be affecting also the availability of their other clients...
Depends which. Some are fair and able to deal with it, more or less. However, then you can probably sue them.
The fine-print probably takes care of it on their side.
[..]
An SME can't really afford 20 servers. But at least they can move the weakness a step ahead: they don't have to deal with the packets, hosters will, if they pretend it's their job and use it as a selling point ;)
Take 4 or 5 boxes spread out over various ISPs; that would solve the problem already quite a bit. Especially when two of those are in the US.
Greets, Jeroen