funsec mailing list archives
Re: so, is I[dp]S a STUPID technology?
From: Roland Dobbins <rdobbins () cisco com>
Date: Tue, 11 Oct 2005 18:40:53 -0700
I've an operational mindset; I care about things which are operationally feasible to deploy, maintain, which scale for large networks, and which are useful in an opsec context.
Boxes which maintain lots of state are not generally useful as DDoS protection mechanisms, as they're not optimized for it. I've seen in-line IDS, firewalls, load-balancers, and so forth taken down by DoS traffic which wouldn't cause problems on a router or a switch, or a scrubber. They simply aren't designed to handle it.
There are boxes which are designed specifically to handle DDoS. I'm not a big fan of always-inline boxes, period; they complicate the troubleshooting matrix, they force symmetry into the topology where they're deployed, and they're performance bottlenecks. Far preferable to use RTBH and/or to use sinkhole techniques to divert traffic of interest into the scrubber when needed, and then cease diversion when the incident has been handled.
On Oct 11, 2005, at 5:05 PM, Kyle Quest wrote:
> > To be clear, I don't do 'Cisco talk' - several vendors make scrubbing boxes, just as several vendors (including Cisco) make firewalls and IDS.
>
> It sure does sound like it though... It's ok though. It's hard to avoid it once you're in the cisco mindset.
>
> > Small businesses can't rely upon in-line firewalls or IDS to defend themselves against DDoS, either, in my experience. Those are primarily policy-enforcement devices, and irrespective of their other possible merits, they generally aren't optimized for dealing with DDoS (marketing claims aside).
>
> Maybe we're a little bit off on the definitions. Given that you haven't defined what in-line firewalls (are there such things as off-line firewalls I wonder :-] ) and in-line IDS are, it's hard for me to be completely subjective. Either way, I wasn't talking about those (if you're talking about what I'm thinking)... I was talking about specialized IPS systems designed to handle (D)DoS flood attacks. And if you meant those as well when you said "in-line firewalls or IDS", then I would have to disagree with you and suggest that you expand your "experience". There are indeed environments and deployments when a single (or an array of) in-line (D)DoS IPS systems work great at mitigating (D)DoS attacks and that's no marketing claims... Obviously, there are cases when they don't work well. I'm not claiming otherwise.
-------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
-- Doug Gwyn

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.