nanog mailing list archives
Re: I don't need no stinking firewall!
From: Valdis.Kletnieks () vt edu
Date: Fri, 08 Jan 2010 10:50:22 -0500
On Fri, 08 Jan 2010 08:22:00 EST, bill from home said:
> My question is at what size connection does a state table become vulnerable, are we talking 1mb dsl's with a soho firewall?

Security - you're doing it wrong. ;)

The question you *should* be asking yourself is "at what size connection am I enough of a network presence that I might attract attention from somebody who might want to attack me?" And that depends more on the *type* of presence than the size of the pipe. If you're a small electrical-components design firm that nobody's heard of, the size of your state table is probably moot. One of your users just drew the attention of some random 4chan /b/tard, the size of the state table is again probably moot. ;)

But to answer your question - it's so absurdly easy for a competent(*) attacker to saturate any edge connection smaller than a gigabit or so, that 'state table exhaustion' is only *really* an issue if you have a 10G or bigger pipe.

(*) There is of course the case of an incompetent attacker who only has a botnet of a few hundred machines, attacking a small pipe. At that point, it's probably a crap shoot - if your firewall falls over, you've been DDoS'ed. But if it doesn't fall over, you'll probably *still* be DDoS'ed because the machines you're protecting fall over...