nanog mailing list archives
RE: D/DoS mitigation hardware/software needed.
From: "Stefan Fouant" <sfouant () shortestpathfirst net>
Date: Sat, 9 Jan 2010 09:57:27 -0500
-----Original Message-----
From: Łukasz Bromirski [mailto:lukasz () bromirski net]
Sent: Saturday, January 09, 2010 6:11 AM

You mean Juniper SRX? The biggest box is a 5800, and it can handle up to 350k new sessions each second, up to maximum of 10 million (let's skip the fact that it's not that simple as it would look from the data sheet and there are major obstacles from reaching the numbers).
With all due respect, I've been playing with the high end SRXs lately and I have to say I've been incredibly impressed with the performance... I recently did some performance testing on the SRX 5600s and I was able to consistently observe it instantiating upwards of 150k new TCP sessions per second. Does the SRX have some bugs... sure... that is to be expected with a box which by all means is still relatively bleeding edge. I'm fairly confident given a little time to stabilize the code, they will be able to fix some of the obstacles you are describing above...

Having said that, I always laugh when I'm working with customers who have been DoSed and their response is "Well, our firewall/load balancer has DDoS mitigation capabilities...". Almost every firewall or load balancer device I've worked with (Netscreen, SRX, Brocade, Fortinet) that had any sort of DoS mitigation features was extremely limited in its capability. Most only do session-based limiting towards a given destination IP, with the ultimate result being that they simply rate-limit the traffic towards that destination. This in itself ends up completing the attacker's goal of denying service (even if just a subset) towards a given IP. And these types of features do nothing to assist with low-level attack traffic which requires surgical mitigation, not to mention a host of other attack vectors.

Firewalls do have their place in DDoS mitigation scenarios, but if used as the "ultimate" solution you're asking for trouble.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
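The point about per-destination session limiting, illustrated with an added simulation that is not part of the original post: a first-come-first-served cap on new sessions toward one target drops legitimate clients in proportion to the attack volume, while a per-source cap (assumed here as the contrasting policy) leaves them untouched. All addresses, client counts and rates are constructed for the simulation.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    legit: bool


def make_traffic(legit_clients=200, attack_sources=50, attack_per_source=40, seed=7):
    """Constructed one-second window of new sessions toward a single target.
    Each legitimate client opens one session; each attack source opens many."""
    dst = "203.0.113.10"  # constructed address from the documentation range
    sessions = [Session(f"198.51.100.{i}", dst, True) for i in range(1, legit_clients + 1)]
    for j in range(1, attack_sources + 1):
        sessions += [Session(f"192.0.2.{j}", dst, False)] * attack_per_source
    random.Random(seed).shuffle(sessions)  # interleave arrival order deterministically
    return sessions


def per_destination_limit(sessions, max_per_dst):
    """Admit at most max_per_dst new sessions toward each destination (firewall-style cap)."""
    seen, admitted = Counter(), []
    for s in sessions:
        if seen[s.dst] < max_per_dst:
            seen[s.dst] += 1
            admitted.append(s)
    return admitted


def per_source_limit(sessions, max_per_src):
    """Admit at most max_per_src new sessions from each source address."""
    seen, admitted = Counter(), []
    for s in sessions:
        if seen[s.src] < max_per_src:
            seen[s.src] += 1
            admitted.append(s)
    return admitted


def service_ratio(all_sessions, admitted):
    """Fraction of legitimate and of attack sessions that were admitted."""
    def frac(legit):
        total = sum(1 for s in all_sessions if s.legit == legit)
        return sum(1 for s in admitted if s.legit == legit) / total
    return {"legit": frac(True), "attack": frac(False)}


if __name__ == "__main__":
    traffic = make_traffic()
    print("per-destination cap:", service_ratio(traffic, per_destination_limit(traffic, 500)))
    print("per-source cap:     ", service_ratio(traffic, per_source_limit(traffic, 5)))
```

With the constructed mix (200 clients, 2,000 attack sessions) the destination cap admits only about a fifth of legitimate clients, which is the denial of service the post describes. A per-source cap only helps while sources are not spoofed, which is why the post calls for more surgical mitigation.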