Re: D/DoS mitigation hardware/software needed.

[Roger Marquis <marquis () roble com>]

Dobbins, Roland wrote:
> > Firewalls are not designed to mitigate large scale DDoS, unlike
> > Arbors, but they do a damn good job of mitigating small scale
> > attacks of all kinds including DDoS.
>
> Not been my experience at all - quite the opposite.

Ok, I'll bite.  What firewalls are you referring to?

> > Their CAM tables, realtime ASICs and low latencies are very
> > much unlike the CPU-driven, interrupt-bound hardware and
> > kernel-locking, multi-tasking software on a typical web server.
> > IME it is a rare firewall that doesn't fail long, long after
> > (that's after, not before) the hosts behind them would have
> > otherwise gone belly-up.
>
> Completely incorrect on all counts.

So then you're talking about CPU-driven firewalls, without ASICs e.g.,
consumer-level gear?  Well, that would explain why you think they fail
before the servers behind them.

> I've been a sysadmin

Have you noticed how easily Drupal servers go down with corrupt MyISAM
tables?  How would S/RTBH and/or flow-spec protect against that?

Roger Marquis