Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Jerry B. Altzman" <jbaltz () altzman com>
Date: Wed, 28 Nov 2007 14:36:43 -0500
on 2007-11-28 08:21 Darden, Patrick S. said the following:
> No offense, but both of you are wrong. Properly configured, a simple firewall CAN prevent most DOS attacks.
I am really confused here. I've read BCP38 (which your paper obliquely references). I guess you mean: if I have a firewall, I can prevent DOS attacks from *originating from my network*, as opposed to what I see as the more popular interpretation of "help you against DOS attacks" to mean "mitigate the damage of DOS attacks inbound on my network".
> Check out this SANS bulletin on "Defeating DDOS". Yes, that is my name in the credits. Special task force back in 2000. Sigh, and still people don't know that you can use a simple firewall to defeat most DOS attacks... as long as you are protecting the world from YOUR network.
I can do all the source filtering I want, but if I'm receiving 500 Mpps of DDOS, my firewall's gonna keel over and die. (Maybe I'm off by 10 dB or so...) Any plan of action that depends on the compliance of vendors and everyone else on the Internet is...well, I'd love the IOS command that would allow me to configure my neighbor's router.
> --p
//jbaltz
--
jerry b. altzman jbaltz () altzman com www.jbaltz.com
thank you for contributing to the heat death of the universe.