nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: I don't need no stinking firewall!

From: Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>
Date: Thu, 7 Jan 2010 01:16:43 +1030
On Wed, 6 Jan 2010 04:53:17 +0000
"Dobbins, Roland" <rdobbins () arbor net> wrote:



On Jan 6, 2010, at 11:43 AM, George Bonser wrote:


 Yes, you have to take some of the things that were done in one spot and do
them in different locations now, but the results are an amazing increase
in service capacity per dollar spent on infrastructure.


I strongly agree with the majority of your comments, with the caveat that I've seen many, many load-balancers fall 
over due to state-exhaustion, too; load-balancers need northbound protection from DDoS (S/RTBH, flow-spec, IDMS, et. 
al.), as well.



And that is the crux of the matter. Any time you maintain state in the
network (e.g. stateful firewalls), you're vulnerable to traffic based
attacks that can exhaust that state. The Internet is scalable because
the (soft) state that it maintains, namely route tables, isn't
dependent on or influenced by the traffic that is forwarded through it.

Hosts have to maintain state about their connections - there is no
choice. However, the more you're able to push state tracking to the
hosts, you end up with less consequences of state targeted attacks,
and more scalable architectures.
Previous By Date Next
Previous By Thread Next

Current thread: