nanog mailing list archives

RE: D/DoS mitigation hardware/software needed.


From: "Stefan Fouant" <sfouant () shortestpathfirst net>
Date: Sat, 9 Jan 2010 10:40:52 -0500

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net]
Sent: Saturday, January 09, 2010 10:03 AM

On Jan 9, 2010, at 9:57 PM, Stefan Fouant wrote:

Firewalls do have their place in DDoS mitigation scenarios, but if used as
the "ultimate" solution you're asking for trouble.

In my experience, their role is to fall over and die, without
exception.  I can't imagine what possible use a stateful firewall has
being placed in front of servers under normal conditions, much less
during a DDoS attack; it just doesn't make sense.

See the earlier post - what I'm referring to here is more along the lines of
stateless packet filters on upstream routers which can be triggered via
Flowspec or similar mechanisms...  I'm not disagreeing with you here on the
other points and largely concur.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D


