nanog mailing list archives

Re: D/DoS mitigation hardware/software needed.

From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Sun, 10 Jan 2010 03:21:18 +0000


On Jan 10, 2010, at 10:05 AM, Roger Marquis wrote:

Ok, I'll bite.  What firewalls are you referring to?


Hardware-based commercial firewalls from the major vendors, open-source/DIY, and anything in between.  All stateful 
firewalls ever made, period (as discussed previously in the thread).

So then you're talking about CPU-driven firewalls, without ASICs e.g., consumer-level gear?  Well, that would explain 
why you think they fail before the servers behind them.


You obviously haven't read the thread.

No, I'm not talking about little firewalls, and no, I don't 'think' anything - I *know* it, because I've seen it over 
and over again, including during my tenure at the largest commercial firewall vendor in the world.

See here for a high-profile example:

<http://files.me.com/roland.dobbins/k54qkv>

I've personally choked a hardware-based firewall rated at 2gb/sec with only 80kpps of traffic from an old, 
PowerPC-based PowerBook, for example.  And again, as noted repeatedly in the thread, all that's required to effectively 
DDoS servers behind firewalls is to programmatically generate well-formed, completely valid traffic which passes all 
the firewall rules/inspectors/what-have-you - enough to 'crowd out' legit traffic from legit users.  

I strongly suggest reading the thread before commenting.

Have you noticed how easily Drupal servers go down with corrupt MyISAM tables?  How would S/RTBH and/or flow-spec 
protect against that?


We're talking about DDoS mitigation in order to keep the servers up and running, so that they don't go down 
ungracefully and corrupt anything in the first place.

Placing a stateful inspection device in a topological position where no stateful inspection is possible due to every 
incoming packet being unsolicited makes zero sense whatsoever from an architectural standpoint, even without going into 
implementation-specific details.

Once again - read the thread. 

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

Current thread:

RE: D/DoS mitigation hardware/software needed., (continued)
- - RE: D/DoS mitigation hardware/software needed. George Bonser (Jan 09)
  - Re: D/DoS mitigation hardware/software needed. Joe Greco (Jan 10)
    - Re: D/DoS mitigation hardware/software needed. Roger Marquis (Jan 10)
    - Re: D/DoS mitigation hardware/software needed. Joe Greco (Jan 10)
    - Re: D/DoS mitigation hardware/software needed. Valdis . Kletnieks (Jan 10)
    - Message not available
    - Re: D/DoS mitigation hardware/software needed. Roger Marquis (Jan 10)
    - Re: D/DoS mitigation hardware/software needed. Manolo Hernandez (Jan 10)
    - Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 10)
    - Re: D/DoS mitigation hardware/software needed. Kevin Oberman (Jan 10)
- Re: D/DoS mitigation hardware/software needed. Roger Marquis (Jan 09)
  - Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 09)
    - Re: D/DoS mitigation hardware/software needed. Christopher Morrow (Jan 09)
    - Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 09)
- Re: D/DoS mitigation hardware/software needed. Roger Marquis (Jan 09)
  - Re: D/DoS mitigation hardware/software needed. Dobbins, Roland (Jan 09)