nanog mailing list archives

Re: D/DoS mitigation hardware/software needed.


From: Roger Marquis <marquis () roble com>
Date: Sun, 10 Jan 2010 08:19:27 -0800 (PST)

> Then you need to get rid of that '90's antique web server and get
> something modern.  When you say "interrupt-bound hardware," all you
> are doing is showing that you're not familiar with modern servers
> and quality operating systems that are designed to mitigate things
> like DDoS attacks.

"Modern" servers?   IP is processed in the kernel on web servers,
regardless of OS.  Have you configured a kernel lately?  Noticed there
are ~3,000 lines in the Linux config file alone?  _Lots_ of device
drivers in there, which are interrupt driven and have to be timeshared.
No servers I know do realtime processing (RT kernels don't) or process IP
in ASICs.

What configurations of Linux / BSD / Solaris / etc. do web / email / ntp
/ sip / iptables / ipfw / ... and don't have issues with kernel
locking?  Test it on your own servers by mounting a damaged DVD on the
root directory, and dd'ing it to /dev/null.  Notice how the ATA/SATA/SCSI
driver impacts the latency of everything on the system.  How would you
replicate that on a firmware and ASIC drive appliance?

Roger Marquis

