Re: D/DoS mitigation hardware/software needed.

[Christopher Morrow <morrowc.lists () gmail com>]

On Mon, Jan 4, 2010 at 9:18 PM, jim deleskie <deleskie () gmail com> wrote:
> What Roland said, I've seen people do this, no rules in place, still
> was able to kill the box (firewall) with a single CPU server.

not to pile on, but... +1 to roland here as well. I've seen more than
enough folks put in a 'firewall' in front of their 'server' (say a
mail server) and then watch that die long before the rest of the
system did.

Now, if you have equipment capable today of doing a few million
session creates/second and you feel comfortable that you can keep
track of how attacks grow vs your capacity stays the same and move
ahead of the curve well enough, then... by all means do as you want :)

There's a cost analysis which Roland sidestepped here as well,
state-tracking at the rates required is expensive, as compared to
relatively simple acls in hardware with no state on the upstream
router.

Spend where it matters, and make sure you understand where the failure
points are that you place into your network.

-chris

> -jim
>
> On Mon, Jan 4, 2010 at 10:04 PM, Dobbins, Roland <rdobbins () arbor net> wrote:
> > On Jan 5, 2010, at 4:25 AM, Jeffrey Lyon wrote:
> >
> > > Use a robust firewall such as a Netscreen in front of your mitigation
> > > tool.
> >
> > Absolutely not - the firewall will fall over due to state-table exhaustion before the mitigation system will.  
> > Firewalls (which have no place in front of servers in the first place), load-balancers, and any other stateful 
> > devices should be southbound of the mitigation system.
> >
> > -----------------------------------------------------------------------
> > Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
> >
> >    Injustice is relatively easy to bear; what stings is justice.
> >
> >                        -- H.L. Mencken