nanog mailing list archives
Re: D/DoS mitigation hardware/software needed.
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Mon, 4 Jan 2010 22:35:42 -0500
On Mon, Jan 4, 2010 at 9:18 PM, jim deleskie <deleskie () gmail com> wrote:
What Roland said, I've seen people do this, no rules in place, still was able to kill the box (firewall) with a single CPU server.
not to pile on, but... +1 to Roland here as well. I've seen more than enough folks put in a 'firewall' in front of their 'server' (say a mail server) and then watch that die long before the rest of the system did.

Now, if you have equipment capable today of doing a few million session creates/second and you feel comfortable that you can keep track of how attacks grow vs your capacity stays the same and move ahead of the curve well enough, then... by all means do as you want :)

There's a cost analysis which Roland sidestepped here as well: state-tracking at the rates required is expensive, as compared to relatively simple ACLs in hardware with no state on the upstream router. Spend where it matters, and make sure you understand where the failure points are that you place into your network.

-chris
-jim

On Mon, Jan 4, 2010 at 10:04 PM, Dobbins, Roland <rdobbins () arbor net> wrote:

On Jan 5, 2010, at 4:25 AM, Jeffrey Lyon wrote:

Use a robust firewall such as a Netscreen in front of your mitigation tool.

Absolutely not - the firewall will fall over due to state-table exhaustion before the mitigation system will. Firewalls (which have no place in front of servers in the first place), load-balancers, and any other stateful devices should be southbound of the mitigation system.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
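The state-table exhaustion Roland and Chris describe, as a toy model (an added illustration, not code from this thread; the table capacity, idle timeout and packet rates are constructed assumptions): a stateful device admits every new flow until its table is full and from then on refuses legitimate new sessions along with the spoofed flood, while `seconds_to_exhaustion` is the capacity-versus-attack-rate arithmetic behind Chris's "failure points" remark.

```python
# Added toy model for this thread, not code from it; numbers are constructed.
import random

def seconds_to_exhaustion(capacity, new_flows_per_sec, timeout):
    """Steady-state occupancy is rate * timeout; if that exceeds the
    table, it fills after capacity / rate seconds, otherwise never."""
    if new_flows_per_sec * timeout <= capacity:
        return None
    return capacity / new_flows_per_sec

class StateTable:
    """One entry per admitted flow, hard cap of `capacity`; entries idle
    longer than `timeout` are swept once per simulated second."""
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.flows = {}  # (src, sport) -> last-seen time
        self.last_sweep = 0.0

    def admit(self, flow, now):
        if now - self.last_sweep >= 1.0:  # periodic idle-entry sweep
            self.flows = {f: t for f, t in self.flows.items()
                          if now - t < self.timeout}
            self.last_sweep = now
        if flow in self.flows:  # known flow: refresh, always passes
            self.flows[flow] = now
            return True
        if len(self.flows) >= self.capacity:
            return False  # table full: new session refused, legit or not
        self.flows[flow] = now
        return True

def simulate(capacity, timeout, attack_pps, legit_pps, seconds, seed=1):
    """Interleave spoofed SYNs (each a never-completing new flow) with
    legitimate new sessions; return (legit_refused, legit_total)."""
    rng = random.Random(seed)
    dev = StateTable(capacity, timeout)
    refused = total = 0
    rate = attack_pps + legit_pps
    for i in range(int(seconds * rate)):
        now = i / rate
        if rng.random() < attack_pps / rate:  # constructed spoofed source
            src = ".".join(str(rng.randrange(256)) for _ in range(4))
            dev.admit((src, rng.randrange(1024, 65536)), now)
        else:  # constructed legitimate client in 192.0.2.0/24
            total += 1
            src = f"192.0.2.{rng.randrange(256)}"
            if not dev.admit((src, rng.randrange(1024, 65536)), now):
                refused += 1
    return refused, total
```

With a 10,000-entry table, a 30 s idle timeout and 5,000 spoofed SYNs/s, the table fills in about two seconds and most legitimate sessions arriving after that are refused; the same device with a 0.5 s timeout stays below capacity, which is exactly the rate-versus-capacity race Chris warns about.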