I don't need no stinking firewall!

George Bonser gbonser at seven.com
Wed Jan 6 07:45:43 UTC 2010


> See above; in front of the server, there's no state to track in the
> first place, heh.
> 
> Fish, meet bicycle.

I think that is the part that some people aren't getting.  You have a
network just sitting there. A SYN packet arrives for port 80 to an HTTP
server.  You ARE going to allow it because that is what a web server
does.

Now if you have a firewall in front of the load balancer you have a
three-way handshake that goes on with the firewall.  Then another one
between the firewall and the load balancer.  And then possibly yet
another one between the balancer and the server if you aren't using
persistent connections in that part of the network. 

So now you get a DoS request that is as simple as "GET /index.html" or,
worse, some huge file, which you are also going to allow anyway because
there is no way to tell a legitimate request from a flood of requests
from a botnet, or from someone having posted your link on Slashdot, or whatever.

So now your web server is flooded with "legitimate" requests that pass
all of your policy but you are being overwhelmed by the sheer volume of
them and they are originating from thousands of IP addresses from all
around the world.  They are all getting through your firewall.  So now
it is just a matter of which is the weakest link in the chain.  

If you have enough servers and bandwidth, the firewall is often that
weakest link.
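The "weakest link" argument above can be put in numbers. This is an added illustration, not code from the post or from NANOG: it applies Little's law (entries in use = request rate x time each entry is held) to every hop in the chain the post describes, a stateful firewall, a load balancer and the server, each doing its own handshake. All table sizes, holding times and request rates are constructed sample values.

```python
"""Added illustration: per-hop connection-state pressure under a flood of
requests that all pass policy.  Every stateful hop must keep one table
entry per open connection, so by Little's law the steady-state number of
entries is  requests_per_second * seconds_each_entry_is_held.
Capacities and timeouts below are constructed, not measured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    name: str
    max_entries: int      # size of this hop's connection/state table (constructed)
    hold_seconds: float   # how long one request occupies an entry (constructed)


def entries_in_use(hop: Hop, requests_per_second: float) -> float:
    """Little's law, L = lambda * W, for a single hop."""
    return requests_per_second * hop.hold_seconds


def utilisation(hop: Hop, requests_per_second: float) -> float:
    """Fraction of the hop's state table consumed at this request rate."""
    return entries_in_use(hop, requests_per_second) / hop.max_entries


def saturation_rate(hop: Hop) -> float:
    """Request rate (req/s) at which this hop's table is exactly full."""
    return hop.max_entries / hop.hold_seconds


def weakest_link(hops: list[Hop], requests_per_second: float) -> Hop:
    """The hop whose state table fills first: the one with the highest utilisation."""
    return max(hops, key=lambda h: utilisation(h, requests_per_second))


# Constructed chain: firewall -> load balancer -> web server, no persistent
# connections between balancer and server, so each hop tracks every request.
# The firewall keeps an entry for its idle timeout, far longer than the
# server needs to answer a small GET.
CHAIN = [
    Hop("firewall",      max_entries=1_000_000, hold_seconds=30.0),
    Hop("load balancer", max_entries=4_000_000, hold_seconds=5.0),
    Hop("web server",    max_entries=200_000,   hold_seconds=0.2),
]

if __name__ == "__main__":
    rate = 50_000.0  # req/s of policy-passing GETs from thousands of sources
    for hop in CHAIN:
        print(f"{hop.name:14s} {utilisation(hop, rate):7.1%} of table, "
              f"saturates at {saturation_rate(hop):,.0f} req/s")
    print("weakest link:", weakest_link(CHAIN, rate).name)
```

Raising the firewall's table size or shortening its timeout moves the saturation point; the hop with the largest hold_seconds / max_entries ratio is always the one that breaks first.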

More information about the NANOG mailing list