I don't need no stinking firewall!
Valdis.Kletnieks at vt.edu
Fri Jan 8 15:50:22 UTC 2010
On Fri, 08 Jan 2010 08:22:00 EST, bill from home said:
> My question is at what size connection does a state table become
> vulnerable, are we talking 1 Mb DSLs with a SOHO firewall?
Security - you're doing it wrong. ;)
The question you *should* be asking yourself is "at what size connection am I
enough of a network presence that I might attract attention from somebody who
might want to attack me?" And that depends more on the *type* of presence than
the size of the pipe.
If you're a small electrical-components design firm that nobody's heard of, the
size of your state table is probably moot. If one of your users just drew the
attention of some random 4chan /b/tard, the size of the state table is again
probably moot. ;)
But to answer your question - it's so absurdly easy for a competent(*) attacker
to saturate any edge connection smaller than a gigabit or so, that 'state
table exhaustion' is only *really* an issue if you have a 10G or bigger
pipe.
(*) There is of course the case of an incompetent attacker who only has a
botnet of a few hundred machines, attacking a small pipe. At that point, it's
probably a crap shoot - if your firewall falls over, you've been DDoS'ed. But
if it doesn't fall over, you'll probably *still* be DDoS'ed because the machines
you're protecting fall over...
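To put numbers on the two failure modes the reply compares (the pipe filling up versus the firewall's connection table filling up), here is an added back-of-envelope model. It is not from the post or the NANOG thread; the wire frame size, the half-open timeout, the table capacity and the attack rates in it are assumptions chosen for illustration, not measurements of any product or attack.

```python
# Added example, not from the NANOG post: a simple model of a stateful firewall
# behind an edge link under a flood of minimum-size TCP SYN packets. Every
# constant below is an assumption for illustration.

MIN_FRAME_BYTES = 64        # smallest Ethernet frame that can carry a TCP SYN
WIRE_OVERHEAD_BYTES = 20    # preamble + inter-frame gap on the wire (assumed)
BITS_PER_BYTE = 8


def max_syn_pps(link_bps):
    """Packets per second a link carries if every packet is a minimum-size frame."""
    return link_bps / ((MIN_FRAME_BYTES + WIRE_OVERHEAD_BYTES) * BITS_PER_BYTE)


def flood_outcome(link_bps, attack_pps, table_entries, half_open_timeout_s):
    """Report whether the link saturates and whether the state table fills.

    link_bps            - edge link capacity in bits per second
    attack_pps          - SYN packets per second the attacker can push at the link
    table_entries       - capacity of the firewall's connection table (assumed)
    half_open_timeout_s - seconds a half-open entry lives before it is reaped (assumed)
    """
    link_cap_pps = max_syn_pps(link_bps)
    # Whatever exceeds the link's packet rate is dropped upstream of the firewall,
    # so the firewall never sees more than link_cap_pps.
    delivered_pps = min(attack_pps, link_cap_pps)
    link_saturated = attack_pps >= link_cap_pps
    # Entries accumulate for one timeout period before the oldest are reaped;
    # if that steady-state count exceeds the table, the table fills after
    # table_entries / delivered_pps seconds.
    steady_state_entries = delivered_pps * half_open_timeout_s
    table_exhausted = steady_state_entries >= table_entries
    seconds_to_fill = table_entries / delivered_pps if table_exhausted else None
    return {
        "link_capacity_pps": link_cap_pps,
        "delivered_pps": delivered_pps,
        "link_saturated": link_saturated,
        "table_exhausted": table_exhausted,
        "seconds_to_fill": seconds_to_fill,
    }


if __name__ == "__main__":
    # Constructed scenarios: three edge sizes, each hit by a small botnet
    # (200 000 SYN/s) and by a large one (3 000 000 SYN/s). Attack rates,
    # table size and timeout are assumed values.
    links = (("1 Mbps DSL", 1e6), ("1 Gbps edge", 1e9), ("10 Gbps edge", 1e10))
    for name, link in links:
        for attack_pps in (200_000, 3_000_000):
            r = flood_outcome(link, attack_pps, table_entries=1_000_000,
                              half_open_timeout_s=30)
            print(f"{name:13s} attack={attack_pps:>9,} pps "
                  f"link_saturated={r['link_saturated']!s:5} "
                  f"table_exhausted={r['table_exhausted']!s:5} "
                  f"seconds_to_fill={r['seconds_to_fill']}")
```

The two knobs a practitioner actually controls are the table capacity and the half-open timeout; shortening the timeout (or using SYN cookies, which the model does not represent) lowers the steady-state entry count for a given packet rate, while nothing on the firewall changes how many packets the link can deliver to it.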