D/DoS mitigation hardware/software needed.

Roger Marquis marquis at roble.com
Sun Jan 10 16:19:27 UTC 2010


> Then you need to get rid of that '90's antique web server and get
> something modern.  When you say "interrupt-bound hardware," all you
> are doing is showing that you're not familiar with modern servers
> and quality operating systems that are designed to mitigate things
> like DDoS attacks.

"Modern" servers?   IP is processed in the kernel on web servers,
regardless of OS.  Have you configured a kernel lately?  Noticed there
are ~3,000 lines in the Linux config file alone?  _Lots_ of device
drivers in there, which are interrupt driven and have to be timeshared.
No servers I know do realtime processing (RT kernels don't) or process IP
in ASICs.

What configurations of Linux / BSD / Solaris / etc. do web / email / ntp
/ sip / iptables / ipfw / ... and don't have issues with kernel
locking?  Test it on your own servers by mounting a damaged DVD on the
root directory and dd'ing it to /dev/null.  Notice how the ATA/SATA/SCSI
driver impacts the latency of everything on the system.  How would you
replicate that on a firmware and ASIC drive appliance?

Roger Marquis
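The measurement Roger describes (read a misbehaving block device with dd and watch latency elsewhere on the box suffer) can be scripted so the effect is numbers rather than a feeling. The script below is an added example, not code from the post or the NANOG thread. It assumes GNU coreutils (date +%N, dd) and a Linux-style /proc/interrupts; the SRC argument is whatever you want the storage driver to chew on (a scratched disc in /dev/sr0, or any file as a stand-in), and the /proc/interrupts snapshot inside it is constructed sample data so the counter parser can be exercised on a machine without that file. The names sample_max_gap_us, irq_total and io_latency_test are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the experiment in
# the message: run dd against a block source in the background and measure
# how much an unrelated loop on the same host gets held off the CPU.
# Assumes GNU coreutils (date +%s%N, dd) and, for interrupt counting, a
# Linux /proc/interrupts. A damaged DVD is optional; any file works as SRC.

# sample_max_gap_us N: take N back-to-back timestamps and return the largest
# gap between consecutive samples, in microseconds. Each sample forks date,
# so the idle baseline already includes process-creation cost; the number to
# watch is how much the maximum grows while the driver is busy.
sample_max_gap_us() {
    n=$1; i=0; max=0
    prev=$(date +%s%N)
    while [ "$i" -lt "$n" ]; do
        now=$(date +%s%N)
        gap=$(( (now - prev) / 1000 ))
        [ "$gap" -gt "$max" ] && max=$gap
        prev=$now
        i=$((i + 1))
    done
    echo "$max"
}

# irq_total PATTERN [FILE]: sum the per-CPU counts of every line in a
# /proc/interrupts-style FILE (stdin if omitted) whose text matches PATTERN
# (an awk regex), e.g. irq_total 'ahci|ata|nvme' /proc/interrupts.
# The header row has one column per CPU; each later row is "IRQ: c0 c1 ... desc".
irq_total() {
    awk -v pat="$1" '
        NR == 1 { ncpu = NF; next }
        $0 ~ pat { for (i = 2; i <= ncpu + 1; i++) sum += $i }
        END { print sum + 0 }' ${2:+"$2"}
}

# constructed_interrupts: a made-up /proc/interrupts snapshot (sample data,
# not captured from any real host) so irq_total can be tried anywhere.
constructed_interrupts() {
    cat <<'EOF'
           CPU0       CPU1
  9:         12          0   IO-APIC   9-fasteoi   acpi
 27:       1500        250   PCI-MSI   524288-edge  ahci[0000:00:1f.2]
 28:          7          3   PCI-MSI   327680-edge  xhci_hcd
NMI:          0          0   Non-maskable interrupts
EOF
}

# io_latency_test SRC N [PATTERN]: print "idle_us loaded_us irqs":
#   idle_us   largest sample gap with nothing else running
#   loaded_us largest sample gap while dd reads SRC in the background
#   irqs      storage-driver interrupts (lines matching PATTERN) delivered
#             during the read; 0 when /proc/interrupts is unavailable
io_latency_test() {
    src=$1; n=$2; pat=${3:-"ahci|ata|nvme"}
    idle=$(sample_max_gap_us "$n")
    irq_before=0; irq_after=0
    [ -r /proc/interrupts ] && irq_before=$(irq_total "$pat" /proc/interrupts)
    dd if="$src" of=/dev/null bs=64k 2>/dev/null &
    pid=$!
    loaded=$(sample_max_gap_us "$n")
    # A damaged medium makes dd exit non-zero on the first unreadable
    # sector; that is the expected outcome of the experiment, not an error.
    wait "$pid" || true
    [ -r /proc/interrupts ] && irq_after=$(irq_total "$pat" /proc/interrupts)
    echo "$idle $loaded $((irq_after - irq_before))"
}

# Stand-alone use: sh this_script.sh /dev/sr0 [samples]
if [ -n "${1:-}" ]; then
    io_latency_test "$1" "${2:-2000}"
fi
```

Run it once against a file that is already in the page cache and once against the real device to see the difference the driver makes; a large loaded_us with a small irqs count is a sign of the driver spinning or holding a lock (the kernel-locking problem the message points at) rather than the interrupt volume itself.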
