D/DoS mitigation hardware/software needed.

Dobbins, Roland rdobbins at arbor.net
Mon Jan 4 20:24:00 CST 2010


On Jan 5, 2010, at 9:17 AM, Tim Eberhard wrote:

>  I would argue that firewalls' place is in fact directly in front of servers and load balancers to protect them.

The very idea of placing a stateful firewall in front of a Web/DNS/email/etc. server, in which *every single incoming packet is unsolicited, and therefore, leaves no state to be inspected in the first place*, is absurd.

There is simply no valid argument for doing so.  Hardening the OS/apps/services, combined with stateless ACLs in hardware which can handle mpps, is the way to enforce policy.

In fact, the idea is such a poor one that one of the major firewall vendors came out with a 'stateful inspection bypass' feature - the idea being that, you buy their 10gb/sec, $100K-plus stateful firewall, stick it in front of servers, and then . . . disable the stateful inspection, heh.

;>

None of the large, well-known Web properties on the Internet today - at least, the ones which stay up and running, heh - have stateful firewalls in front of them.  Including prominent vendors of said stateful firewall solutions.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

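As an added illustration, not code from Dobbins' post nor from any vendor product: the policy the post describes (permit only the services a public server actually offers, deny everything else) written as a stateless ACL, contrasted with the per-flow state a stateful device would accumulate from the same unsolicited inbound traffic. The addresses are RFC 5737 documentation ranges, the traffic mix is constructed, and the `Packet`/`AclEntry` types and `SERVER_ACL` policy are assumptions made for the example.

```python
"""Stateless ACL vs. per-flow state for server-facing inbound traffic.

Constructed example: every incoming packet to a public web/DNS host is
unsolicited, so a stateless first-match ACL enforces the same policy a
stateful device would, without building state that nothing will ever use.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination host or "any"
    dport: Optional[int]  # destination port, None = any port


# Hypothetical public host (RFC 5737 documentation address, constructed).
SERVER_VIP = "192.0.2.10"

# Hypothetical policy: only the services the host offers; implicit deny.
SERVER_ACL: List[AclEntry] = [
    AclEntry("permit", "tcp", SERVER_VIP, 80),
    AclEntry("permit", "tcp", SERVER_VIP, 443),
    AclEntry("permit", "udp", SERVER_VIP, 53),
    AclEntry("permit", "tcp", SERVER_VIP, 53),
]


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    """Match one ACL entry against one packet's header fields only."""
    return ((entry.proto == "any" or entry.proto == pkt.proto)
            and (entry.dst == "any" or entry.dst == pkt.dst)
            and (entry.dport is None or entry.dport == pkt.dport))


def stateless_decide(acl: List[AclEntry], pkt: Packet) -> str:
    """First-match evaluation with no memory between packets (implicit deny)."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


def stateless_filter(acl: List[AclEntry], packets: List[Packet]) -> List[Packet]:
    """Return the packets the ACL permits; cost is per packet, not per flow."""
    return [p for p in packets if stateless_decide(acl, p) == "permit"]


def stateful_flow_table(acl: List[AclEntry],
                        packets: List[Packet]) -> Set[Tuple[str, str, int, str, int]]:
    """Naive per-flow state: one table entry per permitted new 5-tuple.

    For all-inbound, unsolicited server traffic every permitted packet from
    a new source creates an entry no return packet will ever match, so the
    table grows with the number of distinct sources, not with the policy.
    """
    table: Set[Tuple[str, str, int, str, int]] = set()
    for p in packets:
        if stateless_decide(acl, p) == "permit":
            table.add((p.proto, p.src, p.sport, p.dst, p.dport))
    return table


def build_sample_traffic(n_sources: int = 1000) -> List[Packet]:
    """Constructed traffic: two legitimate requests, two packets the policy
    should drop, then n_sources distinct unsolicited SYN-like packets to port 80."""
    pkts = [
        Packet("tcp", "198.51.100.7", 51000, SERVER_VIP, 80),   # web client
        Packet("udp", "198.51.100.8", 40000, SERVER_VIP, 53),   # DNS query
        Packet("tcp", "198.51.100.9", 52000, SERVER_VIP, 22),   # ssh: denied
        Packet("udp", "198.51.100.9", 40001, SERVER_VIP, 161),  # snmp: denied
    ]
    for i in range(n_sources):
        # Distinct (src, sport) pairs so every packet is a new 5-tuple.
        pkts.append(Packet("tcp", f"203.0.113.{i % 256}", 1024 + i, SERVER_VIP, 80))
    return pkts


def summarize(n_sources: int = 1000) -> dict:
    """Compare what each approach has to keep for the same permitted traffic."""
    traffic = build_sample_traffic(n_sources)
    permitted = stateless_filter(SERVER_ACL, traffic)
    table = stateful_flow_table(SERVER_ACL, traffic)
    return {
        "packets": len(traffic),
        "permitted": len(permitted),
        "denied": len(traffic) - len(permitted),
        "acl_entries": len(SERVER_ACL),        # fixed, independent of load
        "flow_state_entries": len(table),      # grows with distinct sources
    }


if __name__ == "__main__":
    print(summarize())
```

Both paths permit and deny exactly the same packets; the difference is that the ACL's working set stays at four entries while the flow table grows by one entry for every unsolicited source that hits a permitted port, which is the resource a flood exhausts.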