D/DoS mitigation hardware/software needed.

Dobbins, Roland rdobbins at arbor.net
Tue Jan 5 03:14:15 UTC 2010

On Jan 5, 2010, at 10:06 AM, Jeffrey Lyon wrote:

> We have such a configuration in progress, it works great without any of the issues you're proposing.

Then you aren't testing it to destruction, heh.


If it's a stateful firewall, and state-tracking is turned on, it's quite possible to craft sufficient pathological traffic which conforms to the firewall policies and yet which leads to state-table inspection.  

And the stateful firewall serves no purpose in front of servers, in which *every incoming packet* is unsolicited.  Far more sensible to enforce policy in stateless ACLs in ASIC-based router/switch hardware.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

More information about the NANOG mailing list