D/DoS mitigation hardware/software needed.

Christopher Morrow morrowc.lists at gmail.com
Mon Jan 4 21:35:42 CST 2010


On Mon, Jan 4, 2010 at 9:18 PM, jim deleskie <deleskie at gmail.com> wrote:
> What Roland said, I've seen people do this, no rules in place, still
> was able to kill the box (firewall) with a single CPU server.

not to pile on, but... +1 to roland here as well. I've seen more than
enough folks put in a 'firewall' in front of their 'server' (say a
mail server) and then watch that die long before the rest of the
system did.

Now, if you have equipment capable today of doing a few million
session creates/second and you feel comfortable that you can keep
track of how attacks grow vs your capacity stays the same and move
ahead of the curve well enough, then... by all means do as you want :)

There's a cost analysis which Roland sidestepped here as well,
state-tracking at the rates required is expensive, as compared to
relatively simple acls in hardware with no state on the upstream
router.

Spend where it matters, and make sure you understand where the failure
points are that you place into your network.

-chris

> -jim
>
> On Mon, Jan 4, 2010 at 10:04 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:
>>
>> On Jan 5, 2010, at 4:25 AM, Jeffrey Lyon wrote:
>>
>>> Use a robust firewall such as a Netscreen in front of your mitigation
>>> tool.
>>
>> Absolutely not - the firewall will fall over due to state-table exhaustion before the mitigation system will.  Firewalls (which have no place in front of servers in the first place), load-balancers, and any other stateful devices should be southbound of the mitigation system.
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>
>>    Injustice is relatively easy to bear; what stings is justice.
>>
>>                        -- H.L. Mencken
>>
>>
>>
>>
>>
>
>




More information about the NANOG mailing list