D/DoS mitigation hardware/software needed.

Bill Blackford bill at billblackford.com
Tue Jan 5 04:09:40 UTC 2010

A lot of this has to do with scaling the environment. I've had plenty of
ASAs and even NetScreens fall over from state-table and session
limitations. I've also seen hosts fill up the connection table prior to a
firewall being affected. I'm not familiar with the specs and anyone can
chime in, but the newer variety of SRXs, I believe, implement more in
hardware as line-rate routers do. A layered approach is useful as well. If
the source can be identified via netflow and null routed before it gets to
the firewall and content layer, then all the better. This is much more
tricky with DDoS, so having a robust firewall that can eat traffic is helpful.

My 3 cents


On Mon, Jan 4, 2010 at 7:35 PM, Christopher Morrow
<morrowc.lists at gmail.com> wrote:

> On Mon, Jan 4, 2010 at 9:18 PM, jim deleskie <deleskie at gmail.com> wrote:
> > What Roland said, I've seen people do this, no rules in place, still
> > was able to kill the box (firewall) with a single CPU server.
> Not to pile on, but... +1 to Roland here as well. I've seen more than
> enough folks put in a 'firewall' in front of their 'server' (say a
> mail server) and then watch that die long before the rest of the
> system did.
> Now, if you have equipment capable today of doing a few million
> session creates/second and you feel comfortable that you can keep
> track of how attacks grow vs your capacity stays the same and move
> ahead of the curve well enough, then... by all means do as you want :)
> There's a cost analysis which Roland sidestepped here as well:
> state-tracking at the rates required is expensive, as compared to
> relatively simple ACLs in hardware with no state on the upstream
> router.
> Spend where it matters, and make sure you understand where the failure
> points are that you place into your network.
> -chris
> > -jim
> >
> > On Mon, Jan 4, 2010 at 10:04 PM, Dobbins, Roland <rdobbins at arbor.net>
> wrote:
> >>
> >> On Jan 5, 2010, at 4:25 AM, Jeffrey Lyon wrote:
> >>
> >>> Use a robust firewall such as a Netscreen in front of your mitigation
> >>> tool.
> >>
> >> Absolutely not - the firewall will fall over due to state-table
> >> exhaustion before the mitigation system will.  Firewalls (which have no
> >> place in front of servers in the first place), load-balancers, and any other
> >> stateful devices should be southbound of the mitigation system.
> >>
> >> -----------------------------------------------------------------------
> >> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> >>
> >>    Injustice is relatively easy to bear; what stings is justice.
> >>
> >>                        -- H.L. Mencken

Bill Blackford
Network Engineer
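As an added example (not code from Bill's post or from anyone else in the thread), here is a small Python sketch of the netflow-driven triage Bill describes: it aggregates constructed flow records per source for an attacked host and reports which sources could be null routed upstream, or whether the traffic is too distributed for source null routes to help (the DDoS case he calls tricky). The record format, thresholds and addresses are assumptions, not anything from the thread.

```python
"""Decide from flow records whether an attack on a host can be stopped upstream
by null-routing a few sources, or is too distributed (DDoS) for that approach."""
from collections import Counter, namedtuple

# Constructed, simplified flow records (not real NetFlow export); the fields
# are a subset of what a v5/v9 collector would hand you.
Flow = namedtuple("Flow", "src dst proto dport packets")

# Constructed sample: two heavy sources hammering a mail server's port 25.
CONCENTRATED_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", 6, 25, 50000),
    Flow("203.0.113.7", "192.0.2.10", 6, 25, 48000),
    Flow("198.51.100.4", "192.0.2.10", 6, 25, 20000),
    Flow("198.51.100.9", "192.0.2.10", 6, 443, 120),
    Flow("203.0.113.22", "192.0.2.10", 6, 25, 90),
    Flow("203.0.113.30", "192.0.2.20", 6, 80, 15),
]

# Constructed sample: twenty sources, each individually unremarkable.
DIFFUSE_FLOWS = [
    Flow("198.51.100.%d" % i, "192.0.2.20", 17, 53, 3000) for i in range(1, 21)
]


def packets_per_source(flows, target):
    """Sum packets by source address for flows aimed at `target`."""
    totals = Counter()
    for f in flows:
        if f.dst == target:
            totals[f.src] += f.packets
    return totals


def null_route_candidates(flows, target, min_packets=10000, share=0.8, max_sources=5):
    """Return (candidates, diffuse).

    candidates: sources heavy enough to be worth a null route upstream of the
                firewall, at most `max_sources` of them.
    diffuse:    True when those sources cover less than `share` of the packets
                hitting `target`, i.e. source null routes alone will not help."""
    totals = packets_per_source(flows, target)
    grand = sum(totals.values())
    if grand == 0:
        return [], False
    candidates, covered = [], 0
    for src, pkts in totals.most_common():
        if pkts < min_packets or len(candidates) >= max_sources:
            break
        candidates.append(src)
        covered += pkts
    return candidates, covered < share * grand
```

In practice the candidate list would feed a BGP-triggered blackhole or an ACL on the upstream router rather than the firewall, keeping state out of the path the attack traverses.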
