I don't need no stinking firewall!

George Bonser gbonser at seven.com
Wed Jan 6 05:03:51 UTC 2010

> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins at arbor.net]
> Sent: Tuesday, January 05, 2010 8:53 PM
> To: NANOG list
> Subject: Re: I don't need no stinking firewall!
>
> On Jan 6, 2010, at 11:43 AM, George Bonser wrote:
> > Yes, you have to take some of the things that were done in one spot
> > and do them in different locations now, but the results are an amazing
> > increase in service capacity per dollar spent on infrastructure.
>
> I strongly agree with the majority of your comments, with the caveat
> that I've seen many, many load-balancers fall over due to state-
> exhaustion, too; load-balancers need northbound protection from DDoS
> (S/RTBH, flow-spec, IDMS, et al.), as well.

Yes, I have seen load balancers fall over, too.  I have some interesting
stories of how those problems have been solved. Sometimes it relies on
using a feature of one vendor to leverage a feature of another vendor.
But I generally agree with you.  There is a lot that can be done ahead
of the load balancers.
