I don't need no stinking firewall!

William Pitcock nenolod at systeminplace.net
Wed Jan 6 08:03:20 UTC 2010

On Wed, 2010-01-06 at 01:47 -0600, James Hess wrote:
> On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:
> > On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote:
> > DDoS attacks are attacks against capacity and/or state.  Start reducing
> DDoS,  by its very nature is a type of attack that dances around
> common security measures  like  conventional firewalls, by its very
> nature.
> The possibility of someone dropping a nuke on your facility,
> shouldn't stop you from locking your doors at night.
> If necessary, use another arrangement to detect that threat, and
> protect firewall+servers from it.

DDoS mitigation gear tends to choke up in my experience.  It's a really
touchy subject.

> Having no 'firewall' type safeguard at all  (stateless or otherwise)
> would appear pretty risky.

Not really, because firewalls don't do anything useful.  Stateless ACL
policies do something useful, and usually that is handled in the router
in a modern network.  The other features of a firewall range from not so
useful to actively harmful.

> > Because, by definition, all incoming packets to the server are unsolicited.
> For UDP servers sure..  not for TCP..  the initial SYN is unsolicited,
> for inbound  TCP connections.  Once the server acknowledges the
> connection by invoking  accept(),  the rest of it the packets are
> solicited,  the packets are either part of an active connection,  or
> unwanted.

Wrong.  You seem to assume that TCP stacks are well-behaved, or that
botnets aren't just synthesizing junk.  I've seen unsolicited ACK floods
before.  They are quite real.  So, in fact, all incoming packets should
be considered unsolicited until proven otherwise.

It should be mentioned that DDoS mitigation gear in use on that network
let those packets through without even alerting us about it.


More information about the NANOG mailing list