I don't need no stinking firewall!
bjohnson at drtel.com
Wed Jan 6 19:29:39 UTC 2010
> -----Original Message-----
> From: Brian Keefer [mailto:chort at smtps.net]
> Sent: Wednesday, January 06, 2010 11:38 AM
> To: Brian Johnson
> Cc: NANOG list
> Subject: Re: I don't need no stinking firewall!
> On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote:
> > Like Roland, I've been doing
> > this for over a decade as well, and I have seen some pretty strange
> > things, even a statefull firewall in front of servers with IPS
> > work.
> What do you mean by "work"? If you mean "all three pieces ran for
> years without being seriously attacked", then that's really not the
> same thing as "continued to perform assigned duties effectively in the
> face of a determined DDoS".
By work I mean that it held-up under DDoS attack. The size of a DDoS
attack is the question. If I have enough resources a person can DDoS an
entire network, irrelevant of its equipment, that will make the network
un-usable and unreachable. Statefull firewall or not. They simply need
to fill up the inbound connection with traffic so that nothing else gets
If your point is given unlimited inbound bandwidth that a stateful
firewall will fail (not work correctly), I can say that about any piece
of equipment. And even if it does fail, does it matter if your
connection is full of useless traffic?
DDoS attacks are not designed to compromise or gather data about
networks. DDoS is the sledge hammer of the dubious to cause disruption.
It doesn't matter what you put in there (Statefull Firewall, IDS, IPS,
Router ACLS, et al...), if the connection is flooded, the network will
be unreachable. Does it matter if the equipment can't handle it if no
good traffic, that would need to be statefully inspected, is traversing
CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged information. Any unauthorized review,
copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original message. Thank you.
More information about the NANOG