I don't need no stinking firewall!

Arie Vayner arievayner at gmail.com
Fri Jan 8 08:21:34 UTC 2010

What is nice about load balancers is that if you design your solution
correctly, you can scale them in a very nice way. Things like direct server
return, where only the requests hit the load balancer, but the replies
(which are usually larger) just route back directly to the client can free
up resources on the load balancer to handle more complex policies.
This also reduces the imposed symmetry for routing that firewalls bring to
the table.

Further on, if you want to really protect against a real DDoS you would most
likely would have to look at a really distributed solution, where the
different geographical load balancing solutions come into play.


On Wed, Jan 6, 2010 at 7:03 AM, George Bonser <gbonser at seven.com> wrote:

> > -----Original Message-----
> > From: Dobbins, Roland [mailto:rdobbins at arbor.net]
> > Sent: Tuesday, January 05, 2010 8:53 PM
> > To: NANOG list
> > Subject: Re: I don't need no stinking firewall!
> >
> >
> > On Jan 6, 2010, at 11:43 AM, George Bonser wrote:
> >
> > >  Yes, you have to take some of the things that were done in one spot
> > and do
> > > them in different locations now, but the results are an amazing
> > increase
> > > in service capacity per dollar spent on infrastructure.
> >
> > I strongly agree with the majority of your comments, with the caveat
> > that I've seen many, many load-balancers fall over due to state-
> > exhaustion, too; load-balancers need northbound protection from DDoS
> > (S/RTBH, flow-spec, IDMS, et. al.), as well.
> >
> Yes, I have seen load balancers fall over, too.  I have some interesting
> stories of how those problems have been solved. Sometimes it relies on
> using a feature of one vendor to leverage a feature of another vendor.
> But I generally agree with you.  There is a lot that can be done ahead
> of the load balancers.

More information about the NANOG mailing list