I don't need no stinking firewall!

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Jan 8 09:50:22 CST 2010


On Fri, 08 Jan 2010 08:22:00 EST, bill from home said:

> My question is at what size connection does a state table become 
> vulnerable, are we talking 1mb dsl's with a soho firewall?

Security - you're doing it wrong. ;)

The question you *should* be asking yourself is "at what size connection am I
enough of a network presence that I might attract attention from somebody who
might want to attack me?"  And that depends more on the *type* of presence than
the size of the pipe.

If you're a small electrical-components design firm that nobody's heard of, the
size of your state table is probably moot.  One of your users just drew the
attention of some random 4chan /b/tard, the size of the state table is again
probably moot. ;)

But to answer your question - it's so absurdly easy for a competent(*) attacker
to saturate any edge connection smaller than a gigabit or so, that 'state
table exhaustion' is only *really* an issue if you have a 10G or bigger
pipe.

(*) There is of course the case of an incompetent attacker who only has a
botnet of a few hundred machines, attacking a small pipe. At that point, it's
probably a crap shoot - if your firewall falls over, you've been DDoS'ed. But
if it doesn't fall over, you'll probably *still* be DDoS'ed because the machines
you're protecting fall over...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100108/25bbb88b/attachment.bin>


More information about the NANOG mailing list