I don't need no stinking firewall!

Joel Jaeggli joelja at bogus.com
Fri Jan 8 21:40:49 UTC 2010

bill from home wrote:
> All,
>    This thread certainly has been educational, and has changed my
> perception of what an appropriate outward-facing architecture should be.
> But seldom do I have the luxury of designing this from scratch, and also
> the networks I administer are "small businesses".
> My question is at what size connection does a state table become
> vulnerable? Are we talking 1Mb DSLs with a SOHO firewall?

Some numbers:

100Mb/s will carry 220Kpps worth of 64-byte packets. If this is a fairly
simple SYN attack and your firewall can support 100k new connections a
second (that's a fairly fast firewall), you need less than 50Mb/s to
nuke it... The maximum size of the state table on a Linux-derived system
with 4GB of RAM is north of a million connections, so assuming the
session rate of the DoS is trackable, your firewall needs to start aging
connections out in an accelerated fashion after about 4 seconds,
otherwise you're similarly hosed...

Given that the same firewall can probably forward 2-3Mpps when it comes to
small packets, you run out of state long before you run out of forwarding.

Some kind of firewall device that you might put in front of a business
cable connection or fractional Ethernet is likely to support a much lower
connection rate; an embedded Pentium equivalent or low- to mid-range MIPS
might support a rate of 2-10k connections per second, at which point the
threshold for DoSing it based on session rate is quite a bit lower
(quite a bit lower than that of a webserver or desktop PC, for example).
I.e. if 10kpps of DoS will take it out, that's like 5Mb/s on a device
that might otherwise be able to forward 300-500Mb/s interface to
interface using large packets.

> Or as I suspect we are talking about a larger scale?
> I know there are variables, I am just looking for a "rule of thumb".
> I would not want to recommend a change if it is not warranted.
> But when fatter and fatter pipes become available, at what point would a
> change be warranted?
> Thanks
> Bill Kruchas
> Dobbins, Roland wrote:
>> On Jan 8, 2010, at 3:21 PM, Arie Vayner wrote:
>>> Further on, if you want to really protect against a real DDoS you
>>> would most likely have to look at a really distributed
>>> solution, where the different geographical load balancing solutions
>>> come into play.
>> GSLB or whatever we want to call it is extremely useful from a general
>> availability standpoint; however, the attackers can always scale up
>> and really distribute their already-DDoS even further (they learned
>> about routeservers and DNS tinkering years ago). 
>> Architecture, visibility, and control are key, as are
>> vendor/customer/peer/upstream/opsec community relationships.
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>     Injustice is relatively easy to bear; what stings is justice.
>>                         -- H.L. Mencken
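The capacity arithmetic behind Joel's numbers, written out as a small planning model. This is an added example, not code from the thread or from any vendor; it uses the bare IP packet size with no Ethernet preamble/IFG overhead, so at 64 bytes it gives about 195 kpps rather than the 220 Kpps he quotes, and the link rate, packet size, session rate and state-table size are all assumed inputs taken from his message.

```python
"""Back-of-envelope model: when does a stateful firewall run out of
session rate or state-table space under a SYN flood? Added example;
all inputs below are assumptions drawn from the numbers in the thread."""


def packets_per_second(link_mbps: float, packet_bytes: int) -> float:
    """Packet rate a link carries at a fixed packet size (no L1/L2 framing)."""
    return link_mbps * 1_000_000 / (packet_bytes * 8)


def mbps_to_exceed_session_rate(max_new_sessions_per_sec: float,
                                packet_bytes: int) -> float:
    """Bandwidth of minimum-size SYNs needed to outrun the firewall's
    new-session setup rate, i.e. the flood size that 'nukes' it."""
    return max_new_sessions_per_sec * packet_bytes * 8 / 1_000_000


def assess(link_mbps: float, packet_bytes: int,
           max_new_sessions_per_sec: float, state_table_size: int) -> dict:
    """Summarise exposure of one firewall behind one link.

    seconds_to_fill: time until a line-rate SYN flood fills the table if
    nothing ages out. max_idle_timeout_s: with steady-state entries equal
    to rate x lifetime, the longest entry lifetime that keeps the table
    below capacity; the two are numerically the same quantity."""
    pps = packets_per_second(link_mbps, packet_bytes)
    return {
        "link_pps": pps,
        "session_rate_exceeded": pps > max_new_sessions_per_sec,
        "mbps_to_exceed_session_rate": mbps_to_exceed_session_rate(
            max_new_sessions_per_sec, packet_bytes),
        "seconds_to_fill": state_table_size / pps,
        "max_idle_timeout_s": state_table_size / pps,
    }


if __name__ == "__main__":
    # Joel's "fairly fast firewall" on a 100Mb/s link: 100k sessions/s, ~1M entries.
    fast = assess(100, 64, 100_000, 1_000_000)
    # Low-end SOHO/branch box: 5k sessions/s, assumed 100k-entry table.
    small = assess(100, 64, 5_000, 100_000)
    for name, r in (("fast", fast), ("small", small)):
        print(f"{name}: link {r['link_pps']:.0f} pps, flood of "
              f"{r['mbps_to_exceed_session_rate']:.1f} Mb/s exceeds session rate, "
              f"table full in {r['seconds_to_fill']:.1f}s without aging")
```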
