D/DoS mitigation hardware/software needed.

Łukasz Bromirski lukasz at bromirski.net
Sat Jan 9 05:10:37 CST 2010


On 2010-01-05 03:17, Tim Eberhard wrote:
> Kinda funny you state that Roland. I know of at least two very large
> carriers that use Netscreens (and soon SRX's) for their DoS/DDoS
> mitigation.

You mean Juniper SRX? The biggest box is a 5800, and it can handle
up to 350k new sessions each second, up to a maximum of 10 million
(let's skip the fact that it's not as simple as it would look from
the data sheet and there are major obstacles to reaching those
numbers).

350 kpps of TCP SYNs, or whatever wiser traffic your botnet controller
will generate, coming to your Internet pipe is really a small,
very small DDoS. In terms of short packets like TCP SYN
it's only around 179 Mbit/s worth of bandwidth.

Roland is right. Given finite resources to hold and process
stateful information, the stateful device on the packet's way to the
protected device is always vulnerable to becoming DDoSed itself. You can't
discuss the logic of that; you can only throw more capable boxes at it and
of course fail at some point.

-- 
"Everything will be okay in the end. |                  Łukasz Bromirski
 If it's not okay, it's not the end. |       http://lukasz.bromirski.net
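The two claims in the post (that 350k SYNs per second is only about 179 Mbit/s of line rate, and that a stateful device with a finite session table will fill up under a sustained flood of new connections) can be put into a small capacity model. The block below is an added example, not code from the post or from any vendor; the 350k sessions/s and 10M-entry figures are the ones quoted above, while the 64-byte frame size, the per-entry hold time and the legitimate-traffic rate are assumptions chosen for illustration. It goes slightly beyond the post by letting you vary the hold time and see when the table never fills (Little's law: resident entries = arrival rate x residence time).

```python
"""Capacity model for a stateful inline device under a SYN flood.

Added example, not code from the post or from any vendor. The 350k
sessions/s and 10M-entry figures come from the post; the 64-byte frame,
the hold time per entry and the legitimate-traffic rate are assumptions.
"""
from collections import deque
from typing import Optional, Tuple


def wire_bits_per_second(pps: int, frame_bytes: int = 64) -> int:
    """Line rate consumed by `pps` frames of `frame_bytes` each.

    64 bytes is the minimum Ethernet frame (a bare TCP SYN pads up to it);
    preamble and inter-frame gap are ignored, which is what gives the
    post's "around 179 Mbit/s" for 350k pps.
    """
    return pps * frame_bytes * 8


def steady_state_entries(new_per_second: int, hold_seconds: int) -> int:
    """Little's law: entries resident = arrival rate x residence time."""
    return new_per_second * hold_seconds


def simulate_session_table(capacity: int, setup_rate: int, hold_seconds: int,
                           attack_pps: int, legit_pps: int,
                           seconds: int) -> Tuple[Optional[int], int, float]:
    """One-second-step model of a finite session table.

    Every admitted connection attempt (hostile or not) occupies one entry
    for `hold_seconds` (assumed uniform, e.g. the half-open timeout for a
    handshake that never completes). Admission per second is capped by the
    device's setup rate and by free slots. The device cannot tell a hostile
    SYN from a legitimate one at admission time, so slots go to each in
    proportion to its offered rate.

    Returns (first second the table is full or None, entries at the end,
    share of legitimate attempts that got a slot).
    """
    table = 0
    expiring = deque()  # (second at which this batch leaves the table, size)
    first_full: Optional[int] = None
    legit_admitted = 0.0
    legit_offered = 0
    for t in range(seconds):
        # free the entries whose hold time has elapsed
        while expiring and expiring[0][0] <= t:
            table -= expiring.popleft()[1]
        offered = attack_pps + legit_pps
        admit = min(offered, setup_rate, capacity - table)
        if offered:
            legit_admitted += admit * (legit_pps / offered)
        legit_offered += legit_pps
        table += admit
        if admit:
            expiring.append((t + hold_seconds, admit))
        if table >= capacity and first_full is None:
            first_full = t
    share = legit_admitted / legit_offered if legit_offered else 1.0
    return first_full, table, share


if __name__ == "__main__":
    print(wire_bits_per_second(350_000) / 1e6, "Mbit/s for 350k pps of 64-byte frames")
    print(steady_state_entries(350_000, 30), "entries needed to hold 30 s of 350k/s")
    # 10M-entry table, 350k/s setup rate, 30 s hold, 350k hostile + 1k legit SYNs/s
    print(simulate_session_table(10_000_000, 350_000, 30, 350_000, 1_000, 60))
```

With the post's numbers and a 30-second hold time the table is full after 28 seconds, and from then on every new connection, legitimate ones included, competes for the slots freed each second; cut the hold time to 20 seconds and the same flood never fills it, which is exactly the trade-off (bigger box, shorter timeouts, or accept failure) the post describes.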
