D/DoS mitigation hardware/software needed.

Roger Marquis marquis at roble.com
Sat Jan 9 20:03:25 CST 2010


Dobbins, Roland wrote:
>> Firewalls do have their place in DDoS mitigation scenarios, but if used as
>> the "ultimate" solution you're asking for trouble.
>
> In my experience, their role is to fall over and die, without
> exception.

That hasn't been my experience but then I'm not selling anything that
might have a lower ROI than firewalls, in small to mid-sized
installations.

> I can't imagine what possible use a stateful firewall has being
> placed in front of servers under normal conditions, much less
> during a DDoS attack; it just doesn't make sense.

Firewalls are not designed to mitigate large scale DDoS, unlike Arbors,
but they do a damn good job of mitigating small scale attacks of all
kinds including DDoS.  Firewalls actually do a better job for small to
medium sites whereas you need an Arbor-like solution for large scale
server farms.

Firewalls do a good job of protecting servers, when properly configured,
because they are designed exclusively for the task.  Their CAM tables,
realtime ASICs and low latencies are very much unlike the CPU-driven,
interrupt-bound hardware and kernel-locking, multi-tasking software on a
typical web server.  IME it is a rare firewall that doesn't fail long,
long after (that's after, not before) the hosts behind them would have
otherwise gone belly-up.

Rebooting a hosed firewall is also considerably easier than repairing
corrupt database tables, cleaning full log partitions, identifying
zombie processes, and closing their open file handles.

Perhaps a rhetorical question but, does systems administration or
operations staff agree with netop's assertion they 'don't need no
stinking firewall'?

Roger Marquis




More information about the NANOG mailing list