D/DoS mitigation hardware/software needed.
marquis at roble.com
Sat Jan 9 20:03:25 CST 2010
Dobbins, Roland wrote:
>> Firewalls do have their place in DDoS mitigation scenarios, but if used as
>> the "ultimate" solution you're asking for trouble.
> In my experience, their role is to fall over and die, without
That hasn't been my experience, but then I'm not selling anything that
might have a lower ROI than firewalls, in small to mid-sized
> I can't imagine what possible use a stateful firewall has being
> placed in front of servers under normal conditions, much less
> during a DDoS attack; it just doesn't make sense.
Firewalls are not designed to mitigate large scale DDoS, unlike Arbors,
but they do a damn good job of mitigating small scale attacks of all
kinds including DDoS. Firewalls actually do a better job for small to
medium sites whereas you need an Arbor-like solution for large scale
Firewalls do a good job of protecting servers, when properly configured,
because they are designed exclusively for the task. Their CAM tables,
realtime ASICs and low latencies are very much unlike the CPU-driven,
interrupt-bound hardware and kernel-locking, multi-tasking software on a
typical web server. IME it is a rare firewall that doesn't fail long,
long after (that's after, not before) the hosts behind them would have
otherwise gone belly-up.
Rebooting a hosed firewall is also considerably easier than repairing
corrupt database tables, cleaning full log partitions, identifying
zombie processes, and closing their open file handles.
Perhaps a rhetorical question, but does systems administration or
operations staff agree with netop's assertion they 'don't need no