D/DoS mitigation hardware/software needed.

Joe Greco jgreco at ns.sol.net
Sun Jan 10 08:40:51 CST 2010


> Firewalls do a good job of protecting servers, when properly configured,
> because they are designed exclusively for the task.  Their CAM tables,
> realtime ASICs and low latencies are very much unlike the CPU-driven,
> interrupt-bound hardware and kernel-locking, multi-tasking software on a
> typical web server.  IME it is a rare firewall that doesn't fail long,
> long after (that's after, not before) the hosts behind them would have
> otherwise gone belly-up.

Then you need to get rid of that '90's antique web server and get
something modern.  When you say "interrupt-bound hardware," all you
are doing is showing that you're not familiar with modern servers
and quality operating systems that are designed to mitigate things
like DDoS attacks.

"Stateful filtering" is to firewalls what "interrupt-based packet
processing" is to web servers.  Both are recipes for disaster.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list