D/DoS mitigation hardware/software needed.

Roger Marquis marquis at roble.com
Sun Jan 10 16:55:13 UTC 2010


Dobbins, Roland wrote:
>My employer's products don't compete with firewalls, they *protect* them;
>if anything, it's in my pecuniary interest to *encourage* firewall
>deployments, so said firewalls will fall down and need protection, heh.

Nobody's disputing that, Roland, or the fact that different specialized
appliances will protect against different perimeter attacks.  The only
thing you've said that is being disputed is the claim that a firewall
under a DDoS type of attack will fail before a server under the same type
of attack.

I question this claim for several reasons.

  * because it doesn't correlate with my 22 years of experience in systems
  administration and 14 years in netops (including Yahoo netsecops where I
  did use IXIAs to compile stats on FreeBSD and Linux packet filtering),

  * it doesn't correlate with experience in large networks with multiple
  geographically dispersed data centers where we did use Arbor, Cisco and
  Juniper equipment,

  * it doesn't correlate with server and firewall hardware and software
  designs, and last but not least,

  * because you have shown no objective evidence to support the claim.

> I did this kind of testing when I worked for the largest
> manufacturer of firewalls in the world

Where then, can we find the results of your testing?

> Here's the thing; you're simply mistaken, and you hurl insults
> instead of listening to the multiple people on this
> thread who have vastly more large-scale Internet experience than
> you do and who concur with these prescriptions.

Nobody has "hurled insults" in this thread other than yourself, Roland.
Shame on you for such disreputable tactics.  To make the case you need
more than repeated dismissal of requests for evidence and repeated
unsupported claims of "vast experience" with failing servers and
firewalls.  We just need some actual statistics.

Roger Marquis