D/DoS mitigation hardware/software needed.

Manolo Hernandez mhernand1 at comcast.net
Sun Jan 10 17:15:11 UTC 2010

From someone who mostly lurks but has been in the network engineering operations biz for 17 years, the only OS that seems to always keel over under a DDoS and need a firewall is Windows. Linux in its current incarnation can handle a substantially larger attack before needing mitigation by a firewall-type device.

So in the end I believe it's the environment that dictates the use of products, unless you have the aforementioned Windows OS, which for me has always necessitated a firewall.

Sent from my BlackBerry

-----Original Message-----
From: Roger Marquis <marquis at roble.com>
Date: Sun, 10 Jan 2010 08:55:13 
To: <nanog at nanog.org>
Subject: Re: D/DoS mitigation hardware/software needed.

Dobbins, Roland wrote:
>My employer's products don't compete with firewalls, they *protect* them;
>if anything, it's in my pecuniary interest to *encourage* firewall
>deployments, so said firewalls will fall down and need protection, heh.

Nobody's disputing that Roland, or the fact that different specialized
appliances will protect against different perimeter attacks.  The only
thing you've said that is being disputed is the claim that a firewall
under a DDoS type of attack will fail before a server under the same type
of attack.

I question this claim for several reasons.

  * because it doesn't correlate with my 22 years of experience in systems
  administration and 14 years in netops (including Yahoo netsecops where I
  did use IXIAs to compile stats on FreeBSD and Linux packet filtering),

  * it doesn't correlate with experience in large networks with multiple
  geographically dispersed data centers where we did use Arbor, Cisco and
  Juniper equipment,

  * it doesn't correlate with server and firewall hardware and software
  designs, and last but not least,

  * because you have shown no objective evidence to support the claim.

> I did this kind of testing when I worked for the largest
> manufacturer of firewalls in the world

Where then, can we find the results of your testing?

> Here's the thing; you're simply mistaken, and you hurl insults
> instead of listening to the multiple people on this
> thread who have vastly more large-scale Internet experience than
> you do and who concur with these prescriptions.

Nobody has "hurled insults" in this thread other than yourself Roland.
Shame on you for such disreputable tactics.  To make the case you need
more than repeated dismissal of requests for evidence and repeated
unsupported claims of "vast experience" with failing servers and
firewalls.  We just need some actual statistics.

Roger Marquis
