I don't need no stinking firewall!

Dobbins, Roland rdobbins at arbor.net
Mon Jan 11 00:15:35 CST 2010


On Jan 11, 2010, at 12:56 PM, George Bonser wrote:

>  One would probably have a load balancer of some sort in front of those machines.  That is the device that would be fielding any DoS.

Yes, and as you've noted previously, it should be protected via stateless ACLs in hardware capable of handling mpps, S/RTBH, flow-spec, IDMS, whatever.  And of course the load-balancer should also be fronted by a reverse-proxy cache farm, if the servers in question are Web servers.

> I have a feeling you are talking about relatively small amounts of traffic.  

I believe that these comments were more along the lines of 'servers can better handle this than stateful firewalls', not ruling out the use of load-balancers, reverse-proxy caches, etc. as appropriate.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken






