[120795] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Tim Eberhard)
Mon Jan 4 21:18:18 2010
In-Reply-To: <5D4753F2-3BCB-4F7A-A5B7-4EA600651368@arbor.net>
Date: Mon, 4 Jan 2010 20:17:49 -0600
From: Tim Eberhard <xmin0s@gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Kinda funny you state that Roland. I know of at least two very large
carriers that uses Netscreens (and soon SRX's) for their DoS/DDoS
mitigation.
State table exhaustion on the netscreen platform is something that is very
easy to protect against with some protections and hasn't been a problem for
years. If you can fill up a session table on a higher end SRX then I would
be very very impressed. I would argue that firewalls place is in fact
directly infront of servers and load balancers to protect them.
On Mon, Jan 4, 2010 at 8:04 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
>
> On Jan 5, 2010, at 4:25 AM, Jeffrey Lyon wrote:
>
> > Use a robust firewall such as a Netscreen in front of your mitigation
> > tool.
>
> Absolutely not - the firewall will fall over due to state-table exhaustion
> before the mitigation system will. Firewalls (which have no place in front
> of servers in the first place), load-balancers, and any other stateful
> devices should be southbound of the mitigation system.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
>
>
>
>
>
