[120796] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (jim deleskie)
Mon Jan 4 21:20:20 2010
In-Reply-To: <5D4753F2-3BCB-4F7A-A5B7-4EA600651368@arbor.net>
Date: Mon, 4 Jan 2010 22:18:28 -0400
From: jim deleskie <deleskie@gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
What Roland said, I've seen people do this, no rules in place, still
was able to kill the box (firewall) with a single CPU server.
-jim
On Mon, Jan 4, 2010 at 10:04 PM, Dobbins, Roland <rdobbins@arbor.net> wrote=
:
>
> On Jan 5, 2010, at 4:25 AM, Jeffrey Lyon wrote:
>
>> Use a robust firewall such as a Netscreen in front of your mitigation
>> tool.
>
> Absolutely not - the firewall will fall over due to state-table exhaustio=
n before the mitigation system will. =A0Firewalls (which have no place in f=
ront of servers in the first place), load-balancers, and any other stateful=
devices should be southbound of the mitigation system.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> =A0 =A0Injustice is relatively easy to bear; what stings is justice.
>
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0-- H.L. Mencken
>
>
>
>
>
