[120801] in North American Network Operators' Group


Re: D/DoS mitigation hardware/software needed.

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Mon Jan 4 22:13:33 2010

In-Reply-To: <16720fe01001041906x3832752jed167ab7e633ba4c@mail.gmail.com>
Date: Tue, 5 Jan 2010 08:43:01 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Jan 5, 2010 at 8:36 AM, Jeffrey Lyon
<jeffrey.lyon@blacklotus.net> wrote:
> We have such a configuration in progress, it works great without any of the
> issues you're proposing.

So .. this is interesting.

The firewall would have to frontend your mail / web / whatever
application .. and if something goes beyond the firewall's rated
capacity (100k ++ - maybe nearly 150..175k connections per second for
a high end firewall), the firewall falls over.

And even before that, there's the risk of whatever application you're
protecting getting pounded flat if your firewall passes even a small
percentage of this traffic.

Do you -

1. Have (say) two firewalls in HA config?

2. Back your firewall with routing based measures, S/RTBH, blackhole
communities your upstream offers, etc [the standard nspsec bootcamp
stuff]

3. Simply back the firewall with a netflow based device?

4. Estimate that the risk of a DDoS that exceeds your firewall's rated
capacity is extremely low?  [and yes, 150k ++ connections per second
ddos is going to be massive, and relatively rare for most people]

--srs

-- 
Suresh Ramasubramanian (ops.lists@gmail.com)
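To make option 3 above concrete, here is an added example (not from the thread or any poster) of a netflow-backed monitor: it estimates new connections per second per destination from sampled flow records, compares the estimate against an assumed firewall rating, and names the /32 an operator would consider for S/RTBH before the firewall reaches its limit. The record format, the 1:10000 sampling rate, the 150k cps rating and all addresses are constructed assumptions.

```python
"""Sampled-netflow connection-rate monitor for a firewall fronting a service.

Added example, not code from the thread. Estimates new TCP connections
per second per destination from sampled flow records, compares them with
the firewall's rated connections/sec, and flags seconds where headroom
is gone. Capacity figures, sampling rate and records are constructed.
"""
from collections import defaultdict

RATED_CPS = 150_000      # assumed firewall rating (connections/sec)
WARN_FRACTION = 0.7      # warn once the estimate passes 70% of the rating
SAMPLING_RATE = 10_000   # assumed 1:10000 flow sampling on the edge router

def parse_flow(line):
    """Parse a constructed record 'ts src dst dport tcpflags' into a dict."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}

def estimate_cps(flows, sampling_rate=SAMPLING_RATE):
    """Map (ts, dst) -> estimated new connections/sec from SYN-only flows."""
    est = defaultdict(int)
    for f in flows:
        if f["flags"] == "S":        # flow that only ever showed SYN: a fresh attempt
            est[(f["ts"], f["dst"])] += sampling_rate
    return est

def assess(lines, rated_cps=RATED_CPS, warn_fraction=WARN_FRACTION):
    """Return [(ts, dst, est_cps, action)] for every second at or over the warn level."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    alerts = []
    for (ts, dst), cps in sorted(estimate_cps(flows).items()):
        if cps >= rated_cps:
            alerts.append((ts, dst, cps, "rtbh-candidate"))   # blackhole this /32 upstream
        elif cps >= rated_cps * warn_fraction:
            alerts.append((ts, dst, cps, "warn"))             # headroom is shrinking
    return alerts

def sample_records():
    """Constructed sampled-flow records: a normal second, then a SYN-flood ramp."""
    recs = [f"100 198.51.100.{i} 192.0.2.10 25 S" for i in range(3)]   # ~30k cps, normal
    recs.append("100 198.51.100.9 192.0.2.10 25 A")                    # established, ignored
    recs += [f"101 203.0.113.{i} 192.0.2.10 25 S" for i in range(12)]  # ~120k cps, 80% of rating
    recs += [f"102 203.0.113.{i} 192.0.2.10 25 S" for i in range(16)]  # ~160k cps, over rating
    return recs

if __name__ == "__main__":
    for alert in assess(sample_records()):
        print(alert)
```

The warn step is what buys time to push a blackhole community to the upstream (option 2) before the firewall itself, not the application, becomes the thing that falls over.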
