[120803] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Jan 4 22:19:58 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 5 Jan 2010 03:14:15 +0000
In-Reply-To: <16720fe01001041906x3832752jed167ab7e633ba4c@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 5, 2010, at 10:06 AM, Jeffrey Lyon wrote:
> We have such a configuration in progress, it works great without any of t=
he issues you're proposing.
Then you aren't testing it to destruction, heh.
;>
If it's a stateful firewall, and state-tracking is turned on, it's quite po=
ssible to craft sufficient pathological traffic which conforms to the firew=
all policies and yet which leads to state-table inspection. =20
And the stateful firewall serves no purpose in front of servers, in which *=
every incoming packet* is unsolicited. Far more sensible to enforce policy=
in stateless ACLs in ASIC-based router/switch hardware.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
