[120905] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Jan 6 03:18:26 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Wed, 6 Jan 2010 08:12:46 +0000
In-Reply-To: <6eb799ab1001052347s6faddue4e9f6c1a5fea6d5@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 6, 2010, at 2:47 PM, James Hess wrote:
> "Overflowing the state table" then becomes only a possible
> outcome that has some acceptable level of probability, assuming
> that your other protections have already failed...
Wrong. The attacker just programmatically generates semantically-valid tra=
ffic which is indistinguishablle from real traffic, and crowds out the real=
traffic.
All those fancy timers and counters and what-not don't matter.
I've seen it done over and over again. Why some folks seem to think this i=
s theoretical or that I somehow haven't thought of something they think wil=
l prove to be a magic solution is really beyond me, heh.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
