[120932] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Mark Smith)
Wed Jan 6 09:47:31 2010

Date: Thu, 7 Jan 2010 01:16:43 +1030
From: Mark Smith <nanog@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org>
To: "Dobbins, Roland" <rdobbins@arbor.net>
In-Reply-To: <5625755B-96E4-4C24-AD7B-E0F2FD3ABC6C@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, 6 Jan 2010 04:53:17 +0000
"Dobbins, Roland" <rdobbins@arbor.net> wrote:

> 
> On Jan 6, 2010, at 11:43 AM, George Bonser wrote:
> 
> >  Yes, you have to take some of the things that were done in one spot and do
> > them in different locations now, but the results are an amazing increase
> > in service capacity per dollar spent on infrastructure.
> 
> I strongly agree with the majority of your comments, with the caveat that I've seen many, many load-balancers fall over due to state-exhaustion, too; load-balancers need northbound protection from DDoS (S/RTBH, flow-spec, IDMS, et. al.), as well.
> 

And that is the crux of the matter. Any time you maintain state in the
network (e.g. stateful firewalls), you're vulnerable to traffic based
attacks that can exhaust that state. The Internet is scalable because
the (soft) state that it maintains, namely route tables, isn't
dependent on or influenced by the traffic that is forwarded through it.

Hosts have to maintain state about their connections - there is no
choice. However, the more you're able to push state tracking to the
hosts, the fewer the consequences of state-targeted attacks, and the
more scalable the architecture.



