[121031] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Jan 8 10:51:39 2010

To: bill from home <bill@kruchas.com>
In-Reply-To: Your message of "Fri, 08 Jan 2010 08:22:00 EST." <4B473178.7010100@kruchas.com>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 08 Jan 2010 10:50:22 -0500
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Fri, 08 Jan 2010 08:22:00 EST, bill from home said:

> My question is at what size connection does a state table become
> vulnerable? Are we talking 1 Mb DSLs with a SOHO firewall?

Security - you're doing it wrong. ;)

The question you *should* be asking yourself is "at what size connection am I
enough of a network presence that I might attract attention from somebody who
might want to attack me?"  And that depends more on the *type* of presence than
the size of the pipe.

If you're a small electrical-components design firm that nobody's heard of, the
size of your state table is probably moot.  If one of your users just drew the
attention of some random 4chan /b/tard, the size of the state table is again
probably moot. ;)

But to answer your question - it's so absurdly easy for a competent(*) attacker
to saturate any edge connection smaller than a gigabit or so, that 'state
table exhaustion' is only *really* an issue if you have a 10G or bigger
pipe.

(*) There is of course the case of an incompetent attacker who only has a
botnet of a few hundred machines, attacking a small pipe. At that point, it's
probably a crap shoot - if your firewall falls over, you've been DDoS'ed. But
if it doesn't fall over, you'll probably *still* be DDoS'ed because the machines
you're protecting fall over...

