[121060] in North American Network Operators' Group
RE: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Stefan Fouant)
Sat Jan 9 09:58:07 2010
From: "Stefan Fouant" <sfouant@shortestpathfirst.net>
To: "'Łukasz Bromirski'" <lukasz@bromirski.net>,
"'NANOG list'" <nanog@nanog.org>
In-Reply-To: <4B48642D.5070108@bromirski.net>
Date: Sat, 9 Jan 2010 09:57:27 -0500
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> -----Original Message-----
> From: Łukasz Bromirski [mailto:lukasz@bromirski.net]
> Sent: Saturday, January 09, 2010 6:11 AM
>
> You mean Juniper SRX? The biggest box is a 5800, and it can handle
> up to 350k new sessions each second, up to maximum of 10 million
> (let's skip the fact that it's not that simple as it would look from
> the data sheet and there are major obstacles from reaching the
> numbers).
With all due respect, I've been playing with the high end SRXs lately and I have to say I've been incredibly impressed with the performance... I recently did some performance testing on the SRX 5600s and I was able to consistently observe it instantiating upwards of 150k new TCP sessions per second. Does the SRX have some bugs... sure... that is to be expected with a box which by all means is still relatively bleeding edge. I'm fairly confident given a little time to stabilize the code, they will be able to fix some of the obstacles you are describing above...
Having said that, I always laugh when I'm working with customers who have been DoSed and their response is "Well, our firewall/load balancer has DDoS mitigation capabilities...". Almost every firewall or load balancer device I've worked with (Netscreen, SRX, Brocade, Fortinet) that had any sort of DoS mitigation features was extremely limited in its capability. Most only do session-based limiting towards a given destination IP, with the ultimate result being that they simply rate-limit the traffic towards that destination. This in itself ends up completing the attacker's goal of denying service (even if just a subset) towards a given IP. And these types of features do nothing to assist with low-level attack traffic which require surgical mitigation, not to mention a host of other attack vectors.

Firewalls do have their place in DDoS mitigation scenarios, but if used as the "ultimate" solution you're asking for trouble.
Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
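The point Stefan makes about per-destination session limiting can be shown with a small simulation. This is an added example, not code from the thread or from any of the vendors named in it: it builds a constructed one-second workload of new-session attempts toward a single victim address (500 attacking sources, 50 legitimate clients, all addresses from documentation and benchmarking ranges), then applies two simplified limiter models. Policy A caps new sessions per destination IP, as the post says most firewalls do; policy B caps new sessions per source IP. The cap values (1000 per destination, 5 per source) and the client behaviour are assumptions chosen for the illustration.

```python
"""Added illustration (not from the NANOG thread): per-destination session
limiting throttles legitimate clients along with the attack, which is the
"completes the attacker's goal" effect described in the post.

Constructed workload: one second of new-session attempts toward one victim
IP from 500 attacking sources plus 50 legitimate clients. Both limiter
policies are simplified models, not any vendor's implementation.
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionAttempt:
    src: str     # source IP (constructed, documentation/benchmark ranges)
    dst: str     # destination IP (constructed)
    legit: bool  # ground truth, known only to the simulation, not the box


def build_sample(attackers=500, legit_clients=50,
                 attack_rate=20, legit_rate=2, seed=7):
    """Constructed one-second sample: each attacker opens attack_rate new
    sessions, each legitimate client legit_rate, interleaved in a fixed
    pseudo-random arrival order so results are reproducible."""
    victim = "192.0.2.10"
    attempts = []
    for i in range(attackers):
        src = f"198.18.{i // 256}.{i % 256}"      # RFC 2544 benchmark range
        attempts += [SessionAttempt(src, victim, False)] * attack_rate
    for i in range(legit_clients):
        src = f"203.0.113.{i + 1}"                # RFC 5737 documentation range
        attempts += [SessionAttempt(src, victim, True)] * legit_rate
    random.Random(seed).shuffle(attempts)
    return attempts


def limit_by_destination(attempts, max_new_per_dest):
    """Policy A: cap new sessions per destination IP. Once the cap is hit,
    every further attempt toward that IP is dropped, legitimate or not."""
    seen = defaultdict(int)
    accepted = []
    for a in attempts:
        if seen[a.dst] < max_new_per_dest:
            seen[a.dst] += 1
            accepted.append(a)
    return accepted


def limit_by_source(attempts, max_new_per_src):
    """Policy B: cap new sessions per source IP, so a chatty source is
    throttled without affecting other clients of the same destination."""
    seen = defaultdict(int)
    accepted = []
    for a in attempts:
        if seen[a.src] < max_new_per_src:
            seen[a.src] += 1
            accepted.append(a)
    return accepted


def legit_survival(attempts, accepted):
    """Fraction of legitimate session attempts that were admitted."""
    total = sum(a.legit for a in attempts)
    return sum(a.legit for a in accepted) / total if total else 1.0


def attack_volume(accepted):
    """Number of attack sessions the limiter still let through."""
    return sum(not a.legit for a in accepted)


def compare(max_new_per_dest=1000, max_new_per_src=5):
    """Run both policies over the same constructed workload and return
    (legitimate survival fraction, admitted attack sessions) per policy."""
    attempts = build_sample()
    by_dst = limit_by_destination(attempts, max_new_per_dest)
    by_src = limit_by_source(attempts, max_new_per_src)
    return {
        "dest_limit": (legit_survival(attempts, by_dst), attack_volume(by_dst)),
        "source_limit": (legit_survival(attempts, by_src), attack_volume(by_src)),
    }


if __name__ == "__main__":
    for policy, (survival, volume) in compare().items():
        print(f"{policy:13s} legit sessions surviving: {survival:6.1%}  "
              f"attack sessions admitted: {volume}")
```

Under the per-destination cap, the victim stays "up" from the firewall's point of view, but roughly nine in ten legitimate session attempts are dropped along with the attack traffic, which is the outcome the post describes. The per-source cap keeps every legitimate client, but note what it costs: it admits more raw attack sessions in this workload, and it only works when source addresses are real and not so numerous that each one stays under the cap, which is why the post calls for surgical mitigation rather than relying on either box feature as the ultimate answer.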