[121063] in North American Network Operators' Group
RE: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Stefan Fouant)
Sat Jan 9 10:41:26 2010
From: "Stefan Fouant" <sfouant@shortestpathfirst.net>
To: "'Dobbins, Roland'" <rdobbins@arbor.net>, "'NANOG list'" <nanog@nanog.org>
In-Reply-To: <EC0C7554-66BD-4966-A273-4769D0395958@arbor.net>
Date: Sat, 9 Jan 2010 10:40:52 -0500
> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins@arbor.net]
> Sent: Saturday, January 09, 2010 10:03 AM
>
> On Jan 9, 2010, at 9:57 PM, Stefan Fouant wrote:
>
> > Firewalls do have their place in DDoS mitigation scenarios, but if
> > used as the "ultimate" solution you're asking for trouble.
>
> In my experience, their role is to fall over and die, without
> exception. I can't imagine what possible use a stateful firewall has
> being placed in front of servers under normal conditions, much less
> during a DDoS attack; it just doesn't make sense.
See the earlier post - what I'm referring to here is more along the lines of
stateless packet filters on upstream routers which can be triggered via
Flowspec or similar mechanisms... I'm not disagreeing with you here on the
other points and largely concur.
Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D