[121074] in North American Network Operators' Group


Re: D/DoS mitigation hardware/software needed.

daemon@ATHENA.MIT.EDU (Roger Marquis)
Sat Jan 9 21:04:01 2010

Date: Sat, 9 Jan 2010 18:03:25 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: nanog@nanog.org
In-Reply-To: <mailman.1758.1263079674.817.nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Dobbins, Roland wrote:
>> Firewalls do have their place in DDoS mitigation scenarios, but if used as
>> the "ultimate" solution you're asking for trouble.
>
> In my experience, their role is to fall over and die, without
> exception.

That hasn't been my experience but then I'm not selling anything that
might have a lower ROI than firewalls, in small to mid-sized
installations.

> I can't imagine what possible use a stateful firewall has being
> placed in front of servers under normal conditions, much less
> during a DDoS attack; it just doesn't make sense.

Firewalls are not designed to mitigate large scale DDoS, unlike Arbors,
but they do a damn good job of mitigating small scale attacks of all
kinds including DDoS.  Firewalls actually do a better job for small to
medium sites whereas you need an Arbor-like solution for large scale
server farms.

Firewalls do a good job of protecting servers, when properly configured,
because they are designed exclusively for the task.  Their CAM tables,
realtime ASICs and low latencies are very much unlike the CPU-driven,
interrupt-bound hardware and kernel-locking, multi-tasking software on a
typical web server.  IME it is a rare firewall that doesn't fail long,
long after (that's after, not before) the hosts behind them would have
otherwise gone belly-up.

Rebooting a hosed firewall is also considerably easier than repairing
corrupt database tables, cleaning full log partitions, identifying
zombie processes, and closing their open file handles.

Perhaps a rhetorical question, but do systems administration or
operations staff agree with netops' assertion that they 'don't need no
stinking firewall'?

Roger Marquis
