[121079] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Roger Marquis)
Sat Jan  9 22:05:41 2010
Date: Sat, 9 Jan 2010 19:05:07 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: nanog@nanog.org
In-Reply-To: <mailman.1766.1263090558.817.nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Dobbins, Roland wrote:
>> Firewalls are not designed to mitigate large scale DDoS, unlike
>> Arbors, but they do a damn good job of mitigating small scale
>> attacks of all kinds including DDoS.
> 
> Not been my experience at all - quite the opposite.
Ok, I'll bite.  What firewalls are you referring to?
>> Their CAM tables, realtime ASICs and low latencies are very
>> much unlike the CPU-driven, interrupt-bound hardware and
>> kernel-locking, multi-tasking software on a typical web server.
>> IME it is a rare firewall that doesn't fail long, long after
>> (that's after, not before) the hosts behind them would have
>> otherwise gone belly-up.
> 
> Completely incorrect on all counts.
So then you're talking about CPU-driven firewalls, without ASICs, e.g.,
consumer-level gear?  Well, that would explain why you think they fail
before the servers behind them.
> I've been a sysadmin
Have you noticed how easily Drupal servers go down with corrupt MyISAM
tables?  How would S/RTBH and/or flow-spec protect against that?
Roger Marquis