[121081] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sat Jan 9 22:29:30 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Sun, 10 Jan 2010 03:21:18 +0000
In-Reply-To: <20100110030507.4CEFA2B2161@mx5.roble.com>
On Jan 10, 2010, at 10:05 AM, Roger Marquis wrote:
> Ok, I'll bite. What firewalls are you referring to?
Hardware-based commercial firewalls from the major vendors, open-source/DIY, and anything in between. All stateful firewalls ever made, period (as discussed previously in the thread).
> So then you're talking about CPU-driven firewalls, without ASICs e.g., consumer-level gear? Well, that would explain why you think they fail before the servers behind them.
You obviously haven't read the thread.
No, I'm not talking about little firewalls, and no, I don't 'think' anything - I *know* it, because I've seen it over and over again, including during my tenure at the largest commercial firewall vendor in the world.
See here for a high-profile example:
<http://files.me.com/roland.dobbins/k54qkv>
I've personally choked a hardware-based firewall rated at 2gb/sec with only 80kpps of traffic from an old, PowerPC-based PowerBook, for example. And again, as noted repeatedly in the thread, all that's required to effectively DDoS servers behind firewalls is to programmatically generate well-formed, completely valid traffic which passes all the firewall rules/inspectors/what-have-you - enough to 'crowd out' legit traffic from legit users.
I strongly suggest reading the thread before commenting.
> Have you noticed how easily Drupal servers go down with corrupt MyISAM tables? How would S/RTBH and/or flow-spec protect against that?
We're talking about DDoS mitigation in order to keep the servers up and running, so that they don't go down ungracefully and corrupt anything in the first place.
Placing a stateful inspection device in a topological position where no stateful inspection is possible due to every incoming packet being unsolicited makes zero sense whatsoever from an architectural standpoint, even without going into implementation-specific details.
Once again - read the thread.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
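The point Roland makes above (80kpps choking a box rated at 2gb/sec, and valid traffic 'crowding out' legitimate users) is about state, not bandwidth. The toy model below is an added example for this archive page, not code from the post, from Arbor, or from any firewall vendor: it tracks flows in a fixed-size connection table with an idle timeout and feeds it well-formed packets that every rule would pass, so the only thing the device can do is allocate state. The table capacity, idle timeout, frame size, packet rates and the function names (bits_per_second, steady_state_entries, StateTable, simulate) are all assumptions chosen for illustration.

```python
# Toy model of a stateful firewall's connection table under a flood of
# well-formed, rule-passing traffic. Constructed example; the capacity, idle
# timeout, packet rates and frame size below are assumptions, not measurements.
import random
from collections import OrderedDict


def bits_per_second(pps, frame_bytes):
    """Line rate consumed by a packet rate at a given on-the-wire frame size."""
    return pps * frame_bytes * 8


def steady_state_entries(new_flows_per_sec, idle_timeout):
    """Entries a state table must hold when every flow is new and idles out."""
    return new_flows_per_sec * idle_timeout


class StateTable:
    """Connection table with fixed capacity and an idle timeout (assumed semantics)."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries = OrderedDict()  # flow key -> last-seen time, oldest first

    def expire(self, now):
        # Entries are kept in last-seen order, so idle ones sit at the front.
        while self.entries:
            key, last_seen = next(iter(self.entries.items()))
            if now - last_seen < self.idle_timeout:
                break
            self.entries.popitem(last=False)

    def admit(self, key, now):
        """True if the packet's flow is tracked (existing or new); False if dropped."""
        self.expire(now)
        if key in self.entries:
            self.entries.move_to_end(key)
            self.entries[key] = now
            return True
        if len(self.entries) >= self.capacity:
            return False  # table full: a perfectly valid packet is dropped anyway
        self.entries[key] = now
        return True


def simulate(capacity, idle_timeout, attack_pps, legit_cps, duration, seed=1):
    """Run `duration` seconds of attack flows plus legitimate new connections.

    Every packet carries a fresh 5-tuple and passes every rule, so the device
    must allocate state for each one. Returns admission counts for the
    legitimate connections and the second in which the table first filled.
    """
    rng = random.Random(seed)
    table = StateTable(capacity, idle_timeout)
    legit_ok = legit_dropped = 0
    full_at = None
    flow_id = 0
    for now in range(duration):
        # Interleave arrivals so legitimate users compete for free slots fairly.
        arrivals = ["attack"] * attack_pps + ["legit"] * legit_cps
        rng.shuffle(arrivals)
        for kind in arrivals:
            flow_id += 1
            admitted = table.admit((kind, flow_id), now)
            if kind == "legit":
                if admitted:
                    legit_ok += 1
                else:
                    legit_dropped += 1
        if full_at is None and len(table.entries) >= capacity:
            full_at = now
    return {"legit_ok": legit_ok, "legit_dropped": legit_dropped,
            "full_at": full_at, "occupancy": len(table.entries)}


if __name__ == "__main__":
    # 80 kpps of minimum-size frames is a tiny fraction of a 2 Gb/sec rating...
    bps = bits_per_second(80_000, 64)
    print(f"80 kpps at 64-byte frames = {bps / 1e6:.1f} Mb/s "
          f"({100 * bps / 2e9:.1f}% of a 2 Gb/s rating)")
    # ...but with an assumed 30 s idle timeout it demands 2.4M state entries.
    print("state entries needed:", steady_state_entries(80_000, 30))
    # Scaled-down run (assumed numbers): 250k-entry table, 20 kpps of attack
    # flows, 500 legitimate connections/sec, 30 s idle timeout, one minute.
    print(simulate(capacity=250_000, idle_timeout=30, attack_pps=20_000,
                   legit_cps=500, duration=60))
```

Two things fall out of the model. First, the bandwidth figure is irrelevant: 80kpps of 64-byte frames is about 41 Mb/s, roughly 2% of a 2 Gb/sec rating, yet it needs 2.4 million state entries at a 30-second timeout. Second, once the table fills (after capacity divided by new-flows-per-second seconds), new legitimate connections are dropped no matter how valid they are, and the long-run fraction of legitimate connections that get in falls to roughly capacity divided by (arrival rate times idle timeout). Shrinking the timeout or enlarging the table only moves the threshold; it does not change the fact that a device which must keep state for unsolicited packets is the thing that gives out first.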