[121084] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sat Jan 9 23:09:59 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Sun, 10 Jan 2010 03:56:51 +0000
In-Reply-To: <75cb24521001091933y2cda673djad3cc4dbb242b798@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 10, 2010, at 10:33 AM, Christopher Morrow wrote:
> separate the portions of the pie... only let the attack break the minimal=
portion of your deployment. Use the right tool in the right place.
An excellent point. A Web front-end server should be that - merely the fro=
nt-end. Situationally-appropriate functional separation is a key architect=
ural principle.
Combine that with the measures outlined in <http://mailman.nanog.org/piperm=
ail/nanog/2010-January/016747.html>, coupled with a functionally-separated,=
bulkheaded DNS infrastructure pictured in <http://files.me.com/roland.dobb=
ins/m4g34u>, and one will end up with a much more robust, scalable, and def=
ensible system.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
