[121093] in North American Network Operators' Group
Re: D/DoS mitigation hardware/software needed.
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Jan 10 01:47:02 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Sun, 10 Jan 2010 06:45:50 +0000
In-Reply-To: <20100110062727.0821E2B2163@mx5.roble.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 10, 2010, at 1:27 PM, Roger Marquis wrote:
> Reads like a sales pitch to me.
My employer's products don't compete with firewalls, they *protect* them; if anything, it's in my pecuniary interest to *encourage* firewall deployments, so said firewalls will fall down and need protection, heh.
Teaching people how to design their server farms, harden their network infrastructure, and deploy S/RTBH and flow-spec isn't selling anything. Only someone with ulterior motives would claim otherwise.
This isn't 'selling' anything, either:
<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
So, this line of attack falls flat, and merely comes across as unjustified, uninformed, foolish and petty.
> Your presentation makes a good case for Arbor-type defenses, against a certain type of attack, but it doesn't
> make the case you're referring to.
S/RTBH and flow-spec aren't 'Arbor-type defenses', and I had a long track record of making the case for all of these things for many years before I ever worked for Arbor.
>
> What would convince me is an IXIA on a subnet with ten hosts running a
> db-bound LAMP stack. Plot the failure points under different loads.
> Then add an ASA or Netscreen and see what fails under the same loads.
Then hop to it. I did this kind of testing when I worked for the largest manufacturer of firewalls in the world, so I've no need to repeat it.
> Which is basically claiming that the general purpose web server, running
> multiple applications, is more capable of inspecting every incoming packet
> than hardware specifically designed for the task and doing only the task
> it was designed for.
Properly tuned, yes.
Here's the thing; you're simply mistaken, and you hurl insults instead of listening to the multiple people on this thread who have vastly more large-scale Internet experience than you do and who concur with these prescriptions. That's your prerogative; and it's my prerogative to grow tired repeating the same points which have already been made earlier in this and other threads, when they fall on biased, deaf ears. If you choose not to read and understand and learn from the broader experiences of others, that's up to you. I'm done.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken