[121114] in North American Network Operators' Group


Re: D/DoS mitigation hardware/software needed.

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Jan 10 17:02:32 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Sun, 10 Jan 2010 21:56:38 +0000
In-Reply-To: <20100110165513.B733A2B2152@mx5.roble.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 10, 2010, at 11:55 PM, Roger Marquis wrote:

> The only thing you've said that is being disputed is the claim that a
> firewall under a DDoS type of attack will fail before a server under the
> same type of attack.

It's so obvious that well-crafted programmatically-generated attack traffic,
if nothing else, will crowd out the good traffic that I'm just dumbfounded
anyone thinks 'proof' of this is needed.  Same thing for the fact that a
horizontally-scaled Web farm (with or without reverse caching proxies) will
of necessity handle a great deal more TCP state than the biggest firewall
made to date.

>  * because it doesn't correlate with my 22 years of experience in systems
>  administration and 14 years in netops (including Yahoo netsecops where I
>  did use IXIAs to compile stats on FreeBSD and Linux packet filtering),

It doesn't correlate with my 25 years in the industry, a good portion of the
last 15 years spent handling DDoS after DDoS after DDoS, during which the
biggest, baddest firewalls choked and died over and over again, through
multiple generations of said firewalls.

Again, I was able to take down a hardware-based (for whatever value of
'hardware-based' is possible) firewall rated at 2gb/sec with 80kpps of
traffic.

> * it doesn't correlate with experience in large networks with multiple
> geographically dispersed data centers where we did use Arbor, Cisco and
> Juniper equipment,

It correlates with my experience in large networks with
geographically-dispersed IDCs with heterogeneous gear.

> * it doesn't correlate with server and firewall hardware and software
> designs, and last but not least,

Which is a non-sequitur.

> * because you have shown no objective evidence to support the claim.

I've my own broad subjective experience, and several other people who've
commented on this thread have similar experiences.  Since you haven't yet
acquired this subjective experience, you can cause it to happen in a
controlled test environment, should you so choose.

> Where then, can we find the results of your testing?

The testing I did when I worked for the vendor in question is proprietary,
as you can well surmise.  You're free to do your own testing and confirm
these assertions for yourself.

> Nobody has "hurled insults" in this thread other than yourself Roland.

You accused me of acting in my own pecuniary interest, of trying to 'sell'
things, *for no reason at all*.

> We just need some actual statistics.

If you actually care about the truth of the matter, you're free to generate
your own.  If you read the RoK/USA DDoS preso to which I linked, you see the
attack throughput and bandwidth metrics/host, and you also see where I noted
multiple 'Web Application Firewalls', load-balancers, and so-called 'IPS'
falling over as a result of those attacks.  That gives you a range right
there, along with some attack traffic characteristics, including average
packet size.

It makes no sense to put a stateful inspection device in front of servers,
where *every single packet* is unsolicited, and therefore no state tracking
is even possible in the first place.  Stateless filters in hardware capable
of mpps do a much better job, without the risk of falling over due to
state-table exhaustion.

Folks who've been unlucky enough to be subjected to significant DDoS attacks
have run into this issue again and again and again.  Perhaps you've simply
been lucky; but one can't count on one's luck holding forever.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
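The state-table exhaustion argument in the message above, modelled as an added example (not code from this thread or from any vendor): a stateful device that allocates one entry per previously unseen flow is simulated beside a stateless per-packet filter on the same constructed traffic, and `steady_state_entries` shows how many entries a state table must hold at the 80kpps figure quoted above if an assumed 30-second idle timeout applies. Capacity, timeout, rates and addresses are all illustrative assumptions.

```python
from collections import OrderedDict

def steady_state_entries(new_flows_per_s, idle_timeout_s):
    """Entries a stateful device must hold when every packet opens a new flow."""
    return new_flows_per_s * idle_timeout_s

class StatefulFirewall:
    """Every previously unseen 5-tuple allocates an entry until it idles out.
    Capacity and timeout are illustrative, not any real product's figures."""

    def __init__(self, capacity=1000, idle_timeout_s=30):
        self.capacity, self.idle_timeout = capacity, idle_timeout_s
        self.table = OrderedDict()  # flow -> last-seen tick, oldest first

    def accept(self, now, flow):
        # Reclaim idle entries; the front of the OrderedDict is always the oldest.
        while self.table and now - next(iter(self.table.values())) > self.idle_timeout:
            self.table.popitem(last=False)
        if flow in self.table:
            self.table.move_to_end(flow)
        elif len(self.table) >= self.capacity:
            return False  # state-table exhaustion: the new flow is refused
        self.table[flow] = now
        return True

class StatelessFilter:
    """Per-packet rule with no flow memory: nothing to exhaust."""

    def __init__(self, allowed_dports=(80,)):
        self.allowed = set(allowed_dports)

    def accept(self, now, flow):
        return flow[3] in self.allowed

def simulate(device, unsolicited_per_tick, legit_per_tick, ticks):
    """Return (legit flows attempted, legit flows refused); one tick = one second.
    Constructed traffic: unsolicited flows from 198.51.100.0/24 and legit flows
    from 192.0.2.7, all to port 80 on 203.0.113.10, so the ACL must permit 80."""
    attempted = refused = n = 0
    for now in range(ticks):
        for _ in range(unsolicited_per_tick):
            device.accept(now, (f"198.51.100.{n % 256}", 1024 + n // 256, "203.0.113.10", 80))
            n += 1
        for _ in range(legit_per_tick):
            attempted += 1
            if not device.accept(now, ("192.0.2.7", 40000 + attempted, "203.0.113.10", 80)):
                refused += 1
    return attempted, refused
```

With 100 unsolicited new flows per second against a 1000-entry table and a 30-second timeout, the table fills in ten seconds and legitimate flows are then refused for most of the run, while the stateless filter refuses none of them.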