[177833] in North American Network Operators' Group


Re: Checkpoint IPS

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Fri Feb 6 11:32:16 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Fri, 06 Feb 2015 23:31:54 +0700
In-Reply-To: <12896a45c4544bd8802ef1204949fa3a@BRTEXMB02.phillips66.net>
Errors-To: nanog-bounces@nanog.org


On 6 Feb 2015, at 23:23, Darden, Patrick wrote:

> And when your opinion is an acknowledged universal constant, I will 
> tip my hat to you.

It's been a constant for the last couple of decades - I can't count the 
number of times I've been involved in mitigating penny-ante DDoS attacks 
which succeeded *solely* due to state exhaustion on stateful firewalls, 
'IPS' devices, and load-balancers.

I've seen a 20gb/sec commercial stateful firewall taken down by a 
3mb/sec spoofed SYN-flood.

I've seen a 10gb/sec commercial load-balancer taken down by 60 seconds at 
6kpps - yes, 6kpps - of HOIC.

And so on, and so forth.

'Dismiss' it all you like, but it's a real issue, as others on this list 
know from bitter experience.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
