[177906] in North American Network Operators' Group


Re: Checkpoint IPS

daemon@ATHENA.MIT.EDU (Ca By)
Sat Feb 7 23:05:37 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <4715E281-B72B-4A1D-BE80-623C007D4CB4@arbor.net>
Date: Sat, 7 Feb 2015 20:05:29 -0800
From: Ca By <cb.list6@gmail.com>
To: Roland Dobbins <rdobbins@arbor.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Friday, February 6, 2015, Roland Dobbins <rdobbins@arbor.net> wrote:

>
> On 6 Feb 2015, at 23:23, Darden, Patrick wrote:
>
>> And when your opinion is an acknowledged universal constant, I will tip
>> my hat to you.
>>
>
> It's been a constant for the last couple of decades - I can't count the
> number of times I've been involved in mitigating penny-ante DDoS attacks
> which succeeded *solely* due to state exhaustion on stateful firewalls,
> 'IPS' devices, and load-balancers.
>
> I've seen a 20gb/sec commercial stateful firewall taken down by a 3mb/sec
> spoofed SYN-flood.
>
> I've seen a 10gb/sec commercial load-balancer taken down by 60 seconds at
> 6kpps - yes, 6kpps - of HOIC.
>
> And so on, and so forth.
>
> 'Dismiss' it all you like, but it's a real issue, as others on this list
> know from bitter experience.



Hi,

Roland is right. 99% of network based security products are pure snake
oil. Patch your servers, know your baseline, statelessly filter unwanted
traffic, rtbh as needed, sleep well at night.

Bye.


> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
>
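The state-exhaustion failure Roland describes, modelled as an added example (this is not code from either poster or from any product named in the thread): a stateful device keeps one table entry per unanswered SYN until a timeout, so the number of entries it must hold is arrival rate times hold time, and a modest spoofed SYN rate fills a finite table long before the link is busy. A stateless filter decides from headers alone and remembers nothing, so it has no table to exhaust. Packet size, timeout, table capacity and the traffic mix are constructed assumptions, not figures from the thread.

```python
"""State-table exhaustion on a stateful device versus a stateless filter (illustrative model)."""
from collections import deque
from typing import Deque, Dict, Tuple

# Constructed assumptions for the model; none of these values come from the thread.
SYN_BYTES = 64            # bytes on the wire for a minimal SYN, framing included
HALF_OPEN_TIMEOUT = 30.0  # seconds an unanswered SYN entry is kept before it is reaped


def syn_rate_for_bandwidth(bits_per_second: float, pkt_bytes: int = SYN_BYTES) -> float:
    """Packets per second that a given bandwidth of minimal SYNs represents."""
    return bits_per_second / (pkt_bytes * 8)


def steady_state_entries(pps: float, timeout: float = HALF_OPEN_TIMEOUT) -> int:
    """Half-open entries held at steady state: arrival rate times hold time (Little's law)."""
    return int(pps * timeout)


class StatefulDevice:
    """Tracks half-open connections in a bounded table, like a stateful firewall or LB."""

    def __init__(self, capacity: int, timeout: float = HALF_OPEN_TIMEOUT) -> None:
        self.capacity = capacity
        self.timeout = timeout
        # (timestamp, flow key); timestamps are appended in increasing order,
        # so expiry only ever pops from the left.
        self.half_open: Deque[Tuple[float, Tuple[str, int]]] = deque()
        self.admitted = 0   # legitimate SYNs that got a table slot
        self.refused = 0    # legitimate SYNs dropped because the table was full

    def _expire(self, now: float) -> None:
        while self.half_open and now - self.half_open[0][0] >= self.timeout:
            self.half_open.popleft()

    def new_syn(self, now: float, key: Tuple[str, int], legit: bool) -> bool:
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            if legit:
                self.refused += 1
            return False
        if legit:
            # Simplification: a real client completes the handshake within the
            # same tick, so its entry leaves the half-open table immediately.
            self.admitted += 1
            return True
        # A spoofed source never answers; its entry sits until the timeout reaps it.
        self.half_open.append((now, key))
        return True


class StatelessFilter:
    """Forwards or drops on header fields alone; nothing is remembered between packets."""

    def __init__(self, allowed_dst_ports: set) -> None:
        self.allowed_dst_ports = allowed_dst_ports

    def forward(self, dst_port: int) -> bool:
        return dst_port in self.allowed_dst_ports


def run_scenario(attack_pps: float, legit_pps: float, duration: float, capacity: int) -> Dict[str, int]:
    """Replay a constructed stream of spoofed and legitimate SYNs through both devices."""
    attack = [(i / attack_pps, ("spoofed", i), False) for i in range(int(attack_pps * duration))]
    legit = [(j / legit_pps, ("client", j), True) for j in range(int(legit_pps * duration))]
    events = sorted(attack + legit)  # merge by timestamp

    stateful = StatefulDevice(capacity)
    stateless = StatelessFilter(allowed_dst_ports={80, 443})
    stateless_admitted = 0
    for now, key, is_legit in events:
        stateful.new_syn(now, key, is_legit)
        # The stateless filter sees the same packets; every legitimate SYN to an
        # allowed port is forwarded, no matter how many spoofed ones preceded it.
        if is_legit and stateless.forward(dst_port=443):
            stateless_admitted += 1
    return {
        "stateful_admitted": stateful.admitted,
        "stateful_refused": stateful.refused,
        "stateless_admitted": stateless_admitted,
        "legit_total": len(legit),
    }


if __name__ == "__main__":
    pps = syn_rate_for_bandwidth(3e6)  # 3 Mb/s of minimal SYNs
    print(f"{pps:.0f} SYN/s -> {steady_state_entries(pps)} half-open entries at steady state")
    print(run_scenario(attack_pps=pps, legit_pps=10, duration=20, capacity=50_000))
```

With the assumed 64-byte SYN and 30-second timeout, 3 Mb/s works out to roughly 5,900 SYN/s and about 176,000 concurrent half-open entries; a 50,000-entry table fills after about 8.5 seconds, after which every legitimate connection attempt through the stateful device is refused while the stateless filter keeps forwarding all of them. The interesting knob is capacity versus timeout, not link speed, which is why the link can be nearly idle while the device is down.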
