[c-nsp] DNS rewrite & global capabilities
Roland Dobbins
rdobbins at arbor.net
Wed Jul 1 01:24:27 EDT 2009
On Jul 1, 2009, at 12:09 PM, Quinn Mahoney wrote:
> Without a firewall proxying the TCP connection? That would depend on how many servers there are and what the firewalls can handle. The server never gets traffic from the spoofed addresses with the firewall, or from a load-balancer that multiplexes the TCP connections.
There isn't a firewall made which has the capacity to handle this more
efficiently than a well-configured server or server farm.
> I wouldn't say much more efficiently, since more advanced load balancers and firewalls route via ASICs and FPGAs.
I certainly would, and do; none of them run into the Mpps, as routers can and do.
> If the packet is the same as a normal request but a spoofed address,
> you're going to have some trouble even with automated systems looking
> for no syn/ack, and then hunting the source down and automatically
> blocking the true sources at the ingress of the upstreams.
Not with appropriate detection/classification/traceback tools. This
isn't new technology.
And blocking at the edges isn't generally accomplished automatically, but manually, upon demand. Intelligent DDoS mitigation devices can and do block automatically.
> That's even if such an effective system actually existed.
They do, see above.
> While the load-balancer or advanced firewall never sent the connection to the server, and the device is designed to be able to handle allocating memory for bogus connections.
They never send the legitimate traffic, either, being overwhelmed by
the DDoS.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
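The "looking for no syn/ack" detection that the thread argues over, as an added example that is not part of the original message and not any vendor's mitigation logic: a toy classifier replayed over a constructed packet trace. It tracks each client SYN until the client's final ACK arrives; SYNs that sit unanswered longer than a timeout are counted as half-open. The server address, the timeout, the thresholds and the trace itself are all assumptions made up for the example. The point it shows is why a spoofed-source flood is caught on the aggregate and not per source: every spoofed address contributes exactly one half-open connection, so a per-source rate limit never fires, while the total half-open count does.

```python
"""Toy SYN-flood classifier over a constructed packet trace (added example).

Trace records are (time, src, sport, dst, dport, flags) with flags one of
"S" (SYN), "SA" (SYN/ACK) or "A" (ACK). A SYN that the server answers but
the client never completes with an ACK is a half-open connection.
"""
from collections import defaultdict

SERVER = "10.0.0.5"   # assumed server address (constructed for the example)
TIMEOUT = 3.0         # assumed seconds a SYN may wait for its ACK before it is half-open


def track_handshakes(trace):
    """Replay the trace; return (pending, completed).

    pending:   {(src, sport): syn_time} for SYNs still waiting on the client's ACK
    completed: set of (src, sport) whose three-way handshake finished
    """
    pending = {}
    completed = set()
    for t, src, sport, dst, dport, flags in trace:
        key = (src, sport)
        if dst == SERVER and flags == "S":
            pending[key] = t
        elif src == SERVER and flags == "SA":
            # Server answered; with a spoofed source this SYN/ACK goes to an
            # address that never asked for it, so the entry stays pending.
            continue
        elif dst == SERVER and flags == "A" and key in pending:
            del pending[key]
            completed.add(key)
    return pending, completed


def classify(trace, now, max_half_open=20, per_source_limit=10):
    """Aggregate half-open count decides the verdict; per-source counts are
    reported so the reader can see that they stay below any sane limit when
    every source address is spoofed once."""
    pending, completed = track_handshakes(trace)
    half_open = {k: t for k, t in pending.items() if now - t > TIMEOUT}
    per_source = defaultdict(int)
    for src, _ in half_open:
        per_source[src] += 1
    over_limit = sorted(s for s, n in per_source.items() if n >= per_source_limit)
    return {
        "half_open": len(half_open),
        "completed": len(completed),
        "distinct_sources": len(per_source),
        "sources_over_limit": over_limit,
        "verdict": "syn_flood" if len(half_open) >= max_half_open else "normal",
    }


def constructed_trace():
    """Three real clients that finish the handshake, then forty spoofed SYNs."""
    trace = []
    for i, client in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        t, port = 1.0 + i, 40000 + i
        trace += [(t, client, port, SERVER, 80, "S"),
                  (t + 0.01, SERVER, 80, client, port, "SA"),
                  (t + 0.02, client, port, SERVER, 80, "A")]
    for i in range(40):
        spoofed, port, t = f"203.0.113.{i + 1}", 1024 + i, 5.0 + i * 0.01
        trace += [(t, spoofed, port, SERVER, 80, "S"),
                  (t + 0.01, SERVER, 80, spoofed, port, "SA")]
    return trace


if __name__ == "__main__":
    print(classify(constructed_trace(), now=5.5))   # handshakes still in flight
    print(classify(constructed_trace(), now=20.0))  # forty stale half-open entries
```

Evaluated a half-second after the burst nothing is flagged, because the SYNs are still inside the handshake timeout; fifteen seconds later all forty are half-open and the verdict flips, with no single source over the per-source limit. A real implementation would of course work from sampled flow records or SYN-cookie state rather than a replayed list, but the classification logic is the same.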