[c-nsp] DNS rewrite & global capabilities
Roland Dobbins
rdobbins at arbor.net
Wed Jul 1 00:09:42 EDT 2009
On Jul 1, 2009, at 11:02 AM, Quinn Mahoney wrote:
> Firewalls do have features, for instance, they can proxy a tcp-syn
> connection and not send it to the server if it doesn't get an ack.
Doesn't scale. Servers alone handle this much better, even without
syn-cookies.
> Also they obviously block traffic, which is a security benefit.
So do stateless ACLs in hardware - much more efficiently.
> Also, what if the attack has spoofed source addresses, and is evasive
> of profiling. In other words, what are you going to null route. The
> ingress path of the attack packets would have to be traced and cut off
> at the border of upstream providers, killing legit traffic as well.
Appropriate detection/classification/traceback tools and S/RTBH handle
most of this; the rest is where intelligent DDoS mitigation
capabilities come into play. Stateful firewalls don't do this, and
the stateful part is what makes them fall down.
> An advanced firewall or load balancer (that multiplexes the
> connections) would be able to mitigate this attack.
Again, they a) don't do what you're asserting they do and b) don't
scale.
This isn't a matter of opinion, it's a matter of operational
experience and fact. Putting stateful firewalls in front of servers
is both unnecessary and counterproductive.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
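To make concrete what "stateless ACLs in hardware" and S/RTBH mean in the exchange above, here is an added Cisco IOS-style configuration sketch; it is not part of the original thread or Roland's post. The server prefix 203.0.113.0/24, the attacking source prefix 198.51.100.0/24, the discard next-hop 192.0.2.1, AS 65000, the community 65000:666 and the route tag 666 are all constructed placeholders.

```cisco
! --- Every edge router ---
! Reserved next-hop that resolves to Null0; a BGP route whose next-hop
! is 192.0.2.1 is therefore discarded, for destinations and for sources.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface TenGigabitEthernet0/0/0
 description transit/peering uplink
 ! Loose-mode uRPF: drop a packet if the best route for its SOURCE
 ! address points to Null0. This is the "S" in S/RTBH.
 ip verify unicast source reachable-via any
 ! Stateless ACL, evaluated in forwarding hardware with no per-flow
 ! state, so it does not fall over under a flood the way a stateful
 ! firewall's connection table does.
 ip access-group SERVER-EDGE in
!
ip access-list extended SERVER-EDGE
 ! Only the services the server prefix actually offers.
 permit tcp any 203.0.113.0 0.0.0.255 eq 80
 permit tcp any 203.0.113.0 0.0.0.255 eq 443
 permit udp any 203.0.113.0 0.0.0.255 eq 53
 ! Keep ICMP so path MTU discovery still works.
 permit icmp any 203.0.113.0 0.0.0.255
 deny   ip any 203.0.113.0 0.0.0.255
 ! Traffic to other prefixes is not this ACL's concern.
 permit ip any any
!
! --- Trigger router (an iBGP speaker operators touch during an attack) ---
! Tagged static routes are redistributed into iBGP with the discard
! next-hop, so every edge router drops matching sources via uRPF
! without anyone touching the edge routers themselves.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 65000:666 no-export
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
! Operator action once traceback identifies the attacking source prefix.
! Remove the route to lift the blackhole when the attack ends.
ip route 198.51.100.0 255.255.255.0 Null0 tag 666
```

The source-based blackhole still discards any legitimate packets from 198.51.100.0/24, which is why the thread pairs it with classification and traceback rather than blackholing on a guess.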