[c-nsp] rate limit dns
Dobbins, Roland
rdobbins at arbor.net
Thu Jan 2 21:30:48 EST 2014
On Jan 3, 2014, at 12:32 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:

> With modern machines (from a few years back) you can track a lot of connections effortlessly.

I think you don't understand the scale of even small DDoS attacks in terms of state-tracking.

Stateful devices put in front of servers which are then DDoSed go down, taking down everything behind those stateful devices. I've seen 3mb/sec of spoofed SYN-flood take down a 20gb/sec stateful firewall; I've seen 10kpps of HOIC take down a 10gb/sec load-balancer.

This isn't theoretical or speculative.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton