Thanks. The funny question would be: as a service provider, what recommendation would I get?
The basic setup I have now does contain NetFlow and basic analysis, which helps to detect these issues. One of the ideas was to drop DDoS traffic on the EDGE of the network to lower the issues on the application level. Since the network is built with multi-layer FWs from the EDGE to the host, which drop specific IPs on demand (very rarely done), we just block on the closest FW first to eliminate the application harassment, and if the NetFlow analysis shows a bigger attack we block it on the EDGE.

Sometimes clients do complain about a DoS attack, but since the attack is not a DDoS the conclusion is that the client needs to use the machine-local FW or application rules to prevent the issue. For a client that serves an in-country service I recommend allowing access only to the needed IPSETS on the machine-local FW. There are issues with that, and many admins (the man that is in charge of the machine and not always a real sysadmin) will not like the idea or just do not know/want to operate the machine-local FW.

Thanks,
Eliezer

On 07/02/2014 12:41 AM, Olivier Cochard-Labbé wrote:
> I try to avoid "stateful" firewalls for protecting server farms:
> stateful firewalls were designed for protecting only "clients that
> initiate traffic to unknown".
> Try to put a stateful firewall in front of a DNS server as an example: the
> firewall will become the bottleneck long before the DNS server :-)
>
> And regarding DoS/DDoS: once it enters your pipe, it's too late. You
> should check with your SP the solution they propose for filtering this
> traffic before it comes to you.
>
> Regards,

_______________________________________________
Bsdrp-users mailing list
Bsdrp-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bsdrp-users
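The triage Eliezer describes (NetFlow shows a single noisy source, so it is the client's machine-local firewall job; NetFlow shows a broad attack, so it is dropped at the edge) can be written down as a small rule. The following is an added example, not code from the list thread or from BSDRP: it classifies constructed NetFlow-style records per destination using three assumed thresholds (`PACKET_THRESHOLD`, `DISTRIBUTED_MIN_SOURCES`, `TOP_SOURCE_SHARE`) and returns where the block belongs. The addresses are RFC 5737 documentation ranges, and the threshold values are placeholders to be replaced by baselines from the real collector.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record, reduced to the fields the triage needs."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


# Triage thresholds per aggregation window. These are assumptions for this
# example, not values from the list post; tune them to measured baselines.
PACKET_THRESHOLD = 50_000      # packets to one destination before we care
DISTRIBUTED_MIN_SOURCES = 20   # at least this many sources => distributed
TOP_SOURCE_SHARE = 0.8         # one source above this share => single-source
REPORT_SHARE = 0.05            # sources below this share are not worth listing


def packets_per_source(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Aggregate packet counts as dst -> src -> packets."""
    per_dst: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.dst][f.src] += f.packets
    return per_dst


def classify(flows: List[Flow]) -> Dict[str, Tuple[str, List[str]]]:
    """Return dst -> (verdict, offending sources ranked by packet count).

    verdict is one of:
      "none"          below threshold, nothing to do
      "single-source" one source (or a few) dominates: machine-local FW job
      "distributed"   many sources, none dominant: drop at the edge
    """
    verdicts: Dict[str, Tuple[str, List[str]]] = {}
    for dst, srcs in packets_per_source(flows).items():
        total = sum(srcs.values())
        if total < PACKET_THRESHOLD:
            verdicts[dst] = ("none", [])
            continue
        ranked = sorted(srcs, key=srcs.get, reverse=True)
        top_share = srcs[ranked[0]] / total
        if len(srcs) >= DISTRIBUTED_MIN_SOURCES and top_share < TOP_SOURCE_SHARE:
            verdicts[dst] = ("distributed", ranked)
        else:
            # Only the sources that actually carry the flood; background
            # traffic to the same host is left alone.
            loud = [s for s in ranked if srcs[s] / total >= REPORT_SHARE]
            verdicts[dst] = ("single-source", loud)
    return verdicts


def recommendation(dst: str, verdict: Tuple[str, List[str]]) -> str:
    """Turn a verdict into the operator-facing advice from the thread."""
    kind, sources = verdict
    if kind == "none":
        return f"{dst}: within baseline"
    if kind == "single-source":
        return (f"{dst}: not a DDoS; drop {', '.join(sources)} on the "
                f"machine-local firewall or with application rules")
    return f"{dst}: distributed ({len(sources)} sources); block at the edge"


# Constructed sample window (not real collector output).
SAMPLE_FLOWS: List[Flow] = (
    # Normal traffic to all three hosts.
    [Flow("198.51.100.1", dst, 443, 40, 30_000)
     for dst in ("192.0.2.10", "192.0.2.20", "192.0.2.30")]
    # One host flooding 192.0.2.10 on port 53.
    + [Flow("203.0.113.7", "192.0.2.10", 53, 90_000, 5_400_000)]
    # Thirty hosts each sending a modest share to 192.0.2.20.
    + [Flow(f"203.0.113.{i}", "192.0.2.20", 80, 3_000, 180_000)
       for i in range(100, 130)]
)


if __name__ == "__main__":
    for dst, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(recommendation(dst, verdict))
```

The split matters operationally because the two answers are cheap in opposite places: one loud source is a single rule on the host, whereas thirty sources with no dominant one cannot be cleaned up by the client and must be dropped before the pipe fills, which is Olivier's point as well.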