On Friday, February 6, 2015, Roland Dobbins <rdobb...@arbor.net> wrote:
> On 6 Feb 2015, at 23:23, Darden, Patrick wrote:
>
>> And when your opinion is an acknowledged universal constant, I will tip
>> my hat to you.
>
> It's been a constant for the last couple of decades - I can't count the
> number of times I've been involved in mitigating penny-ante DDoS attacks
> which succeeded *solely* due to state exhaustion on stateful firewalls,
> 'IPS' devices, and load-balancers.
>
> I've seen a 20gb/sec commercial stateful firewall taken down by a 3mb/sec
> spoofed SYN-flood.
>
> I've seen a 10gb/sec commercial load-balancer taken down by 60 seconds at
> 6kpps - yes, 6kpps - of HOIC.
>
> And so on, and so forth.
>
> 'Dismiss' it all you like, but it's a real issue, as others on this list
> know from bitter experience.

Hi,

Roland is right. 99% of network based security products are pure snake oil.

Patch your servers, know your base line, statelessly filter unwanted traffic, rtbh as needed, sleep well at night.

Bye.

> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>