On Sun, Feb 8, 2015 at 2:05 AM, Ca By <cb.li...@gmail.com> wrote:

> On Friday, February 6, 2015, Roland Dobbins <rdobb...@arbor.net> wrote:
>
> >
> > On 6 Feb 2015, at 23:23, Darden, Patrick wrote:
> >
> >  And when your opinion is an acknowledged universal constant, I will tip
> >> my hat to you.
> >>
> >
> > It's been a constant for the last couple of decades - I can't count the
> > number of times I've been involved in mitigating penny-ante DDoS attacks
> > which succeeded *solely* due to state exhaustion on stateful firewalls,
> > 'IPS' devices, and load-balancers.
> >
> > I've seen a 20 Gb/sec commercial stateful firewall taken down by a 3 Mb/sec
> > spoofed SYN-flood.
> >
> > I've seen a 10 Gb/sec commercial load-balancer taken down by 60 seconds at
> > 6 kpps - yes, 6 kpps - of HOIC.
> >
> > And so on, and so forth.
> >
> > 'Dismiss' it all you like, but it's a real issue, as others on this list
> > know from bitter experience.
>
>
>
> Hi,
>
> Roland is right.  99% of network based security products are pure snake
> oil. Patch your servers, know your baseline, statelessly filter unwanted
> traffic, RTBH as needed, sleep well at night.
>
> Bye.
>

Yeah, but Mr Tracanelli has a wider point. A firewall or IDS has its place
near the core, due to exhaustion not taking core routing down and taking
your availability away, while still adding security to it. A stateful
firewall / IPS / proxy, on the other hand, belongs somewhere else, deeper in
the network, closer to business logic than core/border.
Mr Dobbins' slides/presentation give an idea that a proxy (WAF, whatever)
fits sitting unprotected among routers and application servers, while it's
also stateful and fragile enough to deserve previous protection.


>
>
> > -----------------------------------
> > Roland Dobbins <rdobb...@arbor.net>
> >
>
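A constructed model of the state-exhaustion mechanism the thread is arguing about, added here as an illustration; it is not code from anyone in the thread or from any product. It shows why the relevant unit for a spoofed SYN flood is packets per second and half-open table capacity, not the device's forwarding bandwidth: a stateful device keeps an entry per half-open flow until a timeout, so once arrival rate times timeout exceeds the table size it fills and refuses new flows, legitimate ones included, while a stateless per-packet ACL has no table to fill. The table size (100k/250k entries), the 60 s half-open timeout, the 64-byte minimum frame, and the attack sources living in 10.0.0.0/8 are all assumptions chosen for the example.

```python
"""State exhaustion model: why a few kpps of spoofed SYNs can kill a stateful
device that forwards many Gb/s, while a stateless filter has nothing to exhaust.

Constructed illustration for this thread. The table size, half-open timeout,
frame size and attack rates below are assumptions, not figures from any
product or from the incidents described above.
"""
from collections import OrderedDict
import ipaddress

MIN_FRAME_BYTES = 64  # assumption: a bare TCP SYN padded to a minimum Ethernet frame


def pps_from_bps(bits_per_second: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Packet rate carried by a bit rate of minimum-size frames.
    Bandwidth is the wrong unit for a SYN flood; the device pays per packet."""
    return bits_per_second / (frame_bytes * 8)


def time_to_exhaustion(rate_pps: float, max_entries: int, half_open_timeout: float):
    """Seconds until a half-open table of max_entries fills under rate_pps of
    never-completed SYNs, or None if expiry keeps the steady state below the cap.
    Steady-state occupancy is rate * timeout; if that exceeds the cap, the table
    fills at max_entries / rate, which is before the first entry can expire."""
    if rate_pps * half_open_timeout <= max_entries:
        return None
    return max_entries / rate_pps


class StatefulFirewall:
    """Keeps one entry per half-open flow and refuses new flows once full."""

    def __init__(self, max_entries: int, half_open_timeout: float):
        self.max_entries = max_entries
        self.half_open_timeout = half_open_timeout
        self.table = OrderedDict()  # flow -> time the SYN was seen, oldest first
        self.rejected = 0

    def _expire(self, now: float) -> None:
        # Entries are in arrival order, so expiry only ever pops from the front.
        while self.table:
            flow, opened = next(iter(self.table.items()))
            if now - opened < self.half_open_timeout:
                break
            self.table.popitem(last=False)

    def admit_syn(self, flow, now: float) -> bool:
        self._expire(now)
        if flow in self.table:
            return True  # retransmit of a flow already being tracked
        if len(self.table) >= self.max_entries:
            self.rejected += 1  # new flows, legitimate or not, are dropped here
            return False
        self.table[flow] = now
        return True

    def state_entries(self) -> int:
        return len(self.table)


class StatelessFilter:
    """Per-packet ACL (bogon list, RTBH'd prefixes): no per-flow memory at all,
    so its cost is constant per packet and a flood cannot fill anything."""

    def __init__(self, deny_prefixes):
        self.deny = [ipaddress.ip_network(p) for p in deny_prefixes]

    def admit_syn(self, flow, now: float) -> bool:
        src = ipaddress.ip_address(flow[0])
        return not any(src in net for net in self.deny)

    def state_entries(self) -> int:
        return 0


def simulate(device, attack_pps: int, duration_s: int):
    """Spoofed flood at attack_pps from unique sources in 10.0.0.0/8 (constructed),
    plus one legitimate SYN per second from 203.0.113.7. Returns the first second
    at which a legitimate SYN was refused (None if never), the number of
    legitimate SYNs admitted, and the device's state size at the end."""
    first_refusal = None
    legit_admitted = 0
    n = 0
    for sec in range(duration_s):
        now = float(sec)
        for _ in range(attack_pps):
            src = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
            device.admit_syn((src, 1024 + (n >> 24)), now)  # unique flow per packet
            n += 1
        if device.admit_syn(("203.0.113.7", 1024 + sec), now):
            legit_admitted += 1
        elif first_refusal is None:
            first_refusal = sec
    return first_refusal, legit_admitted, device.state_entries()


if __name__ == "__main__":
    rate = pps_from_bps(3_000_000)  # the 3 Mb/sec flood mentioned in the thread
    print(f"3 Mb/sec of minimum-size SYNs = {rate:.0f} pps")
    print("fills an assumed 250k-entry table in", time_to_exhaustion(rate, 250_000, 60.0), "s")
    fw = StatefulFirewall(max_entries=100_000, half_open_timeout=60.0)
    print("stateful:", simulate(fw, attack_pps=6000, duration_s=30))
    print("stateless:", simulate(StatelessFilter(["10.0.0.0/8"]), 6000, 30))
```

Two caveats on reading the output. The stateless ACL drops the whole flood only because the constructed sources sit in a prefix a static rule can name; a flood spoofed from random public addresses would pass such a filter, and the property being shown is just that its memory stays at zero whatever the packet rate. And shortening the half-open timeout (try 10 s in the stateful run) raises the rate needed to exhaust the table but does not change the shape of the problem: any device that allocates state per unsolicited packet has a rate above which it fails, and that rate is usually far below its bandwidth rating.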
