On Apr 26, 2013, at 7:23 PM, Joe Abley wrote:

> The number of stateful firewalls that can happily handle occasional flows of
> up to 100,000 flows per second to/from individual devices are few. "Yours
> probably isn't one of them."
I've seen 3mb/sec of spoofed SYN-flood take down a stateful firewall rated at 20gb/sec - DDoS, deliberate or inadvertent, means that no stateful firewall which could practically be constructed now or in the foreseeable future could handle this.

What's more, it's unnecessary - since every incoming connection is unsolicited, there's no state to inspect in the first place. Operators should use stateless ACLs in hardware-based routers/layer-3 switches to instantiate network access policies (I know you know all this, just posting it for the sake of completeness).

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
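What such a stateless, hardware-evaluated policy looks like for an authoritative DNS server, written in Cisco IOS extended-ACL syntax as an added illustration (not from the thread or from any poster); the server address 192.0.2.53, the primary 192.0.2.10, the NTP server 192.0.2.20 and the interface name are constructed placeholders:

```cisco
! Stateless ACL applied inbound on the upstream (Internet-facing) interface.
! Each packet is matched on its own against these entries; no flow table is
! consulted, so a spoofed SYN flood costs only per-packet forwarding, never
! state, and the filter degrades with line rate rather than with flow rate.
ip access-list extended DNS-SERVER-IN
 remark -- every inbound query is unsolicited, so there is nothing to track:
 remark -- simply admit port 53 over UDP and TCP to the server
 permit udp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.53 eq 53
 remark -- keep path-MTU discovery and reachability checks working for
 remark -- large EDNS/TCP responses
 permit icmp any host 192.0.2.53 packet-too-big
 permit icmp any host 192.0.2.53 echo
 remark -- the price of statelessness: replies to sessions the server itself
 remark -- opens must be listed explicitly, e.g. zone transfers it initiates
 remark -- to its primary (TCP, ACK/RST set) and NTP replies (UDP 123)
 permit tcp host 192.0.2.10 eq 53 host 192.0.2.53 established
 permit udp host 192.0.2.20 eq 123 host 192.0.2.53 eq 123
 remark -- everything else is dropped in the forwarding ASIC
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group DNS-SERVER-IN in
```

Because the deny is evaluated in hardware, an attack that would fill a stateful firewall's session table is dropped at interface speed; the trade-off is that any new outbound service the server needs (a resolver role, software updates, monitoring) has to be added as its own explicit return-path entry.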
