On 10/23/07, ropers <[EMAIL PROTECTED]> wrote:
>
> On 23/10/2007, Tony Sarendal <[EMAIL PROTECTED]> wrote:
> > On 10/23/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> > >
> > > * Tony Sarendal <[EMAIL PROTECTED]> [2007-10-22 18:33]:
> > > > I didn't get that opinion from marketing.
> > > > No matter, we disagree, let's leave it at that.
> > >
> > > well, yeah, nonetheless, I wanna point out the essence why stateful is
> > > better (the way we do it in OpenBSD):
> > >
> > > 1) it moves the limit where the box starts to suffer from overload quite
> > > far, or, in other words, the box can handle a much larger amount of
> > > traffic before it starts to drop stuff. thus it can withstand bigger
> > > amounts of (D)DoS too.
> > > 2) once it gets to that point, it is more selective in dropping packets
> > > than a stateless box, as it prefers established connections. this
> > > behaviour cannot be valued enough in (D)DoS type of situations.
> > >
> >
> > I wish to implement things in a way where the link is the limitation,
> > not the box. But there is no point in re-doing that discussion.
> >
> > When I have some time free I'll test it in the lab to see that difference in
> > behaviour.
>
> I know very little, but I would like to note that some providers (
> http://www.rayservers.com/ddos-protection ) deploy OpenBSD with the
> express purpose of offering DDoS protection. That has to count for
> something.
>
> OTOH, Henning's word alone would be enough for me, because AFAIK
> Henning wrote actual pertinent code and knows darn friggin well what
> he's talking about. Did you contribute as much code to OpenBSD/pf as
> Henning? Are you sure your understanding is deeper than his? (No
> offense, by the way, all in good humour.)
Henning has committed more code than me. If you count in percent, infinitely more.
Does that mean that I don't know what I'm talking about?

I use OpenBSD because I like it, I think it is the best project I can find on the net.
I don't believe a fan-boy attitude is an asset to the project, that is what you are contributing right now.

This is a view of the external peering link where I work now:

  5 minute input rate 6165205000 bits/sec, 1036946 packets/sec
  5 minute output rate 3134466000 bits/sec, 1000242 packets/sec

One link out of many, no DDOS going on.
Maybe I should stick a rayserver on it.

Correct me if I'm wrong, but Henning needs someone to argue with him and pester him.

/Tony

