> > And I don't believe anyone is necessarily advocating exposing
> > individual servers directly to the internet either.
>
> Actually, some of us are.

That can be difficult to do when you have maybe 300 or 400 servers that handle one service. Let's say you have a site called www.foobar.com and you have several hundred servers on the front end that handle that domain. You aren't going to put several hundred A records in DNS; at least I hope you aren't. One would probably have a load balancer of some sort in front of those machines. That is the device that would be fielding any DoS.

> > There are other devices that can handle isolation of the servers and
> > protect them against such things as syn floods.
>
> What is the point of that when the servers can do it themselves?

I have a feeling you are talking about relatively small amounts of traffic.

