On Dec 8, 2010, at 10:10 PM, Thomas Mangin wrote:
Until this is sorted I believe flowspec will be a marginal solution.
We're seeing a significant uptick in flowspec interest, actually, and S/RTBH
has been around for ages.
On Dec 8, 2010, at 10:36 PM, Thomas Mangin wrote:
If you are a smaller network, you need the filtering to be performed by your
transit provider, as your uplink will otherwise be congested.
Actually, most DDoS attacks aren't link-flooding attacks - this hasn't been
true for the last ~7 years
On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:
But even for simple flood attacks, I still think that the target has
very few defence mechanisms, and those that exist require a complex
coordination with upstreams.
This is demonstrably incorrect.
On Dec 8, 2010, at 11:38 PM, Jack Bates wrote:
I think the difference here is scale. Packet-flooding attacks often do
fill links; if the links drop to 155 Mb/s or below.
I'm not saying that link-flooding attacks don't happen; they certainly do, and
on very big links, sometimes.
But in the
On Dec 8, 2010, at 11:47 PM, Jay Coley wrote:
This has been our recent experience as well.
I see link-filling attacks with some regularity; but again, what I'm saying
is simply that they aren't as prevalent as they used to be, because the
attackers don't *need* to fill links in order to
On Dec 9, 2010, at 1:34 AM, Matthew Petach wrote:
There seems to be a trend of using larger-scale flooding, or other simple
types of attacks to get all the network people at an organization
rushing over to throw resources and energy at it.
Concur, the more serious attackers use diversionary
On Dec 9, 2010, at 2:19 AM, Chris Boyd wrote:
Your BGP peer router would need to have lots of memory for /32 or /64 routes
though.
Any modern router can handle this.
Anyone heard of such a beast? Or is this how the stuff from places like
Arbor Networks does its thing?
This can be done
On Dec 9, 2010, at 2:10 AM, Mohacsi Janos wrote:
Do you think adopting LISP or similar architectures to reduce the problems
mentioned above?
Yes.
---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
On Dec 9, 2010, at 2:38 AM, Cameron Byrne wrote:
I still fail to see the value of LISP in a mature and sane IPv6 world.
Abstraction of the global routing table away from direct dependence upon the
underlying transport in use at a given endpoint network alone offers huge
benefits for
On Dec 7, 2010, at 8:27 PM, Thomas York wrote:
Yes, you can statically set it but that will drastically skew the data in
this environment.
What are you attempting to do that northbound/southbound isn't Good Enough?
On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote:
Other than trying to hide your real address, what can be done to prevent DDOS
in the first place.
DDoS is just a symptom. The problem is botnets.
Preventing hosts from becoming bots in the first place and taking down existing
botnets is
On Dec 8, 2010, at 11:52 AM, Adrian Chadd wrote:
The real problem is people.
Well, yes - but short of mass bombardment, eliminating people doesn't scale
very well, and is generally frowned upon.
On Dec 6, 2010, at 2:50 PM, Sean Donelan wrote:
Other than buying lots of bandwidth and scrubber boxes, have any other DDOS
attack vectors been stopped or rendered useless during the last
decade?
These .pdf presos pretty much express my view of the situation, though I do
need to rev the
On Dec 6, 2010, at 6:43 PM, Chris Nicholls wrote:
I found the following very helpful. Hardest thing for me was nailing
DHCPv6-PD without a DHCP server :)
This is the best/most complete work on IPv6 security to date, IMHO:
http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945
On Dec 6, 2010, at 10:49 PM, Jack Bates wrote:
So does NAT add to security? Yes; just not very much.
It adds nothing which can't be added in another, better way, and it subtracts a
great deal in terms of instantiating unnecessary DoSable stateful chokepoints
in the network, not to mention
On Dec 7, 2010, at 3:44 AM, Thomas York wrote:
fprobe doesn't work properly because it has the input and output interface
IDs as both 0.
IIRC, this can be altered via a config change.
On Dec 7, 2010, at 4:24 AM, Thomas York wrote:
It can, but then you are setting the input/output IDs statically. That would
work fine if your router only had 2 interfaces.
With a probe of this type, northbound/southbound tagging is generally
sufficient, in my experience (i.e., let's not
On Dec 6, 2010, at 7:53 AM, Glen Kent wrote:
Any help in this regard would be really appreciated.
This 2009 report (and reports from previous years) may be of interest:
http://www.arbornetworks.com/report
The 2010 report is in process right now, FYI.
Here're some additional presentations
On Dec 3, 2010, at 10:34 AM, Richard Barnes wrote:
So they will likely end up looking at some layer-2/3 aspects of the problem
as well.
http://tools.ietf.org/search/rfc5575
On Dec 2, 2010, at 10:10 AM, Randy Bush wrote:
we have a significant failure by the security community in that they keep
giving us hierarchic models, pgp being a notable exception.
http://en.wikipedia.org/wiki/PNRP
On Nov 26, 2010, at 9:26 PM, Sergey Voropaev wrote:
But corporate policy is to use only Windows servers and no other OS in
production.
They obviously use IOS or JunOS or what-have-you on their routers and other
networking gear - classify this server as a piece of infrastructure
On Nov 26, 2010, at 1:36 PM, Sergey Voropaev wrote:
Our task is to find such applications and report the problem to management
and developers. Also, if we are aware of it, we could configure QoS.
One place to start would be an open-source NetFlow collector/analyzer like
nfdump/nfsen:
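Before pointing a collector such as nfdump/nfsen at the problem, it helps to see what a NetFlow v5 export actually carries and how little is needed to rank applications by bytes. The following is an added example, not code from the thread or from nfdump: it parses the 24-byte v5 header and 48-byte records with the standard field layout, ranks (protocol, service port) pairs by octets, and counts records whose input/output ifindex are both 0, which is the fprobe symptom Thomas York describes above. The datagram is constructed in the block itself (documentation addresses, made-up byte counts), and the "lower port is the service port" rule is a heuristic, not part of the format.

```python
# Added example (not from the thread): parse NetFlow v5 exports and rank
# applications by bytes, keeping the input/output ifindex fields.
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record


def parse_netflow_v5(datagram):
    """Return a list of flow dicts from one v5 export datagram."""
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, _sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "in_if": in_if, "out_if": out_if, "pkts": pkts,
                      "octets": octets, "sport": sport, "dport": dport,
                      "proto": proto, "tcp_flags": tcp_flags})
    return flows


def top_applications(flows, n=3):
    """Bytes per (protocol, service port); the service port is taken as the
    lower of the two ports, a heuristic that works for unsampled flow data."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["proto"], min(f["sport"], f["dport"]))] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def untagged_interfaces(flows):
    """Flows exported with ifindex 0/0 cannot be attributed to a direction;
    a probe that always does this (the fprobe complaint above) shows up here."""
    return sum(1 for f in flows if f["in_if"] == 0 and f["out_if"] == 0)


def build_datagram(records):
    """Constructed sample input; each record is
    (src, dst, in_if, out_if, pkts, octets, sport, dport, proto)."""
    header = HEADER.pack(5, len(records), 100_000, 1_291_800_000, 0, 1, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,
                    in_if, out_if, pkts, octets, 0, 1000, sport, dport,
                    0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, in_if, out_if, pkts, octets, sport, dport, proto in records)
    return header + body


SAMPLE = build_datagram([   # constructed, not captured traffic
    ("10.0.0.5", "203.0.113.9", 3, 0, 900, 1_200_000, 51234, 443, 6),
    ("10.0.0.7", "203.0.113.20", 3, 0, 200, 250_000, 40000, 80, 6),
    ("10.0.0.9", "198.51.100.3", 0, 0, 50, 30_000, 33000, 53, 17),
    ("10.0.0.5", "203.0.113.9", 0, 0, 800, 1_000_000, 51235, 443, 6),
])

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE)
    print(top_applications(flows), untagged_interfaces(flows))
```

On a real collector the datagram comes from a UDP socket bound to the export port; everything else stays the same, and a high untagged count is the first thing to check before trusting any per-direction numbers.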
On Nov 22, 2010, at 10:48 PM, Joe Abley wrote:
I guess if the manner of the interception was to send back SERVFAIL to DNS
clients whose queries were (in some sense) objectionable, the result would be
that the clients were not able to resolve the (in some sense) bad names.
Quantifying the
On Nov 13, 2010, at 11:11 PM, David Ulevitch wrote:
Does anyone have any updates they can share on the register.com outage that
has been happening since sometime yesterday?
https://puck.nether.net/pipermail/outages/2010-November/002423.html
On Oct 25, 2010, at 3:48 AM, Matthew Petach wrote:
NTP can potentially be used as a DoS vector by your upstream clocks, if
you're not running your own.
+1
Also, if you experience a network partition event for any reason (DDoS attack,
backhoe attack, et. al.) which disrupts communications
On Oct 16, 2010, at 10:56 PM, Joel Jaeggli wrote:
Then move on to the Internet which as with most things is where the most
current if not helpful information resides.
Eric Vyncke's IPv6 security book is definitely worthwhile, as well, in
combination with Schudel & Smith's infrastructure
On Oct 5, 2010, at 1:27 AM, Scott Weeks wrote:
Why are we required to register to look at the survey?
That's how it's set up by the biz folks who provide the funding and resources
which allow us to conduct the survey, analyze the responses, and then write and
publish the report free of
Request for participation - Arbor 2010 Worldwide Infrastructure Security
Report.
Folks,
We're in the process of collecting feedback for the 2010 Worldwide
Infrastructure Security Report (WWISR); this is the Sixth Edition of the
report, and we'd really be grateful for your
On Oct 1, 2010, at 11:07 AM, Manav Bhatia wrote:
Buffering for 4-6 hours worth of control traffic is HUGE!
If 4-6 hours of *control-plane* traffic on a given device is 'HUGE!', for some
reasonable modern value of 'HUGE!', then there's definitely a problem on the
network in question.
On Oct 1, 2010, at 1:01 PM, Manav Bhatia wrote:
In 6 hours you will have around 8000K BFD packets. Add OSPF,
RSVP, BGP, LACP (for lags), dot1AG, EFM and you would really get a
significant number of packets to buffer.
Which isn't a 'HUGE!' amount of packets.
On Sep 9, 2010, at 11:43 PM, Jeffrey Lyon wrote:
He may get some business out of it, now that he has effectively put out a
DDoS for hire ad.
The relevant Indian authorities have been notified - my guess is that he'll
soon be receiving some interesting visitors.
On Sep 9, 2010, at 5:23 PM, Eugen Leitl wrote:
http://www.nature.com/ncomms/journal/v1/n6/full/ncomms1063.html
At first glance, this looks a bit familiar:
http://www.caida.org/research/topology/as_core_network/
On Sep 8, 2010, at 10:54 PM, Charles N Wyble wrote:
I would appreciate any feedback folks can give me.
https://files.me.com/roland.dobbins/y4ykq0
https://files.me.com/roland.dobbins/k54qkv
https://files.me.com/roland.dobbins/prguob
https://files.me.com/roland.dobbins/k4zw3x
On Sep 3, 2010, at 6:43 PM, Matthias Flittner wrote:
Sounds to me like a typical IPv6 DoS attack (see RFC 3756).
GMTA. Suggest checking to see if the targets have in fact been compromised
(perhaps co-opted as botnet C&Cs, malware drop sites, et. al.?), and are being
targeted by a rival
On Sep 3, 2010, at 7:02 PM, Igor Ybema wrote:
The only traffic I saw on the subnet was normal/valid NA lookups from the
router towards an
increasing IPv6-address (starting with ::1, then ::2 etc).
This could be a deliberately-induced DDoS due to the annoying ND stuff in IPv6,
or just an
On Sep 3, 2010, at 7:58 PM, Owen DeLong wrote:
However, scanning in IPv6 is not at all like the convenience of comprehensive
scanning of the IPv4 address space.
Concur, but I still maintain that lots of illicit automation plus refined
scanning via DNS, et. al. is a viable practice.
On Sep 4, 2010, at 12:19 AM, Steven Bellovin wrote:
See http://www.cs.columbia.edu/~smb/papers/v6worms.pdf
I've seen it and concur with regards to worms (which don't seem to be very
popular, right now, excepting the 'background radiation' of old Code Red,
Nimda, Blaster, Nachi, SQL Slammer,
On Sep 3, 2010, at 10:23 PM, William Herrin wrote:
Frankly, Zhiyun offers the first truly rational case I've personally seen for
packet filtering based on the TCP source port.
While the paper is entertaining and novel, and reflects a lot of creativity and
hard work on the part of the
On Sep 4, 2010, at 3:11 AM, Dobbins, Roland wrote:
I've certainly never run across it, nor do I know anyone else who has done
so.
I stand corrected - it seems I do in fact know someone who's observed this
technique used to send spam, albeit in the past when POTS dial-up pools were
On Sep 3, 2010, at 8:02 PM, Patrick W. Gilmore wrote:
Could you point to more than one instance? I've not yet found one.
I've yet to run across this, either, FWIW, except on extremely restrictive
special-purpose endpoint networks. Doesn't mean that it doesn't happen, but it
doesn't seem
On Sep 4, 2010, at 7:12 AM, Owen DeLong wrote:
My point is that scanning is not the vector by which they are most likely to
get discovered.
I do agree with this, definitely, with regards to blind scanning.
On Aug 29, 2010, at 2:30 PM, Paul Ferguson wrote:
It would seem to me that there should actually be a better option, e.g.
recognizing the malformed update, and simply discarding it (and sending the
originator an error message) instead of resetting the session.
Generation of the error
On Aug 21, 2010, at 12:20 AM, Christopher Morrow wrote:
o routers are required to be able to send redirect messages
o routers should NOT do this by default
I concur with this position from an opsec standpoint; at the same time, I don't
know that *mandating* a default configuration setting
On Aug 19, 2010, at 7:38 AM, George Michaelson wrote:
(we've got the usual acquisition of rule by accretion problem across 4
edge/core routers with a mix of public facing, internal, WiFi, guest rules,
and I hate to think this is either start from scratch, or intractable. The
evidence is
On Jul 19, 2010, at 8:06 PM, J. Oquendo wrote:
Here is a semi-universal solution... Throw an N-Byte field into the TCP
protocol and label it "dirty": the dirty bit.
http://tools.ietf.org/html/rfc3514
On Jul 18, 2010, at 9:47 AM, Mark Smith wrote:
Since specific routers have been mentioned, care to comment on the Cisco ASR?
ASR1K, which is what I'm assuming you're referring to, is a hardware-based
router. Same for ASR9K.
On Jul 19, 2010, at 1:55 AM, Brett Frankenberger wrote:
So where do you draw the line? Is the ASR hardware forwarding?
Yes - specialized multicore NPU plus TCAM.
On Jul 19, 2010, at 1:12 AM, Nick Hilliard wrote:
My c* SE swears that the asr1k is a software router. I didn't push him on
its architecture though.
Specialized multicore NPU + TCAM = hardware.
On Jul 19, 2010, at 5:43 AM, Mark Smith wrote:
This document supports that.
No, it doesn't.
Specialized NPUs, TCAMs present in ASR1K.
CRS-3 has specialized NPUs, ASICs, as well.
Enough on this topic - it's obvious that both ASR1K and CRS-3 are
hardware-based platforms.
On Jul 16, 2010, at 9:42 PM, Lamar Owen wrote:
I'm sure the collective wisdom here is capable of pulling the task off at
least in theory;
The thorniest issues aren't technology-related, per se; they're legal exposure
(both real and imagined), regulatory concerns (both real and imagined),
On Jul 15, 2010, at 10:23 PM, Joe Greco wrote:
For example, for a provider whose entire upstream capacity is 1Gbps, I have a
hard time seeing how a Linux- or FreeBSD-based box could credibly be claimed
not to be a suitable edge router.
Because it can and will be whacked quite easily by
On Jul 15, 2010, at 11:01 PM, Cian Brennan wrote:
I'm almost certain they're not the uses that Roland is saying that software
routers are entirely unsuited for.
Correct - I'm talking about SP (and even enterprise) edge routers. I've seen
as little as a few hundred kpps totally hose Cisco
On Jul 15, 2010, at 11:33 PM, Joe Greco wrote:
Provided with a counterexample where this isn't true, you simply ignore it.
I've yet to see a counterexample involving a software-based edge router in a
realistic testbed environment being deliberately packeted in order to cause an
availability
On Jul 15, 2010, at 11:43 PM, Larry Sheldon wrote:
A democracy is two wolves and a lamb voting on what to have for dinner.
Under the assumption that I'm meant to be fulfilling the role of the lamb, I
know when I'm outvoted, heh. This topic is obviously past its shelf-life.
On Jul 14, 2010, at 1:34 PM, Mikael Abrahamsson wrote:
CRS-1 uses multicore processors (hundreds of cores) for forwarding on their
linecards, and they achieve 40+ Mpps per linecard.
The CRS-1 makes use of the Metro subsystem for forwarding, with multiple Metros
per Modular Service Card
On Jul 14, 2010, at 7:01 PM, valdis.kletni...@vt.edu wrote:
But as others have stated, the 7206 has at least some hardware acceleration,
Unfortunately, said statements are factually incorrect. 7200s have no hardware
acceleration of any type whatsoever.
from
On Jul 14, 2010, at 8:38 PM, Florian Weimer wrote:
There's also the question of IP options (or extension headers). 8-)
I know that some modern hardware-based routers have the ability to either
ignore options, or to drop option packets altogether.
I believe the same is now true of IPv6
On Jul 14, 2010, at 8:48 PM, Florian Weimer wrote:
From or to your customers?
Both.
Stopping customer-sourced attacks is probably a good thing for the Internet
at large.
Concur 100%.
And you can't combat attacks targeted at customers within your own network
unless you've got very
On Jul 14, 2010, at 8:59 PM, Florian Weimer wrote:
There might be contractual reasons not to enable that feature. 8-/
Ignoring is generally pretty harmless; dropping can break traceroute, RSVP, et.
al.
Conversely, there are also generally pretty strong contractual reasons not to
have one's
On Jul 14, 2010, at 9:55 PM, Dylan Ebner wrote:
I should look for other options to balance my inbound traffic.
Beyond the binary choice to advertise or not to advertise a given prefix via a
given peer/upstream and/or any TE policies your peers/upstreams may support via
community/attribute
On Jul 14, 2010, at 10:17 PM, Joe Greco wrote:
The truth is that you can keep throwing CPU at a problem as well. I can size
a software based router such that it can remain available.
Not against mpps, or even high kpps, you can't, unfortunately.
Software based platforms have an incredible
On Jul 13, 2010, at 1:34 PM, Sharef Mustafa wrote:
do you recommend it?
My comment would be that a software-based BRAS - 7200, Vyatta, et. al. - is no
longer viable in today's Internet, and hasn't been for years, due to
security/availability concerns. Same for peering/transit edge,
On Jul 13, 2010, at 3:00 PM, khatfi...@socllc.net wrote:
I agree software-based deployments have their flaws but I do not agree that
it cannot be managed securely with comparable or exceeding uptime -vs- a drop
in appliance. I firmly believe it has its place in 'today's internet'.
When a
On Jul 13, 2010, at 10:58 PM, Joe Greco wrote:
It's interesting. One can get equally militant and say that hardware based
routers are irrelevant in many applications.
When BCPs are followed, they don't tend to fall over the moment someone hits
them with a few kpps of packets - which
On Jul 14, 2010, at 12:39 AM, khatfi...@socllc.net wrote:
I haven't done real world testing with Vyatta but we consistently pass
750KPPS+ without the slightest hiccup on our FreeBSD routing systems.
750kpps packeting the box itself?
Also, note that kpps is a small
On Jul 14, 2010, at 12:31 AM, Scott Weeks wrote:
I'm guessing a few kpps of packets is tongue-in-cheek? Entry level script
kiddies can get to a few hundred kpps easily.
That's what I meant - even a very small botnet can easily overwhelm
software-based edge routers.
On Jul 14, 2010, at 1:02 AM, Matthew Kaufman wrote:
Dangerous in places where forwarding table
exceeds hardware cache limits. (See Code Red worm stories)
During the Code Red/Nimda period (2001), and on into the Slammer/Blaster/Nachi
period (2003), all the routers I personally know of which
On Jul 14, 2010, at 1:29 AM, khatfi...@socllc.net wrote:
We were talking about routing though.
I was talking about packeting the boxes directly, apologies for being unclear -
that's what I meant when I said that the era of software-based edge boxes is
long past.
On Jul 14, 2010, at 3:26 AM, Tony Li wrote:
The whole point about being DoS resistant is one of horsepower. To do DoS
protection correctly, you need to be able to do packet examination at line
rate.
Right. And to date, such routers make use of ASICs - i.e., 'hardware-based'
routers, in
On Jul 14, 2010, at 4:03 AM, valdis.kletni...@vt.edu wrote:
I wasn't aware that the 7206 and M20 classified as software-based.
7200 certainly is - I'm not familiar with the minutiae of Juniper boxes, but I
believe the M20 is hardware-based. In the classic report you cite, the issue
with the
On Jul 14, 2010, at 5:45 AM, Joe Greco wrote:
That's just a completely ignorant statement to make.
It's based on a great deal of real-world experience; I'm sorry you consider
that to be 'ignorant'.
I notice in particular how carefully you qualify that with [w]hen BCPs are
followed; the
On Jul 14, 2010, at 9:31 AM, Dan White wrote:
has the appearance of you struggling to hold on to an idea that may have been
more true in the past,
It's true today, and I'm not 'struggling to hold' onto anything. Take any
software-based router from Cisco or Juniper or whomever (if Juniper
On Jun 22, 2010, at 9:57 PM, Eric J Esslinger wrote:
So I'm looking for some help, perhaps experience with products,
I'm a big fan of QTSS for this type of application, myself:
http://www.apple.com/quicktime/streamingserver/
and use Wirecast for the broadcasting client:
On May 12, 2010, at 1:10 AM, Patrick W. Gilmore wrote:
No.
Concur, but the original poster should also look at the GTSM, which doesn't do
what he asked about but which does make use of TTL as a validation mechanism:
http://www.rfc-editor.org/rfc/rfc3682.txt
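GTSM works because TTL (or the IPv6 hop limit) only ever decreases in transit: a peer that sends with 255 can arrive with at most a few hops taken off, and a packet that has crossed the Internet cannot be made to look that way no matter what the attacker sets. The block below is an added example, not code from the thread: it reads the TTL/hop limit and addresses from raw IPv4 and IPv6 headers and applies the RFC 3682 rule (RFC 5082 later generalized it to IPv6, which is why both are handled). Headers are constructed in the block with zero checksums and documentation addresses; the session being protected is assumed to be a single known peer, as for an eBGP session.

```python
# Added example (not from the thread): the GTSM check of RFC 3682 / RFC 5082
# applied to raw IP headers.
import ipaddress
import struct


def hop_count_field(packet):
    """Return (ttl_or_hop_limit, src, dst) from a raw IPv4 or IPv6 header."""
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        return (packet[8], ipaddress.IPv4Address(packet[12:16]),
                ipaddress.IPv4Address(packet[16:20]))
    if version == 6 and len(packet) >= 40:
        return (packet[7], ipaddress.IPv6Address(packet[8:24]),
                ipaddress.IPv6Address(packet[24:40]))
    raise ValueError("not an IPv4/IPv6 header")


def gtsm_accept(packet, peer, max_hops=1):
    """A GTSM peer sends with TTL 255. A genuine packet can have lost at most
    max_hops on the way, so anything below 255 - max_hops is discarded.
    Contrast with the old eBGP habit of sending TTL 1: that limits where *your*
    packets go, but says nothing about where incoming ones came from."""
    ttl, src, _dst = hop_count_field(packet)
    return src == ipaddress.ip_address(peer) and ttl >= 255 - max_hops


def build_ipv4(src, dst, ttl, proto=6):
    """Constructed 20-byte IPv4 header (checksum left zero; not needed here)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0, s, d)


def build_ipv6(src, dst, hop_limit, next_header=6):
    """Constructed 40-byte IPv6 header with an empty payload."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, hop_limit, s, d)


def filter_session(packets, peer, max_hops=1):
    """Apply the check to a stream; returns (accepted, rejected) counts."""
    accepted = sum(1 for p in packets if gtsm_accept(p, peer, max_hops))
    return accepted, len(packets) - accepted


if __name__ == "__main__":
    peer = "192.0.2.1"
    sample = [                                        # constructed packets
        build_ipv4(peer, "192.0.2.2", 255),           # directly connected peer
        build_ipv4(peer, "192.0.2.2", 254),           # one hop away
        build_ipv4(peer, "192.0.2.2", 243),           # spoofed as the peer, 12 hops away
        build_ipv4("203.0.113.9", "192.0.2.2", 255),  # right TTL, wrong source
    ]
    print(filter_session(sample, peer, max_hops=1))
```

In a router this check sits in the control-plane filter, in front of the TCP stack, so a spoofed flood is dropped before it costs any session state.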
On May 5, 2010, at 4:39 PM, Mikael Abrahamsson wrote:
I was also under the impression that it wasn't by IP but that they could
block specific youtube videos etc.
They use a combination of IP blocking, DNS poisoning, and transparent HTTP
proxy-based URL filtering.
On May 4, 2010, at 11:03 PM, Drew Weaver wrote:
Is anyone aware whether or not Thailand has a centralized firewall on
Internet access?
Thai SPs are required by law to block sites deemed objectionable by the
government of Thailand; common reasons given include lese majeste and/or other
On Apr 12, 2010, at 12:39 AM, valdis.kletni...@vt.edu wrote:
IPv6 isn't heavily used *currently*, so it may be perfectly acceptable to
deal with the mythological IPv6 DDoS
The only IPv6-related DDoS attacks of which I'm aware to date is miscreants
going after 6-to-4
On Apr 10, 2010, at 12:17 AM, Paul Vixie wrote:
are we all freaking out especially much because this is coming from china
today, and we suppose there must be some kind of geopolitical intent because
china-vs-google's been in the news a lot today?
There's been a fair amount of speculation
On Apr 2, 2010, at 7:09 PM, Robert E. Seastrom wrote:
So, what are you having your up-and-coming NOC staff read?
http://www.amazon.com/Router-Security-Strategies-Securing-Network/dp/1587053365/ref=sr_1_2?ie=UTF8&s=books&qid=1270210783&sr=8-2
On Mar 17, 2010, at 2:56 AM, Guillaume FORTAINE wrote:
What about Argus ? [1]
Argus is OK, but I believe that it mainly relies upon packet capture - it does
now support NetFlow v5, and v9 support as well as support for Juniper flow
telemetry and others is supposed to be coming.
I've
On Mar 16, 2010, at 1:06 AM, Michael Holstein wrote:
In short, instead of paying for a (n*)gbps circuit and buying your own DDOS
prevention gear, you buy $n worth of bandwidth that has somebody actively
managing the DDOS protection.
And of course, if one's organization is an SP, one can in
On Mar 16, 2010, at 10:47 AM, Guillaume FORTAINE wrote:
Especially, where is Roland Dobbins ?
At your service.
On Feb 9, 2010, at 6:57 PM, 최종훈 wrote:
Is there anyone who has experience controlling UDP ports 8, 8080, 0?
Rate-limiting or blocking!
Not a good idea to use rate-limiting to deal with DDoS attacks - the
programmatically-generated bad traffic ends up crowding out legitimate traffic.
All
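The crowding-out effect in the reply above is easy to show numerically: a policer sees packets, not intent, so when a flood and the real traffic share one rate limit, each packet is dropped with the same probability whoever sent it. The following is an added simulation, not code from the thread: a textbook token-bucket policer fed a merge of two Poisson streams, one labelled legitimate and one labelled attack, with constructed rates and a fixed seed. The specific rates (100 pps of real queries, 900 pps of flood, a 200 pps limit) are illustrative choices.

```python
# Added example (not from the thread): why a rate limit does not protect the
# legitimate share of a flooded port. Constructed traffic, fixed seed.
import heapq
import random


def token_bucket(arrivals, rate_pps, burst):
    """Classic token-bucket policer. arrivals: time-sorted (time, label) pairs.
    Returns the labels of the packets that passed."""
    tokens, last = float(burst), 0.0
    passed = []
    for t, label in arrivals:
        tokens = min(float(burst), tokens + (t - last) * rate_pps)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            passed.append(label)
    return passed


def poisson_stream(label, pps, seconds, rng):
    """Exponentially spaced arrivals at the given average rate."""
    if pps <= 0:
        return []
    t, out = 0.0, []
    while True:
        t += rng.expovariate(pps)
        if t > seconds:
            return out
        out.append((t, label))


def simulate(legit_pps, attack_pps, limit_pps, seconds=20, burst=50, seed=1):
    """Fraction of legitimate and of attack packets the policer dropped."""
    rng = random.Random(seed)
    legit = poisson_stream("legit", legit_pps, seconds, rng)
    attack = poisson_stream("attack", attack_pps, seconds, rng)
    passed = token_bucket(list(heapq.merge(legit, attack)), limit_pps, burst)

    def dropped(label, sent):
        return 1.0 - sum(1 for l in passed if l == label) / len(sent) if sent else 0.0

    return {"legit_dropped": dropped("legit", legit),
            "attack_dropped": dropped("attack", attack)}


if __name__ == "__main__":
    # 100 pps of real DNS queries under a 900 pps flood, policed to 200 pps:
    r = simulate(100, 900, 200)
    print(f"legit dropped {r['legit_dropped']:.0%}, attack dropped {r['attack_dropped']:.0%}")
```

The two drop fractions come out within a few percent of each other and near 80%, i.e. the attacker decides how much of the real traffic survives. Keeping the limit but classifying first (source-based blackholing, flowspec matching on the flood's characteristics, or diversion to scrubbing) is what changes the outcome, because it separates the streams before the policer sees them.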
On Feb 2, 2010, at 10:28 AM, Suresh Ramasubramanian wrote:
Automated config deployment / provisioning. And sanity checking before
deployment.
A lab in which changes can be simulated and rehearsed ahead of time, new OS
revisions tested, etc.
A DCN.
On Jan 29, 2010, at 10:04 AM, Jonathan Lassoff wrote:
Something utilizing sflow/netflow and flowspec to block or direct traffic
into a scrubbing box gets you much better bang for your buck past a certain
scale.
This is absolutely key for packet-flooding types of attacks, and other attacks
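What flowspec adds over S/RTBH (raised in the Dec 2010 exchange above) and the bare RFC 5575 pointer is worth seeing on the wire: a blackhole route can only say "drop everything to this /32", whereas a flowspec NLRI carries a match on prefixes, protocol and ports, and a traffic-rate extended community of 0 turns that match into a drop at the upstream, or a non-zero rate into a limit. The block below is an added example, not code from the thread or from any BGP implementation: it encodes and decodes RFC 5575 IPv4 flowspec NLRI (destination/source prefix, protocol and destination-port components with exact-match operators) and builds the traffic-rate community. The rule contents, the AS number 64496 and the prefixes are constructed for the example; only the eq operator is handled on decode.

```python
# Added example (not from the thread): minimal RFC 5575 flowspec NLRI
# encoder/decoder plus the traffic-rate extended community.
import ipaddress
import struct

# Component types, RFC 5575 section 4 (IPv4 flowspec).
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
NUMERIC_NAMES = {IP_PROTO: "proto", PORT: "ports", DST_PORT: "dst_ports", SRC_PORT: "src_ports"}


def _prefix_component(kind, prefix):
    """Type byte, prefix length in bits, then only as many address bytes as needed."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([kind, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(kind, values):
    """Type byte followed by (operator, value) pairs; each value is an exact
    match (eq bit) and the pairs are OR'ed (AND bit clear). Operator bits:
    0x80 end-of-list, 0x40 AND, bits 5-4 value length (0 = 1 byte, 1 = 2 bytes),
    0x04 lt, 0x02 gt, 0x01 eq."""
    out = bytearray([kind])
    for i, v in enumerate(values):
        op = 0x01
        if i == len(values) - 1:
            op |= 0x80
        if v > 0xFF:
            op |= 0x10
            out += bytes([op]) + struct.pack("!H", v)
        else:
            out += bytes([op, v])
    return bytes(out)


def encode_flowspec(dst=None, src=None, proto=None, dst_ports=None):
    """Build one flowspec NLRI; components must appear in ascending type order."""
    body = b""
    if dst:
        body += _prefix_component(DST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto:
        body += _numeric_component(IP_PROTO, proto)
    if dst_ports:
        body += _numeric_component(DST_PORT, dst_ports)
    if len(body) < 240:                    # 1-byte length below 240,
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # else 0xF + 12-bit length


def decode_flowspec(nlri):
    """Inverse of encode_flowspec; only the eq operator is interpreted here."""
    if nlri[0] < 0xF0:
        length, pos = nlri[0], 1
    else:
        length, pos = struct.unpack("!H", nlri[:2])[0] & 0x0FFF, 2
    end = pos + length
    if end > len(nlri):
        raise ValueError("truncated NLRI")
    rule = {}
    while pos < end:
        kind = nlri[pos]
        pos += 1
        if kind in (DST_PREFIX, SRC_PREFIX):
            plen = nlri[pos]
            pos += 1
            nbytes = (plen + 7) // 8
            addr = nlri[pos:pos + nbytes] + b"\x00" * (4 - nbytes)
            pos += nbytes
            rule["dst" if kind == DST_PREFIX else "src"] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        elif kind in NUMERIC_NAMES:
            values = []
            while True:
                op = nlri[pos]
                pos += 1
                vlen = 1 << ((op >> 4) & 0x3)
                values.append(int.from_bytes(nlri[pos:pos + vlen], "big"))
                pos += vlen
                if op & 0x80:
                    break
            rule[NUMERIC_NAMES[kind]] = values
        else:
            raise ValueError(f"unsupported component type {kind}")
    return rule


def traffic_rate_community(asn, bytes_per_second):
    """Extended community type 0x80, subtype 0x06: 2-byte AS, 4-byte IEEE
    float rate in bytes/s. Rate 0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(bytes_per_second))


if __name__ == "__main__":
    nlri = encode_flowspec(dst="192.0.2.1/32", proto=[17], dst_ports=[53, 8080])
    print(nlri.hex(), decode_flowspec(nlri), traffic_rate_community(64496, 0).hex())
```

The NLRI travels in MP_REACH_NLRI with AFI 1 / SAFI 133, and the receiving router installs it as an ACL, so the practical caveats are the ones a hardware ACL has: the upstream must accept the address family, validate that the destination prefix is yours, and have the TCAM to hold the rules during an attack.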
On Jan 23, 2010, at 7:56 PM, Mikael Abrahamsson wrote:
http://www.gossamer-threads.com/lists/nsp/ipv6/20788
A couple of points for thought:
1. Yes, the IPv6 address space is unimaginably huge. Even so, when every
molecule in every soda can in the world has its own IPv6 address in years
On Jan 24, 2010, at 4:43 AM, Mark Smith wrote:
That's a new bit of FUD. References?
It isn't 'FUD'.
redistribute connected.
On Jan 24, 2010, at 6:07 AM, James Hess wrote:
Then obviously, it's giving every molecule in every soda can an IP address
that is the waste that matters. There are several orders of magnitude between
the number of molecules in a soda can (~65000 times
as many) as the number of additional
On Jan 22, 2010, at 8:08 AM, Danny McPherson wrote:
Yep, I think this is simply an artifact of a larger respondent pool
size, with many smaller respondents being represented.
Correct, as noted in the text, the change in survey demographics appears to be
the cause of this shift.
[Apologies for any duplication if you've seen this notification on other lists.]
We've just posted the 2009 Worldwide Infrastructure Security Report for
download at this URL:
http://www.arbornetworks.com/report
This year's WWISR is based upon the broadest set of survey data collected by
On Jan 14, 2010, at 12:37 PM, Warren Kumari wrote:
I can now place a checkbox in the Is there a firewall? column of the
insert random acronym here audit.
mod_security is your friend.
On Jan 10, 2010, at 3:48 PM, James Hess wrote:
Firewalls do not need to build a state entry for
partial TCP sessions, there are a few different things that can be
done, such as the firewall answering on behalf of the server (using
SYN cookies) and negotiating connection with the server
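The SYN-cookie idea James Hess mentions is the stateless alternative to the half-open table that a firewall or server exhausts under a SYN flood: the server's initial sequence number is computed from the connection's 4-tuple, a coarse timestamp and a secret, so nothing is stored until a valid ACK comes back and the cookie can be recomputed from the ACK alone. The following is an added example, not code from the thread or from any operating system's stack; the cookie layout (5-bit time counter, 3-bit MSS index, 24-bit HMAC) is a simplified variant chosen for readability, the MSS table and tick size are assumptions, and the flood and addresses are constructed.

```python
# Added example (not from the thread): a stateless SYN-cookie handshake.
import hashlib
import hmac
import os

SECRET = os.urandom(32)                 # a real stack rotates this periodically
MSS_TABLE = (536, 1220, 1440, 1460)     # assumed encodable MSS values (3-bit index)
TICK = 64                               # assumed seconds per counter step


def _mac(saddr, daddr, sport, dport, client_isn, count):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{client_isn}|{count}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN that encodes everything needed to rebuild the connection."""
    count = (now // TICK) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac(saddr, daddr, sport, dport, client_isn, count), "big")
    return (count << 27) | (mss_idx << 24) | mac


def check_cookie(saddr, daddr, sport, dport, client_seq, ack_seq, now, max_age_ticks=2):
    """Validate the third packet of the handshake; the ACK number is the
    cookie + 1 and the client's ISN is its sequence number - 1.
    Returns the MSS to use, or None if this ACK is forged or stale."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    count, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now // TICK) & 0x1F) - count) & 0x1F
    if age > max_age_ticks or mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(saddr, daddr, sport, dport, client_isn, count)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieServer:
    """Keeps state only for established connections; SYNs cost no memory."""

    def __init__(self):
        self.established = {}

    def on_syn(self, saddr, daddr, sport, dport, client_isn, mss, now):
        # Nothing is stored here: the ISN in the SYN-ACK *is* the state.
        return make_cookie(saddr, daddr, sport, dport, client_isn, mss, now)

    def on_ack(self, saddr, daddr, sport, dport, seq, ack, now):
        mss = check_cookie(saddr, daddr, sport, dport, seq, ack, now)
        if mss is not None:
            self.established[(saddr, sport, daddr, dport)] = mss
        return mss


if __name__ == "__main__":
    s = SynCookieServer()
    for i in range(100_000):            # constructed spoofed SYN flood, never ACKed
        s.on_syn(f"198.51.100.{i % 250}", "192.0.2.10", 1024 + i % 60000, 80, i, 1460, 1000)
    isn = s.on_syn("203.0.113.7", "192.0.2.10", 40000, 80, 12345, 1460, 1000)
    print(s.on_ack("203.0.113.7", "192.0.2.10", 40000, 80, 12346, isn + 1, 1005),
          len(s.established))
```

The price of statelessness is visible in the layout: TCP options other than the MSS cannot be remembered, and a retransmitted SYN-ACK cannot be sent because nothing recalls that the SYN happened, which is why production stacks only switch to cookies once the backlog fills.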
On Jan 10, 2010, at 11:55 PM, Roger Marquis wrote:
The only thing you've said that is being disputed is the claim that a
firewall under a DDoS type of attack will fail before a server under the same
type of attack.
It's so obvious that well-crafted programmatically-generated attack
On Jan 11, 2010, at 4:55 AM, James Hess wrote:
I don't agree with You never need a proxy in front of a server, it's only
there to fail.
Again, reverse proxy *caches* are extremely useful in front of Web farms. Pure
proxying makes no sense.
On Jan 11, 2010, at 12:56 PM, George Bonser wrote:
One would probably have a load balancer of some sort in front of those
machines. That is the device that would be fielding any DoS.
Yes, and as you've noted previously, it should be protected via stateless ACLs
in hardware capable of
On Jan 9, 2010, at 9:57 PM, Stefan Fouant wrote:
Firewalls do have their place in DDoS mitigation scenarios, but if used as
the ultimate solution you're asking for trouble.
In my experience, their role is to fall over and die, without exception. I
can't imagine what possible use a stateful
On Jan 10, 2010, at 12:57 AM, Jeffrey Lyon wrote:
I would love to provide you with some new experiences.
I get new experiences of this type and plenty of new ideas every day, thanks.
On Jan 10, 2010, at 5:51 AM, harbor235 wrote:
Other security features in an Enterprise Class firewall;
-Inside source based NAT, reinforces secure traffic flow by allowing
outside to inside flows based on
configured translations and allowed security policies
Terrible from an
On Jan 10, 2010, at 9:03 AM, Roger Marquis wrote:
That hasn't been my experience but then I'm not selling anything that might
have a lower ROI than firewalls, in small to mid-sized installations.
I loudly evinced this position when I worked for the world's largest firewall
vendor, so that
On Jan 10, 2010, at 10:05 AM, Roger Marquis wrote:
Ok, I'll bite. What firewalls are you referring to?
Hardware-based commercial firewalls from the major vendors, open-source/DIY,
and anything in between. All stateful firewalls ever made, period (as
discussed previously in the thread).