-----Original Message-----
From: Łukasz Bromirski [mailto:lukasz@bromirski.net]
Sent: Saturday, January 09, 2010 6:11 AM
You mean Juniper SRX? The biggest box is a 5800, and it can handle up to 350k new sessions each second, up to a maximum of 10 million (let's skip the fact that it's not as simple as it would look from the data sheet and there are major obstacles to reaching the numbers).
With all due respect, I've been playing with the high end SRXs lately and I have to say I've been incredibly impressed with the performance... I recently did some performance testing on the SRX 5600s and I was able to consistently observe it instantiating upwards of 150k new TCP sessions per second. Does the SRX have some bugs... sure... that is to be expected with a box which by all means is still relatively bleeding edge. I'm fairly confident that, given a little time to stabilize the code, they will be able to fix some of the obstacles you are describing above...

Having said that, I always laugh when I'm working with customers who have been DoSed and their response is "Well, our firewall/load balancer has DDoS mitigation capabilities...". Almost every firewall or load balancer device I've worked with (Netscreen, SRX, Brocade, Fortinet) that had any sort of DoS mitigation features was extremely limited in its capability. Most only do session-based limiting towards a given destination IP, with the ultimate result being that they simply rate-limit the traffic towards that destination. This in itself ends up completing the attacker's goal of denying service (even if just a subset) towards a given IP. And these types of features do nothing to assist with low-level attack traffic which requires surgical mitigation, not to mention a host of other attack vectors. Firewalls do have their place in DDoS mitigation scenarios, but if used as the "ultimate" solution you're asking for trouble.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
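The collateral damage Stefan describes, a per-destination new-session cap that rate-limits everyone heading for the victim, can be quantified with a small simulation. This is an added example, not code from the thread or from any of the vendors named; the traffic mix (9500 flood vs 500 legitimate new sessions in one second, spread over constructed RFC 5737 addresses) and the cap values are assumptions chosen to make the effect visible.

```python
from collections import Counter

VICTIM = "203.0.113.10"  # constructed service address (RFC 5737 documentation range)

def interleave(n_attack, n_legit):
    """Spread n_legit legitimate arrivals evenly among n_attack attack arrivals
    (Bresenham-style) so that admission order favours neither class."""
    total = n_attack + n_legit
    order, acc = [], 0
    for _ in range(total):
        acc += n_legit
        if acc >= total:
            acc -= total
            order.append("legit")
        else:
            order.append("attack")
    return order

def one_second_of_arrivals(n_attack=9500, n_legit=500, attack_srcs=250, legit_srcs=50):
    """Constructed new-session events for one second: (kind, src_ip, dst_ip).
    The 95%/5% flood-to-legitimate mix is an assumption, not a measurement."""
    events, ai, li = [], 0, 0
    for kind in interleave(n_attack, n_legit):
        if kind == "attack":
            src, ai = f"198.51.100.{ai % attack_srcs}", ai + 1
        else:
            src, li = f"192.0.2.{li % legit_srcs}", li + 1
        events.append((kind, src, VICTIM))
    return events

def limit_by(events, key_index, max_new_per_sec):
    """Admit at most max_new_per_sec new sessions per key. key_index 2 keys on the
    destination IP (the behaviour the mail describes); 1 keys on the source IP,
    included for comparison. Returns admitted counts by traffic kind."""
    seen, admitted = Counter(), Counter()
    for ev in events:
        key = ev[key_index]
        if seen[key] < max_new_per_sec:
            admitted[ev[0]] += 1
        seen[key] += 1
    return admitted

def legit_dropped_fraction(admitted, events):
    """Share of legitimate new sessions the limiter discarded (collateral damage)."""
    legit_total = sum(1 for ev in events if ev[0] == "legit")
    return 1 - admitted["legit"] / legit_total

if __name__ == "__main__":
    ev = one_second_of_arrivals()
    print("per-destination cap 1000/s:", dict(limit_by(ev, 2, 1000)))
    print("per-source cap 10/s:", dict(limit_by(ev, 1, 10)))
```

With the destination-keyed cap the limiter admits the first 1000 arrivals regardless of who sent them, so legitimate clients get through only in proportion to their share of the flood (here 50 of 500, a 90% loss), which is the "denying service to a subset" outcome the mail warns about.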