On 2010-01-05 03:17, Tim Eberhard wrote:
> Kinda funny you state that Roland. I know of at least two very large carriers that use Netscreens (and soon SRX's) for their DoS/DDoS mitigation.
You mean Juniper SRX? The biggest box is a 5800, and it can handle up to 350k new sessions each second, up to a maximum of 10 million (let's skip the fact that it's not as simple as it looks from the data sheet, and there are major obstacles to reaching those numbers). 350kpps of TCP SYNs, or whatever wiser your botnet controller will generate, coming to your Internet pipe is really a small, very small DDoS. In terms of short packets like TCP SYNs, it's only around 179 Mbit/s worth of bandwidth.

Roland is right. Given finite resources to hold and process stateful information, the stateful device in a packet's path to the protected device is itself always vulnerable to being DDoSed. You can't argue with the logic of that; you can only throw more capable boxes at it and, of course, fail at some point.

-- 
"Everything will be okay in the end.  |  Łukasz Bromirski
 If it's not okay, it's not the end."  |  http://lukasz.bromirski.net
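To make the capacity argument above concrete, here is a back-of-the-envelope model, added as an example and not code from anyone in the thread. It takes the two figures quoted in the reply (350k new sessions per second, 10 million session table) and shows both the bandwidth a SYN flood at that rate occupies and how long the session table survives. The 64-byte frame size and the 30-second half-open timeout are assumptions; real devices use different timers and SYN-cookie style defences that change the picture.

```python
# Added example, not from the mailing-list thread: a capacity model for a
# stateful device (session table + setup-rate limit) under a TCP SYN flood.
# The 350k sessions/s and 10M max-session figures are the ones quoted in the
# reply; frame size and half-open timeout below are assumptions.
from dataclasses import dataclass
from typing import Optional

ETHERNET_MIN_FRAME_BYTES = 64  # a bare TCP SYN fits in a minimum Ethernet frame


def pps_to_mbit(pps: int, frame_bytes: int = ETHERNET_MIN_FRAME_BYTES) -> float:
    """Bandwidth in Mbit/s consumed by `pps` frames of `frame_bytes` each."""
    return pps * frame_bytes * 8 / 1_000_000


@dataclass
class StatefulDevice:
    max_sessions: int           # session-table capacity
    setup_rate: int             # new sessions it can create per second
    half_open_timeout_s: float  # how long an unanswered SYN entry is held (assumed)

    def admitted_syn_rate(self, syn_pps: int) -> int:
        """SYNs per second that actually become table entries."""
        return min(syn_pps, self.setup_rate)

    def dropped_fraction(self, syn_pps: int) -> float:
        """Share of inbound SYNs (attack and legitimate alike) the box cannot
        set up because they exceed its setup rate."""
        if syn_pps <= 0:
            return 0.0
        return max(0, syn_pps - self.setup_rate) / syn_pps

    def steady_state_occupancy(self, syn_pps: int) -> float:
        """Entries held once admission and expiry balance (Little's law:
        occupancy = admitted rate * holding time)."""
        return self.admitted_syn_rate(syn_pps) * self.half_open_timeout_s

    def seconds_to_exhaustion(self, syn_pps: int) -> Optional[float]:
        """Seconds until the table is full, or None if expiry keeps up.

        Entries only begin to expire after half_open_timeout_s, so the table
        fills linearly at the admitted rate until then. If it fills before
        the first expiries, the flood wins; otherwise occupancy plateaus
        below max_sessions.
        """
        admitted = self.admitted_syn_rate(syn_pps)
        if admitted == 0:
            return None
        fill_time = self.max_sessions / admitted
        return fill_time if fill_time <= self.half_open_timeout_s else None


def summarize(device: StatefulDevice, syn_pps: int) -> dict:
    """Collect the numbers a capacity planner would want for one attack rate."""
    return {
        "syn_pps": syn_pps,
        "mbit_per_s": pps_to_mbit(syn_pps),
        "dropped_fraction": device.dropped_fraction(syn_pps),
        "steady_state_occupancy": device.steady_state_occupancy(syn_pps),
        "seconds_to_exhaustion": device.seconds_to_exhaustion(syn_pps),
    }


if __name__ == "__main__":
    box = StatefulDevice(max_sessions=10_000_000, setup_rate=350_000,
                         half_open_timeout_s=30.0)
    for rate in (100_000, 350_000, 1_000_000):
        print(summarize(box, rate))
```

The interesting output is the middle row: a flood of exactly 350k SYN/s, which is only about 179 Mbit/s on the wire, fills a 10 million entry table in under 30 seconds with a 30-second half-open timer, so the device protecting the target is the first thing to fall over. Raising the rate past the setup limit does not fill the table any faster, but it pushes the dropped fraction up, which is the same outage for legitimate clients.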