What is nice about load balancers is that if you design your solution correctly, you can scale them in a very nice way. Things like direct server return, where only the requests hit the load balancer, but the replies (which are usually larger) just route back directly to the client can free up resources on the load balancer to handle more complex policies. This also reduces the imposed symmetry for routing that firewalls bring to the table. Further on, if you want to really protect against a real DDoS you would most likely would have to look at a really distributed solution, where the different geographical load balancing solutions come into play. Arie On Wed, Jan 6, 2010 at 7:03 AM, George Bonser <gbonser@seven.com> wrote:
-----Original Message----- From: Dobbins, Roland [mailto:rdobbins@arbor.net] Sent: Tuesday, January 05, 2010 8:53 PM To: NANOG list Subject: Re: I don't need no stinking firewall!
On Jan 6, 2010, at 11:43 AM, George Bonser wrote:
Yes, you have to take some of the things that were done in one spot and do them in different locations now, but the results are an amazing increase in service capacity per dollar spent on infrastructure.
I strongly agree with the majority of your comments, with the caveat that I've seen many, many load-balancers fall over due to state- exhaustion, too; load-balancers need northbound protection from DDoS (S/RTBH, flow-spec, IDMS, et. al.), as well.
Yes, I have seen load balancers fall over, too. I have some interesting stories of how those problems have been solved. Sometimes it relies on using a feature of one vendor to leverage a feature of another vendor. But I generally agree with you. There is a lot that can be done ahead of the load balancers.