-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Saturday, January 09, 2010 10:03 AM
On Jan 9, 2010, at 9:57 PM, Stefan Fouant wrote:
Firewalls do have their place in DDoS mitigation scenarios, but if used as the "ultimate" solution you're asking for trouble.
In my experience, their role is to fall over and die, without exception. I can't imagine what possible use a stateful firewall has being placed in front of servers under normal conditions, much less during a DDoS attack; it just doesn't make sense.
See the earlier post - what I'm referring to here is more along the lines of stateless packet filters on upstream routers which can be triggered via Flowspec or similar mechanisms... I'm not disagreeing with you here on the other points and largely concur.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D