bill from home wrote:
All, This thread certainly has been educational, and has changed my perception of what an appropriate outward facing architecture should be. But seldom do I have the luxury of designing this from scratch, and also the networks I administer are "small businesses". My question is: at what size connection does a state table become vulnerable? Are we talking 1mb dsl's with a soho firewall?
some numbers, 100Mb/s will carry 220Kpps worth of 64byte packets, if this is a fairly simple syn attack and your firewall can support 100k new connections a second (that's a fairly fast firewall), you need less than 50Mb/s to nuke it... the maximum size of the state table on a linux derived system with 4GB of ram is north of a million connections so assuming the session rate of the dos is trackable your firewall needs to start aging connections out in an accelerated fashion after about 4 seconds otherwise you're similarly hosed... given the same firewall can probably forward 2-3mpps when it comes to small packets you run out of state long before you run out of forwarding horsepower. Some kind of firewall device that you might put in front of a business cable connection, or fractional ethernet, is likely to support a much lower connection rate; an embedded Pentium equivalent or low to mid-range mips might support a rate of 2-10k connections per second, at which point the threshold for dosing it based on session rate is quite a bit lower (quite a bit lower than that of a webserver or desktop pc for example). i.e. if 10kpps of dos will take it out that's like 5Mb/s on a device that might otherwise be able to forward 300-500Mb/s interface to interface using large packets.
Or, as I suspect, are we talking about a larger scale? I know there are variables, I am just looking for a "rule of thumb". I would not want to recommend a change if it is not warranted. But when fatter and fatter pipes become available, at what point would a change be warranted?
Thanks Bill Kruchas
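As an added back-of-envelope calculator (not code from anyone in this thread), the following models the state-table argument made above: link speed fixes the small-packet rate, a one-SYN-per-connection flood competes with the box's connection-setup rate, and entries must age out faster than the table fills. The Ethernet per-frame overhead figure and the sample firewall profiles are assumptions for illustration, not the poster's numbers.

```python
"""Back-of-envelope model of firewall state-table exhaustion under a SYN flood.
Constructed example; rates and table sizes below are illustrative, not measured."""
from dataclasses import dataclass

# Preamble (8 bytes) + inter-frame gap (12 bytes) per frame: an assumption about
# what the line rate must carry in addition to the packet itself.
ETHERNET_OVERHEAD_BYTES = 20


def wire_bits(packet_bytes: int) -> int:
    """Bits one packet occupies on the wire, framing overhead included."""
    return (packet_bytes + ETHERNET_OVERHEAD_BYTES) * 8


def packets_per_second(link_mbps: float, packet_bytes: int = 64) -> float:
    """Maximum small-packet rate a link of the given speed can deliver."""
    return link_mbps * 1e6 / wire_bits(packet_bytes)


def mbps_to_saturate_setup_rate(conn_per_sec: float, packet_bytes: int = 64) -> float:
    """Bandwidth a one-SYN-per-connection flood needs to match a setup rate."""
    return conn_per_sec * wire_bits(packet_bytes) / 1e6


@dataclass
class Firewall:
    name: str
    new_conn_per_sec: float    # connection-setup capacity
    state_table_entries: int   # maximum tracked connections
    idle_timeout_s: float      # lifetime of a half-open entry before it ages out


def assess(fw: Firewall, link_mbps: float, packet_bytes: int = 64) -> dict:
    """Which limit a link-filling flood hits first, and whether state runs out."""
    link_pps = packets_per_second(link_mbps, packet_bytes)
    insert_rate = min(link_pps, fw.new_conn_per_sec)  # can't track faster than setup
    seconds_to_fill = fw.state_table_entries / insert_rate
    return {
        "link_pps": link_pps,
        "setup_rate_is_bottleneck": link_pps > fw.new_conn_per_sec,
        "mbps_to_saturate_setup": mbps_to_saturate_setup_rate(fw.new_conn_per_sec, packet_bytes),
        "seconds_to_fill_table": seconds_to_fill,
        "max_safe_idle_timeout_s": seconds_to_fill,  # aging must beat the fill time
        "state_exhausted": fw.idle_timeout_s > seconds_to_fill,
    }


if __name__ == "__main__":
    for fw, link in ((Firewall("datacenter", 100_000, 1_000_000, 30.0), 100.0),
                     (Firewall("soho", 10_000, 65_536, 60.0), 5.0)):
        print(fw.name, assess(fw, link))
```

Lowering `idle_timeout_s` below `max_safe_idle_timeout_s` (aggressive aging of half-open entries) is the knob that flips `state_exhausted` back to False for a given link size.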
Dobbins, Roland wrote:
On Jan 8, 2010, at 3:21 PM, Arie Vayner wrote:
Further on, if you want to really protect against a real DDoS you would most likely have to look at a really distributed solution, where the different geographical load balancing solutions come into play.
GSLB or whatever we want to call it is extremely useful from a general availability standpoint; however, the attackers can always scale up and really distribute their already-DDoS even further (they learned about routeservers and DNS tinkering years ago). Architecture, visibility, and control are key, as are vendor/customer/peer/upstream/opsec community relationships.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken