Re: D/DoS mitigation hardware/software needed.
Dobbins, Roland wrote:
See here for a high-profile example: <http://files.me.com/roland.dobbins/k54qkv>
Reads like a sales pitch to me. No apples to apples comparisons, nothing like an ANOVA of PPS, payload sizes, and other vectors across different types of border defenses. Your presentation makes a good case for Arbor-type defenses, against a certain type of attack, but it doesn't make the case you're referring to. What would convince me is an IXIA on a subnet with ten hosts running a db-bound LAMP stack. Plot the failure points under different loads. Then add an ASA or Netscreen and see what fails under the same loads. That would be an objective measure, unlike what has been offered as evidence in this thread so far.
Placing a stateful inspection device in a topological position where no stateful inspection is possible due to every incoming packet being unsolicited makes zero sense whatsoever from an architectural standpoint, even without going into implementation-specific details.
Which is basically claiming that the general purpose web server, running multiple applications, is more capable of inspecting every incoming packet than hardware specifically designed for the task and doing only the task it was designed for.
Christopher Morrow wrote:
have you noticed how putting your DB and WEB server on the same hardware is a bad plan?
While often true, this is entirely tangential to the thread.
Roger Marquis
On Jan 10, 2010, at 1:27 PM, Roger Marquis wrote:
Reads like a sales pitch to me.
My employer's products don't compete with firewalls, they *protect* them; if anything, it's in my pecuniary interest to *encourage* firewall deployments, so said firewalls will fall down and need protection, heh. Teaching people how to design their server farms, harden their network infrastructure, and deploy S/RTBH and flow-spec isn't selling anything. Only someone with ulterior motives would claim otherwise. This isn't 'selling' anything, either: <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html> So, this line of attack falls flat, and merely comes across as unjustified, uninformed, foolish and petty.
Your presentation makes a good case for Arbor-type defenses, against a certain type of attack, but it doesn't make the case you're referring to.
S/RTBH and flow-spec aren't 'Arbor-type defenses', and I had a long track record of making the case for all of these things for many years before I ever worked for Arbor.
What would convince me is an IXIA on a subnet with ten hosts running a db-bound LAMP stack. Plot the failure points under different loads. Then add an ASA or Netscreen and see what fails under the same loads.
Then hop to it. I did this kind of testing when I worked for the largest manufacturer of firewalls in the world, so I've no need to repeat it.
Which is basically claiming that the general purpose web server, running multiple applications, is more capable of inspecting every incoming packet than hardware specifically designed for the task and doing only the task it was designed for.
Properly tuned, yes. Here's the thing: you're simply mistaken, and you hurl insults instead of listening to the multiple people on this thread who have vastly more large-scale Internet experience than you do and who concur with these prescriptions. That's your prerogative; and it's my prerogative to grow tired of repeating the same points which have already been made earlier in this and other threads, when they fall on biased, deaf ears. If you choose not to read and understand and learn from the broader experiences of others, that's up to you. I'm done.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
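The architectural point argued above (a connection-tracking device placed where every inbound packet is unsolicited has nothing to match state against, so each packet simply costs it a state-table slot, whereas a stateless router rule such as a flow-spec match or an S/RTBH drop holds no per-flow state) can be made concrete with a small simulation. The code below is an added illustration written for this page; it is not from the thread, from Arbor, or from any firewall vendor. The `StatefulInspector` and `StatelessFilter` classes are hypothetical toy models, the state-table capacity of 1000 is an arbitrary constructed value, and the traffic uses the RFC 5737 documentation prefixes 203.0.113.0/24 (flood sources) and 198.51.100.0/24 (legitimate clients).

```python
"""Toy model: a fixed-capacity stateful device versus a stateless match rule,
both fed the same constructed mix of unsolicited flood and legitimate SYNs.
Added example for the discussion above; not the thread's or any vendor's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    length: int
    legit: bool  # scoring label only; neither device ever looks at it


class StatefulInspector:
    """Hypothetical connection-tracking device with a fixed-size state table.
    Every new flow, solicited or not, consumes one entry; once the table is
    full, every further new flow is dropped regardless of who sent it."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table: set[tuple] = set()

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.table:
            return True              # existing flow: allowed through
        if len(self.table) >= self.capacity:
            return False             # state exhausted: new flow dropped
        self.table.add(key)          # unsolicited packet still costs a slot
        return True


class StatelessFilter:
    """Hypothetical stateless rule set in the flow-spec / S/RTBH style:
    each rule is (source prefix, destination port, maximum packet length)
    and a matching packet is dropped. No per-flow memory is kept at all."""

    def __init__(self, drop_rules):
        self.rules = [(ip_network(prefix), dport, max_len)
                      for prefix, dport, max_len in drop_rules]

    def forward(self, pkt: Packet) -> bool:
        addr = ip_address(pkt.src)
        for net, dport, max_len in self.rules:
            if addr in net and pkt.dport == dport and pkt.length <= max_len:
                return False
        return True


def constructed_traffic():
    """Constructed sample: 5000 distinct 40-byte flood SYNs to port 80 from
    203.0.113.0/24, with 50 legitimate client SYNs from 198.51.100.0/24
    arriving after the first 1500 flood packets."""
    flood = [Packet(f"203.0.113.{i % 250 + 1}", 1024 + i // 250, 80, 40, False)
             for i in range(5000)]
    legit = [Packet(f"198.51.100.{i + 1}", 40000 + i, 80, 60, True)
             for i in range(50)]
    return flood[:1500] + legit + flood[1500:]


def score(device, packets):
    """Return (legitimate packets forwarded, flood packets forwarded)."""
    legit_ok = flood_ok = 0
    for pkt in packets:
        if device.forward(pkt):
            if pkt.legit:
                legit_ok += 1
            else:
                flood_ok += 1
    return legit_ok, flood_ok


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("stateful  (legit, flood) =", score(StatefulInspector(1000), traffic))
    print("stateless (legit, flood) =",
          score(StatelessFilter([("203.0.113.0/24", 80, 64)]), traffic))
```

With these constructed inputs the stateful device fills its 1000 slots with unsolicited flows and then drops every legitimate SYN that follows, while the stateless rule forwards all 50 legitimate packets and none of the flood, at constant per-packet cost. The toy does not model state timeouts or how the flood prefix was identified (in practice that comes from flow telemetry before the rule is pushed), so it is only meant to show why per-flow state is the wrong resource to spend at that position in the topology.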