Dobbins, Roland wrote:
My employer's products don't compete with firewalls, they *protect* them; if anything, it's in my pecuniary interest to *encourage* firewall deployments, so said firewalls will fall down and need protection, heh.
Nobody's disputing that Roland, or the fact that different specialized appliances will protect against different perimeter attacks. The only thing you've said that is being disputed is the claim that a firewall under a DDoS type of attack will fail before a server under the same type of attack. I question this claim for several reasons:

* because it doesn't correlate with my 22 years of experience in systems administration and 14 years in netops (including Yahoo netsecops where I did use IXIAs to compile stats on FreeBSD and Linux packet filtering),
* it doesn't correlate with experience in large networks with multiple geographically dispersed data centers where we did use Arbor, Cisco and Juniper equipment,
* it doesn't correlate with server and firewall hardware and software designs, and last but not least,
* because you have shown no objective evidence to support the claim.
I did this kind of testing when I worked for the largest manufacturer of firewalls in the world
Where then, can we find the results of your testing?
Here's the thing; you're simply mistaken, and you hurl insults instead of listening to the multiple people on this thread who have vastly more large-scale Internet experience than you do and who concur with these prescriptions.
Nobody has "hurled insults" in this thread other than yourself, Roland. Shame on you for such disreputable tactics. To make the case you need more than repeated dismissal of requests for evidence and repeated unsupported claims of "vast experience" with failing servers and firewalls. We just need some actual statistics.

Roger Marquis
From someone who mostly lurks but has been in the network engineering operations biz for 17 years: the only OS that seems to always keel over under a DDoS and need a firewall is Windows. Linux in its current incarnation can handle a substantially larger attack before needing mitigation by a firewall-type device. So in the end I believe it's the environment that dictates the use of products, unless you have the aforementioned Windows OS, which for me has always necessitated a firewall.

Manolo
Sent from my BlackBerry

-----Original Message-----
From: Roger Marquis <marquis@roble.com>
Date: Sun, 10 Jan 2010 08:55:13
To: <nanog@nanog.org>
Subject: Re: D/DoS mitigation hardware/software needed.
On Jan 10, 2010, at 11:55 PM, Roger Marquis wrote:
The only thing you've said that is being disputed is the the claim that a firewall under a DDoS type of attack will fail before a server under the same type of attack.
It's so obvious that well-crafted programmatically-generated attack traffic, if nothing else, will crowd out the good traffic that I'm just dumbfounded anyone thinks 'proof' of this is needed. Same thing for the fact that a horizontally-scaled Web farm (with or without reverse caching proxies) will of necessity handle a great deal more TCP state than the biggest firewall made to date.
* because it doesn't correlate with my 22 years of experience in systems administration and 14 years in netops (including Yahoo netsecops where I did use IXIAs to compile stats on FreeBSD and Linux packet filtering),
It doesn't correlate with my 25 years in the industry, a good portion of the last 15 years spent handling DDoS after DDoS after DDoS, during which the biggest, baddest firewalls choked and died over and over again, through multiple generations of said firewalls. Again, I was able to take down a hardware-based (for whatever value of 'hardware-based' is possible) firewall rated at 2gb/sec with 80kpps of traffic.
* it doesn't correlate with experience in large networks with multiple geographically disperse data centers where we did use Arbor, Cisco and Juniper equipment,
It correlates with my experience in large networks with geographically-dispersed IDCs with heterogeneous gear.
* it doesn't correlate with server and firewall hardware and software designs, and last but not least,
Which is a non-sequitur.
* because you have shown no objective evidence to support the claim.
I've my own broad subjective experience, and several other people who've commented on this thread have had similar experiences. Since you haven't yet acquired this subjective experience, you can cause it to happen in a controlled test environment, should you so choose.
Where then, can we find the results of your testing?
The testing I did when I worked for the vendor in question is proprietary, as you can well surmise. You're free to do your own testing and confirm these assertions for yourself.
Nobody has "hurled insults" in this thread other than yourself Roland.
You accused me of acting in my own pecuniary interest, of trying to 'sell' things, *for no reason at all*.
We just need some actual statistics.
If you actually care about the truth of the matter, you're free to generate your own. If you read the RoK/USA DDoS preso to which I linked, you see the attack throughput and bandwidth metrics/host, and you also see where I noted multiple 'Web Application Firewalls', load-balancers, and so-called 'IPS' falling over as a result of those attacks. That gives you a range right there, along with some attack traffic characteristics, including average packet size.

It makes no sense to put a stateful inspection device in front of servers, where *every single packet* is unsolicited, and therefore no state tracking is even possible in the first place. Stateless filters in hardware capable of mpps do a much better job, without the risk of falling over due to state-table exhaustion.

Folks who've been unlucky enough to be subjected to significant DDoS attacks have run into this issue again and again and again. Perhaps you've simply been lucky; but one can't count on one's luck holding forever.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
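As an added illustration that is not part of the thread, a small Python model of the state-table exhaustion argument made above, built on Little's law (entries held = arrival rate times hold time); the table capacity, timeout and traffic rates are constructed figures, and pro-rata sharing of freed slots is a modelling assumption, not measured device behaviour:

```python
"""Added back-of-envelope model (constructed numbers, not vendor data) of
why a stateful device in front of servers that only see unsolicited
packets exhausts its state table, while a stateless filter does not."""


def steady_state_entries(attack_pps, hold_s, legit_cps=0.0, legit_hold_s=0.0):
    """Little's law: entries held = arrival rate * time each entry is held.
    Attack SYNs never complete, so each holds a slot for the half-open
    timeout; legitimate connections hold one for their lifetime."""
    return attack_pps * hold_s + legit_cps * legit_hold_s


def time_to_exhaustion(capacity, attack_pps, hold_s):
    """Seconds until a table of `capacity` entries fills from empty, or
    None when entries expire fast enough that it never fills."""
    if attack_pps * hold_s < capacity:
        return None
    return capacity / attack_pps


def legit_admission_stateful(capacity, attack_pps, hold_s, legit_cps, legit_hold_s):
    """Fraction of legitimate connections that win a slot once the table is
    saturated. Assumption: freed slots are contended pro rata by arrivals,
    so the admitted share is capacity / demanded entries."""
    demand = steady_state_entries(attack_pps, hold_s, legit_cps, legit_hold_s)
    return 1.0 if demand == 0 else min(1.0, capacity / demand)


def legit_admission_stateless(forward_pps, attack_pps, legit_pps):
    """A stateless ACL keeps no per-flow state, so the only limit is raw
    forwarding rate: admission stays 1.0 until the box is pps-saturated."""
    total = attack_pps + legit_pps
    return 1.0 if total == 0 else min(1.0, forward_pps / total)


if __name__ == "__main__":
    # Constructed scenario: 1M-entry table, 30 s half-open timeout,
    # 80 kpps of spoofed SYNs, 1000 legit connections/s living ~5 s each.
    cap, timeout, atk, legit, legit_hold = 1_000_000, 30.0, 80_000, 1_000, 5.0
    print("fill time (s):", time_to_exhaustion(cap, atk, timeout))
    print("legit admitted, stateful:",
          round(legit_admission_stateful(cap, atk, timeout, legit, legit_hold), 3))
    # Same flood through a hardware ACL forwarding 10 Mpps: no state to exhaust.
    print("legit admitted, stateless:",
          legit_admission_stateless(10_000_000, atk, 50_000))
```

The practical check is the product attack rate times half-open timeout against the device's entry limit: once that product exceeds the limit, legitimate admission falls toward capacity divided by demand regardless of the device's bandwidth rating.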
From: "Dobbins, Roland" <rdobbins@arbor.net> Date: Sun, 10 Jan 2010 21:56:38 +0000
There is a culture that has developed a dogma that firewalls are THE solution. Be it DDOS or most any other security threat. Like many dogmas, it is ingrained into so many people that denial is essentially heresy. People simply "know" that a firewall is essential, so any contrary argument is obviously bogus or confused and must be denied.

I used to work at the place that probably invented the stateful firewall and the folks who invented it became the priests of the firewall dogma and went forth and preached its value. Note that this predates DDOS by many years and that they did have some valid arguments. But the result was an army of security "experts" who scowled and marked the audit as "FAILED" if you did not front EVERYTHING with a firewall. I know of one case where an organization bought a firewall and programmed it to pass everything, just to fix an automatic failure of a security audit. Oddly, the auditor did not even look at how the firewall was configured. Simple presence of the box made him happy.

I'm afraid that you are fighting a dogma that will only slowly be beaten into recognizing reality, but I appreciate your fighting the good fight.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
participants (4)
- Dobbins, Roland
- Kevin Oberman
- Manolo Hernandez
- Roger Marquis