nanog mailing list archives
RE: I don't need no stinking firewall!
From: "George Bonser" <gbonser () seven com>
Date: Tue, 5 Jan 2010 23:45:43 -0800
> See above; in front of the server, there's no state to track in the first place, heh. Fish, meet bicycle.
I think that is the part that some people aren't getting. You have a network just sitting there. A SYN packet arrives for port 80 to an HTTP server. You ARE going to allow it because that is what a web server does. Now if you have a firewall in front of the load balancer you have a three-way handshake that goes on with the firewall. Then another one between the firewall and the load balancer. And then possibly yet another one between the balancer and the server if you aren't using persistent connections in that part of the network.

So now you get a DoS request that is as simple as "GET /index.html" or worse, some huge file, which you are also going to allow anyway because there is no way to tell a legitimate request from a flood of requests from a botnet or someone posted your link on Slashdot or whatever. So now your web server is flooded with "legitimate" requests that pass all of your policy but you are being overwhelmed by the sheer volume of them and they are originating from thousands of IP addresses from all around the world. They are all getting through your firewall. So now it is just a matter of which is the weakest link in the chain. If you have enough servers and bandwidth, the firewall is often that weakest link.
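As an added illustration (not part of George's post or anyone else's in the thread), a toy simulation of the situation described above: a stateful firewall with a bounded connection table in front of a web tier that can comfortably carry the same load. Every connection is a policy-compliant GET on tcp/80, so nothing is blocked by policy; the only question is which box runs out of resources first. All sizing here is invented for the example (10,000 table entries held for 60 ticks, 500 new connections per tick from distinct sources, 20 servers at 1,000 concurrent requests each), and the firewall model is deliberately simple: an entry is created on the SYN and lingers for a fixed hold time, standing in for the close-wait hold a real connection tracker applies after the server finishes.

```python
"""Toy model: stateful firewall with a bounded connection table vs. a stateless
ACL, both in front of the same web tier, under a flood of legitimate GETs.
Every number below is invented for illustration."""

from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Conntrack-style device: one table entry per flow, kept for idle_timeout
    ticks after the flow was last seen.  Here the entry is created on the SYN
    and never refreshed, so idle_timeout models the hold a real tracker keeps
    after the connection closes (the entry outlives the server's actual work)."""
    capacity: int
    idle_timeout: int
    table: dict = field(default_factory=dict)  # flow_id -> tick the flow was created
    dropped: int = 0                            # SYNs refused because the table was full

    def expire(self, now):
        stale = [f for f, seen in self.table.items() if now - seen > self.idle_timeout]
        for f in stale:
            del self.table[f]

    def admit(self, flow_id, now):
        if len(self.table) >= self.capacity:
            self.dropped += 1
            return False
        self.table[flow_id] = now
        return True


@dataclass
class StatelessAcl:
    """Plain packet filter: 'tcp/80 to the web VIP is permitted'.  It keeps no
    per-flow memory, so there is no table to fill and nothing to expire."""
    table: dict = field(default_factory=dict)  # always empty; kept for uniform reporting
    dropped: int = 0

    def expire(self, now):
        pass

    def admit(self, flow_id, now):
        return True  # every flow in this model is tcp/80 to the VIP, so policy says yes


@dataclass
class WebTier:
    servers: int
    per_server_concurrency: int
    service_ticks: int                          # how long one GET occupies a server slot
    active: dict = field(default_factory=dict)  # flow_id -> tick the response completes
    served: int = 0
    refused: int = 0

    def tick(self, now):
        for f in [f for f, done in self.active.items() if done <= now]:
            del self.active[f]
            self.served += 1

    def accept(self, flow_id, now):
        if len(self.active) >= self.servers * self.per_server_concurrency:
            self.refused += 1
            return False
        self.active[flow_id] = now + self.service_ticks
        return True


def simulate(front, web, arrivals_per_tick, ticks):
    """Offer arrivals_per_tick new connections per tick, each from a distinct
    source, and report where each one ended up."""
    flow_id = 0
    for now in range(ticks):
        web.tick(now)
        front.expire(now)
        for _ in range(arrivals_per_tick):
            if front.admit(flow_id, now):
                web.accept(flow_id, now)
            flow_id += 1
    return {
        "offered": flow_id,
        "dropped_at_firewall": front.dropped,
        "refused_at_servers": web.refused,
        "served": web.served,
        "still_in_progress": len(web.active),
        "fw_table_in_use": len(front.table),
    }


# Invented sizing: 20 servers x 1,000 concurrent requests = 20,000 slots; a GET
# holds a slot for 2 ticks, so 500 new connections/tick is only ~1,000 concurrent.
ARRIVALS_PER_TICK = 500
TICKS = 200


def new_web_tier():
    return WebTier(servers=20, per_server_concurrency=1000, service_ticks=2)


def run_stateful():
    """10,000 entries held 60 ticks each: 500/tick needs ~30,000, so SYNs get dropped."""
    return simulate(StatefulFirewall(capacity=10_000, idle_timeout=60),
                    new_web_tier(), ARRIVALS_PER_TICK, TICKS)


def run_stateless():
    """Same load through a stateless ACL: nothing to exhaust in front of the servers."""
    return simulate(StatelessAcl(), new_web_tier(), ARRIVALS_PER_TICK, TICKS)


if __name__ == "__main__":
    for name, result in (("stateful firewall", run_stateful()),
                         ("stateless ACL", run_stateless())):
        print(f"{name}: {result}")
```

Running it, the web tier never refuses a request in either case; the only drops occur at the stateful firewall, whose table sits at capacity while the servers are using about five percent of theirs. The point of the model is that the drop is caused by a resource the firewall added to the path, not by anything the policy decided.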