nanog mailing list archives
Re: I don't need no stinking firewall!
From: William Pitcock <nenolod () systeminplace net>
Date: Wed, 06 Jan 2010 02:03:20 -0600
On Wed, 2010-01-06 at 01:47 -0600, James Hess wrote:
> On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland <rdobbins () arbor net> wrote:
>> On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote:
>> DDoS attacks are attacks against capacity and/or state. Start reducing
>
> DDoS, by its very nature, is a type of attack that dances around common security measures like conventional firewalls. The possibility of someone dropping a nuke on your facility shouldn't stop you from locking your doors at night. If necessary, use another arrangement to detect that threat, and protect firewall+servers from it.
DDoS mitigation gear tends to choke up in my experience. It's a really touchy subject.
> Having no 'firewall' type safeguard at all (stateless or otherwise) would appear pretty risky.
Not really, because firewalls don't do anything useful. Stateless ACL policies do something useful, and usually that is handled in the router in a modern network. The other features of a firewall range from not so useful to actively harmful.
>> Because, by definition, all incoming packets to the server are unsolicited.
>
> For UDP servers sure.. not for TCP.. the initial SYN is unsolicited, for inbound TCP connections. Once the server acknowledges the connection by invoking accept(), the rest of the packets are solicited; the packets are either part of an active connection, or unwanted.
Wrong. You seem to assume that TCP stacks are well-behaved, or that botnets aren't just synthesizing junk. I've seen unsolicited ACK floods before. They are quite real. So, in fact, all incoming packets should be considered unsolicited until proven otherwise. It should be mentioned that DDoS mitigation gear in use on that network let those packets through without even alerting us about it.

William
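As an added illustration (not part of the thread), the Python sketch below shows the distinction being argued: an ACK-bearing packet is not "part of an active connection" just because it carries the ACK flag, it has to match real connection state, and a flood spread across many spoofed sources stays invisible to per-source counting while a per-target count of stateless ACKs catches it. The state table, addresses (RFC 5737 documentation ranges) and threshold are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "A", "SA", "PA"


# Assumed state table: 4-tuples the server has actually accept()ed.
CONNECTIONS = {("198.51.100.7", 40001, "203.0.113.10", 80)}

# Constructed sample traffic: one legitimate data segment, one legitimate
# new SYN, and 200 bare ACKs spread thinly over 50 spoofed sources.
SAMPLE = [
    Packet("198.51.100.7", 40001, "203.0.113.10", 80, "PA"),
    Packet("198.51.100.9", 51000, "203.0.113.10", 80, "S"),
] + [
    Packet("192.0.2.%d" % (i % 50), 1024 + i, "203.0.113.10", 80, "A")
    for i in range(200)
]


def is_solicited(pkt, state):
    """A packet counts as solicited only if it opens a connection (bare SYN)
    or matches an entry in the connection state table. Everything else,
    including an ACK with no matching state, is unsolicited until proven
    otherwise."""
    if pkt.flags == "S":
        return True
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in state


def unsolicited_acks(packets, state):
    """Return the ACK-bearing, non-SYN packets that match no known connection."""
    return [p for p in packets
            if "A" in p.flags and "S" not in p.flags and not is_solicited(p, state)]


def detect_ack_flood(packets, state, threshold):
    """Count unsolicited ACKs per (dst, dport) and per source. Per-target
    counts exceeding the threshold are reported; the per-source view is
    returned too, to show why source-based limits miss a spread-out flood."""
    per_target, per_source = Counter(), Counter()
    for p in unsolicited_acks(packets, state):
        per_target[(p.dst, p.dport)] += 1
        per_source[p.src] += 1
    flooded = {k: n for k, n in per_target.items() if n >= threshold}
    return flooded, max(per_source.values(), default=0)
```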