nanog mailing list archives
Re: D/DoS mitigation hardware/software needed.
From: Roger Marquis <marquis () roble com>
Date: Sat, 9 Jan 2010 22:27:27 -0800 (PST)
Dobbins, Roland wrote:
> See here for a high-profile example: <http://files.me.com/roland.dobbins/k54qkv>
Reads like a sales pitch to me. No apples to apples comparisons, nothing like an ANOVA of PPS, payload sizes, and other vectors across different types of border defenses. Your presentation makes a good case for Arbor-type defenses, against a certain type of attack, but it doesn't make the case you're referring to. What would convince me is an IXIA on a subnet with ten hosts running a db-bound LAMP stack. Plot the failure points under different loads. Then add an ASA or Netscreen and see what fails under the same loads. That would be an objective measure, unlike what has been offered as evidence in this thread so far.
> Placing a stateful inspection device in a topological position where no stateful inspection is possible due to every incoming packet being unsolicited makes zero sense whatsoever from an architectural standpoint, even without going into implementation-specific details.
Which is basically claiming that the general purpose web server, running multiple applications, is more capable of inspecting every incoming packet than hardware specifically designed for the task and doing only the task it was designed for.
Christopher Morrow wrote:
> have you noticed how putting your DB and WEB server on the same hardware is a bad plan?
While often true, this is entirely tangential to the thread.
Roger Marquis