Re: D/DoS mitigation hardware/software needed.

[Roger Marquis <marquis () roble com>]

Dobbins, Roland wrote:
> See here for a high-profile example:
> <http://files.me.com/roland.dobbins/k54qkv>

Reads like a sales pitch to me.  No apples to apples comparisons, nothing
like an ANOVA of PPS, payload sizes, and other vectors across different
types of border defenses.  Your presentation makes a good case for
Arbor-type defenses, against a certain type of attack, but it doesn't
make the case you're referring to.

What would convince me is an IXIA on a subnet with ten hosts running a
db-bound LAMP stack.  Plot the failure points under different loads.
Then add an ASA or Netscreen and see what fails under the same loads.
That would be an objective measure, unlike what has been offered as
evidence in this thread so far.

> Placing a stateful inspection device in a topological position where no
> stateful inspection is possible due to every incoming packet being
> unsolicited makes zero sense whatsoever from an architectural standpoint,
> even without going into implementation-specific details.

Which is basically claiming that the general purpose web server, running
multiple applications, is more capable of inspecting every incoming packet
than hardware specifically designed for the task and doing only the task
it was designed for.

Christopher Morrow wrote:
> have you noticed how putting your DB and WEB server on the same hardware
> is a bad plan?

While often true this is entirely tangental to the thread.

Roger Marquis