nanog mailing list archives
Re: Checkpoint IPS
From: Ca By <cb.list6 () gmail com>
Date: Sat, 7 Feb 2015 20:05:29 -0800
On Friday, February 6, 2015, Roland Dobbins <rdobbins () arbor net> wrote:
On 6 Feb 2015, at 23:23, Darden, Patrick wrote:
And when your opinion is an acknowledged universal constant, I will tip my hat to you.
It's been a constant for the last couple of decades - I can't count the number of times I've been involved in mitigating penny-ante DDoS attacks which succeeded *solely* due to state exhaustion on stateful firewalls, 'IPS' devices, and load-balancers.
I've seen a 20gb/sec commercial stateful firewall taken down by a 3mb/sec spoofed SYN-flood. I've seen a 10gb/sec commercial load-balancer taken down by 60 seconds at 6kpps - yes, 6kpps - of HOIC. And so on, and so forth.
'Dismiss' it all you like, but it's a real issue, as others on this list know from bitter experience.
Hi,
Roland is right. 99% of network based security products are pure snake oil.
Patch your servers, know your base line, statelessly filter unwanted traffic, rtbh as needed, sleep well at night.
Bye.
----------------------------------- Roland Dobbins <rdobbins () arbor net>