[dns-operations] DNS Issue
Dobbins, Roland
rdobbins at arbor.net
Fri Apr 26 12:36:05 UTC 2013
On Apr 26, 2013, at 7:23 PM, Joe Abley wrote:
> The number of stateful firewalls that can happily handle occasional flows of up to 100,000 flows per second to/from individual devices are few. "Yours probably isn't one of them."
I've seen 3mb/sec of spoofed SYN-flood take down a stateful firewall rated at 20gb/sec - DDoS, deliberate or inadvertent, means that no stateful firewall which could practically be constructed now or in the foreseeable future could handle this.
What's more, it's unnecessary - since every incoming connection is unsolicited, there's no state to inspect in the first place. Operators should use stateless ACLs in hardware-based routers/layer-3 switches to instantiate network access policies (I know you know all this, just posting it for the sake of completeness).
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
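As an added illustration of the point made above (example code, not from the thread or from any product mentioned in it): a stateless ACL classifies every packet with no memory, whereas a stateful device must allocate a table entry for each new flow, so a spoofed SYN flood whose handshakes never complete fills the table and the legitimate query arriving behind it is dropped. The addresses, ACL, table size and flood are all constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst proto dport")
DNS_SERVER = "192.0.2.53"  # constructed (RFC 5737 documentation range)

# Stateless ACL, as a router or layer-3 switch would hold it in hardware:
# (action, proto, dst, dport); first match wins; no per-flow memory at all.
ACL = [
    ("permit", "udp", DNS_SERVER, 53),
    ("permit", "tcp", DNS_SERVER, 53),
    ("deny", "any", "any", None),
]

def stateless_acl(pkt):
    """Classify one packet against ACL: bounded time, zero state, implicit deny."""
    for action, proto, dst, dport in ACL:
        if proto != "any" and proto != pkt.proto:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False

class StatefulFirewall:
    """Toy model: each new flow takes one slot; half-open spoofed flows never free it."""
    def __init__(self, max_flows):
        self.max_flows = max_flows
        self.flows = set()

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.proto, pkt.dport)
        if key in self.flows:
            return True
        if not stateless_acl(pkt):  # same policy applies; the difference is the state
            return False
        if len(self.flows) >= self.max_flows:
            return False  # table exhausted: every new flow is dropped, legitimate or not
        self.flows.add(key)
        return True

def simulate(flood_packets, table_size):
    """Spoofed SYN flood, then one real query; returns (stateful_passed, stateless_passed)."""
    fw = StatefulFirewall(table_size)
    for i in range(flood_packets):
        # Constructed spoofed sources: policy-compliant SYNs to the DNS server's TCP/53.
        spoofed = Packet(f"203.0.113.{i % 250 + 1}", 40000 + i, DNS_SERVER, "tcp", 53)
        fw.forward(spoofed)
    real = Packet("198.51.100.7", 51234, DNS_SERVER, "udp", 53)
    return fw.forward(real), stateless_acl(real)
```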