[dns-operations] DNS Issue

Dobbins, Roland rdobbins at arbor.net
Fri Apr 26 12:36:05 UTC 2013

On Apr 26, 2013, at 7:23 PM, Joe Abley wrote:

> The number of stateful firewalls that can happily handle occasional flows of up to 100,000 flows per second two/from individual devices are few. "Yours probably isn't one of them."

I've seen 3mb/sec of spoofed SYN-flood take down a stateful firewall rated at 20gb/sec - DDoS, deliberate or inadvertent, means that no stateful firewall which could practically be constructed now or in the foreseeable future could handle this.

What's more, it's unnecessary - since every incoming connection is unsolicited, there's no state to inspect in the first place.  Operators should use stateless ACLs in hardware-based routers/layer-3 switches to instantiate network access policies (I know you know all this, just posting it for the sake of completeness).

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the dns-operations mailing list