[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
D/DoS mitigation hardware/software needed.
On Jan 5, 2010, at 10:06 AM, Jeffrey Lyon wrote:
> We have such a configuration in progress, it works great without any of the issues you're proposing.
Then you aren't testing it to destruction, heh.
;>
If it's a stateful firewall, and state-tracking is turned on, it's quite possible to craft sufficient pathological traffic which conforms to the firewall policies and yet which leads to state-table inspection.
And the stateful firewall serves no purpose in front of servers, in which *every incoming packet* is unsolicited. Far more sensible to enforce policy in stateless ACLs in ASIC-based router/switch hardware.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken