On Jun 10, 2009, at 9:32 PM, Maxwell Reid wrote:
> You really only need specialized ASICs as part of the forwarding plane of high-end routers.
When you're talking about DDoS, that's what's needed; general-purpose CPUs on boxes running many different VM/OS/app stacks, or things like ASAs, don't cut it.
That's why you don't see stateful firewalling in front of major public-facing properties; not only is it useless by definition in such scenarios, in which every single incoming connection is unsolicited, but it's a DDoS chokepoint due to the state instantiated and the limited resources available.
-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

Unfortunately, inefficiency scales really well.

-- Kevin Lawton
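
The chokepoint argument in the message above, as a small capacity model (an added example, not part of the original post). The table size, state timeout, port and traffic rates are constructed assumptions, not figures from the thread or from any product.

```python
from collections import deque

# All figures below are constructed for illustration, not measurements.
TABLE_SIZE = 50_000        # assumed connection-table capacity
STATE_TIMEOUT_MS = 30_000  # assumed lifetime of one state entry
PORT = 443                 # the public-facing service port

def build_traffic(flood):
    """Return time-sorted (time_ms, dst_port, is_legit) new-connection arrivals."""
    arrivals = [(t, PORT, True) for t in range(0, 60_000, 100)]  # 10 conn/s of real users
    if flood:
        # 5,000 unsolicited conn/s for 30 s, aimed at the same port as real users
        arrivals += [(t, PORT, False) for t in range(10_000, 40_000) for _ in range(5)]
    return sorted(arrivals)

def stateful_firewall(arrivals):
    """Every permitted connection holds a table slot until its state times out."""
    expiries = deque()  # arrivals are time-ordered, so expiry times are too
    admitted = dropped = 0
    for t, port, legit in arrivals:
        while expiries and expiries[0] <= t:   # age out old state
            expiries.popleft()
        if port == PORT and len(expiries) < TABLE_SIZE:
            expiries.append(t + STATE_TIMEOUT_MS)
            admitted += legit
        else:                                  # table full: new connections fail
            dropped += legit
    return admitted, dropped

def stateless_acl(arrivals):
    """Per-packet permit rule: no table is kept, so there is nothing to exhaust."""
    admitted = sum(1 for _, port, legit in arrivals if port == PORT and legit)
    dropped = sum(1 for _, port, legit in arrivals if port != PORT and legit)
    return admitted, dropped

if __name__ == "__main__":
    for flood in (False, True):
        traffic = build_traffic(flood)
        print("flood" if flood else "quiet",
              "stateful:", stateful_firewall(traffic),
              "stateless:", stateless_acl(traffic))
```

The model only shows where legitimate connections are lost; the stateless rule still passes the flood downstream, so the servers or a separate mitigation layer have to absorb it.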