On Fri, Jan 3, 2014 at 4:30 AM, Dobbins, Roland <rdobb...@arbor.net> wrote:
> > On Jan 3, 2014, at 12:32 AM, Eugeniu Patrascu <eu...@imacandi.net> wrote:
> >
> > With modern machines (from a few years back) you can track a lot of
> > connections effortlessly.
>
> I think you don't understand the scale of even small DDoS attacks in terms
> of state-tracking.
>
> Stateful devices put in front of servers which are then DDoSed go down,
> taking down everything behind those stateful devices. I've seen 3mb/sec of
> spoofed SYN-flood take down a 20gb/sec stateful firewall; I've seen 10kpps
> of HOIC take down a 10gb/sec load-balancer.
>
> This isn't theoretical or speculative.
>

Maybe I should try this again: what I said was that on the recursive resolvers dedicated for your clients you can add an extra layer of protection, in terms of dropping fake responses targeted at those servers, by means of a local firewall set up on each box, not on a gateway-like box.

My reasoning is that the kernel would be better at dropping unwanted packets faster than the userspace DNS daemon can discard them. And with very small timers enabled this should be feasible.

What I'm arguing against is the idea of rate limiting a service just because it might be attacked, and having your customers play the lottery with their queries and try again if their packets are lost due to rate limiting.

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
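One concrete shape of the per-box filter described in the post above, added here as an example and not taken from the thread or either poster: it assumes a Linux resolver using nftables with conntrack, serving udp/tcp 53, with a constructed client prefix of 192.0.2.0/24.

```shell
#!/bin/sh
# Added example (not from the thread): per-resolver nftables policy in the
# spirit of the post above. Assumed: the resolver serves udp/tcp 53 and its
# clients sit in 192.0.2.0/24 (a constructed prefix; override with CLIENT_NET).
CLIENT_NET="${CLIENT_NET:-192.0.2.0/24}"

# Emit the ruleset on stdout so it can be reviewed before it is applied.
render_ruleset() {
    cat <<EOF
table inet resolver_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # Queries from our own customers reach the daemon; nobody else's do.
        ip saddr ${CLIENT_NET} udp dport 53 accept
        ip saddr ${CLIENT_NET} tcp dport 53 accept
        udp dport 53 counter drop
        tcp dport 53 counter drop

        # Replies to queries this box actually sent: conntrack recorded the
        # outbound query, so the reply matches an existing entry.
        udp sport 53 ct state established accept

        # Any other packet claiming to be a DNS reply has no outbound query
        # behind it; the kernel drops it before the daemon ever sees it.
        udp sport 53 ct state new counter drop
    }
}
EOF
}

# "Very small timers": short UDP conntrack lifetimes keep the state table
# small, so an outbound query only occupies an entry for a few seconds.
render_sysctl() {
    cat <<EOF
net.netfilter.nf_conntrack_udp_timeout = 5
net.netfilter.nf_conntrack_udp_timeout_stream = 10
EOF
}

# Load the ruleset and sysctls; needs root and nft, otherwise just print them.
apply_all() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        render_ruleset; render_sysctl; return 0
    fi
    render_ruleset | nft -f -
    render_sysctl | while read -r key _ value; do sysctl -w "${key}=${value}"; done
}

if [ "${1:-}" = "--apply" ]; then apply_all; else render_ruleset; render_sysctl; fi
```

The conntrack entries created by the resolver's own outbound queries are exactly the state the objection quoted above is about, so watch /proc/sys/net/netfilter/nf_conntrack_count against nf_conntrack_max under load, and the `counter` on the drop rules shows how much the kernel is absorbing.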