On Wed, 2010-01-06 at 01:47 -0600, James Hess wrote: > On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland <rdobb...@arbor.net> wrote: > > On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: > > DDoS attacks are attacks against capacity and/or state. Start reducing > > DDoS, by its very nature is a type of attack that dances around > common security measures like conventional firewalls, by its very > nature. > > The possibility of someone dropping a nuke on your facility, > shouldn't stop you from locking your doors at night. > If necessary, use another arrangement to detect that threat, and > protect firewall+servers from it. >
DDoS mitigation gear tends to choke up in my experience. It's a really touchy subject. > Having no 'firewall' type safeguard at all (stateless or otherwise) > would appear pretty risky. Not really, because firewalls don't do anything useful. Stateless ACL policies do something useful, and usually that is handled in the router in a modern network. The other features of a firewall range from not so useful to actively harmful. > > > Because, by definition, all incoming packets to the server are unsolicited. > > For UDP servers sure.. not for TCP.. the initial SYN is unsolicited, > for inbound TCP connections. Once the server acknowledges the > connection by invoking accept(), the rest of it the packets are > solicited, the packets are either part of an active connection, or > unwanted. Wrong. You seem to assume that TCP stacks are well-behaved, or that botnets aren't just synthesizing junk. I've seen unsolicited ACK floods before. They are quite real. So, in fact, all incoming packets should be considered unsolicited until proven otherwise. It should be mentioned that DDoS mitigation gear in use on that network let those packets through without even alerting us about it. William
