On Jan 11, 2010, at 12:56 PM, George Bonser wrote: > One would probably have a load balancer of some sort in front of those > machines. That is the device that would be fielding any DoS.
Yes, and as you've noted previously, it should be protected via stateless ACLs in hardware capable of handling mpps, S/RTBH, flow-spec, IDMS, whatever. And of course the load-balancer should also be fronted by a reverse-proxy cache farm, if the servers in question are Web servers. > I have a feeling you are talking about relatively small amounts of traffic. I believe that these comments were more along the lines of 'servers can better handle this that stateful firewalls', not ruling out the use of load-balancers, reverse-proxy caches, etc. as appropriate. ----------------------------------------------------------------------- Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
