ben wrote:

> I was thinking along the lines of either a Xeon or Opteron board
> with a couple Intel Pro/1000 XF cards.

You should watch interrupts and bus speeds, not so much the processor
GHz. However, it's true that "server" boards usually get separate
PCI/PCI-X buses, better cache/RAM access times, etc.

> Actually, we have just over 5Gbit of aggregate bandwidth, soon to be
> 10Gbit.  This service frequently attracts attacks in excess of
> 500mbit.  Response time on a BGP blackhole server solution is
> too slow.

Well, everything depends on the implementation. The speed of a BGP sinkhole
depends on your ability to inject a /32 route for the spoofed/real source
of the unwanted traffic. If you have a NOC with people occasionally
looking at the traffic graphs, you could easily spot and eliminate
most of the trouble right away.

And if you now have 5, soon to be 10 Gbit/s of traffic, you should
IMHO start thinking about a combined solution: using various techniques
together to filter out as much as possible, as far out on the Internet
side as you can (including cooperating with your ISP to kill some of the
traffic already in its core network with the proposed BGP sinkhole) and as
close to the end users as you can on the LAN/campus side.

I imagine that a firewall built on *BSD with such performance should be
some kind of cluster, or some kind of "big bucks" hardware: a Cat6500
with FWSM, or some Netscreen appliance.

A separate matter is how to physically aggregate the traffic. I think
that if you carefully designed the border of your network and invested
some money in one or more advanced L3 switches, they would give a
great performance boost to your *BSD implementation. Most modern
L3 switches can do ACLs on incoming/outgoing traffic at wire speed,
so filtering out the usual trashy traffic (bogons, 137-139 and others,
including for example killing all sessions not initiated from
proper sources) would be a great help in saving precious CPU cycles
and NIC interrupts on the software firewall, and would let it do
the "real" stateful connection tracking/scrubbing/etc.

--
Łukasz Bromirski                             lbromirski:mr0vka.eu.org
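The two-stage design in the reply above, as an added example that is not part of the original post or anyone's production configuration: stage 1 models the stateless checks the reply wants pushed onto a wire-speed switch ACL (bogon sources, NetBIOS ports 137-139), and stage 2 reads flow records for one measurement window, finds sources or destinations whose rate exceeds the 500 Mbit figure quoted in the thread, and emits /32 blackhole routes for them. The bogon list, the flow records, the threshold and the IOS-style `ip route ... Null0` syntax are all assumptions made for the example.

```python
"""Added example: stateless ACL pre-filter plus /32 blackhole candidate
selection from flow records. Illustrative only; prefixes, flows, threshold
and route syntax are assumptions, not the original poster's setup."""

import ipaddress
from collections import defaultdict

# Assumption: a small bogon list (RFC 1918, loopback, link-local,
# multicast, "this" network). A real deployment would pull a maintained list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]
NETBIOS_PORTS = {137, 138, 139}

# Assumption: the "attacks in excess of 500mbit" figure from the thread.
ATTACK_THRESHOLD_BPS = 500_000_000

# Constructed flow records for one 10-second window:
# (src, dst, proto, dport, bytes). Addresses are from the TEST-NET ranges.
WINDOW_SECONDS = 10
FLOWS = [
    ("203.0.113.7", "198.51.100.10", "udp", 53, 800_000_000),   # flood
    ("203.0.113.8", "198.51.100.10", "tcp", 80, 100_000_000),   # normal
    ("10.0.0.5", "198.51.100.10", "udp", 53, 2_000_000_000),    # bogon src
    ("203.0.113.9", "198.51.100.11", "tcp", 139, 900_000_000),  # NetBIOS
]


def acl_decision(src, proto, dport):
    """Stateless check a switch ACL can make at wire speed.
    Returns a drop reason, or None to hand the packet to the stateful
    firewall."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon-source"
    if proto in ("tcp", "udp") and dport in NETBIOS_PORTS:
        return "netbios"
    return None


def blackhole_candidates(flows, window_s, key="src"):
    """Aggregate bytes per source (key="src") or per destination
    (key="dst") over one window, ignoring what the ACL already dropped.
    Returns a sorted list of (address, bits_per_second) above threshold.
    Note: spoofed floods spread over many sources and will not trip the
    per-source check; the per-destination (victim) check is the fallback."""
    idx = 0 if key == "src" else 1
    totals = defaultdict(int)
    for flow in flows:
        src, _dst, proto, dport, nbytes = flow
        if acl_decision(src, proto, dport):
            continue  # already discarded upstream, don't count it
        totals[flow[idx]] += nbytes
    result = []
    for addr, nbytes in sorted(totals.items()):
        bps = nbytes * 8 / window_s
        if bps > ATTACK_THRESHOLD_BPS:
            result.append((addr, int(bps)))
    return result


def blackhole_routes(candidates):
    """Assumption: IOS-style static /32 routes to Null0, the form a
    triggered-blackhole router would redistribute into BGP."""
    return [f"ip route {addr} 255.255.255.255 Null0" for addr, _bps in candidates]


if __name__ == "__main__":
    for line in blackhole_routes(blackhole_candidates(FLOWS, WINDOW_SECONDS, "src")):
        print(line)
```

The point of counting only what the ACL passed is the one the reply makes: traffic the switch drops at wire speed never reaches the software firewall, so it should not influence the blackhole decision either, and the stateful box is left with only the sessions that need real tracking.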
