
Re: I don't need no stinking firewall!
From: Joel Jaeggli <joelja () bogus com>
Date: Fri, 08 Jan 2010 13:40:49 -0800

bill from home wrote:
> This thread certainly has been educational, and has changed my
> perception of what an appropriate outward-facing architecture should be.
> But seldom do I have the luxury of designing this from scratch, and also
> the networks I administer are "small businesses".
> My question is: at what size connection does a state table become
> vulnerable? Are we talking 1 Mb DSLs with a SOHO firewall?

some numbers,

100Mb/s will carry 220Kpps worth of 64-byte packets; if this is a fairly
simple SYN attack and your firewall can support 100k new connections a
second (that's a fairly fast firewall), you need less than 50Mb/s to
nuke it... the maximum size of the state table on a Linux-derived system
with 4GB of RAM is north of a million connections, so assuming the
session rate of the DoS is trackable, your firewall needs to start aging
connections out in an accelerated fashion after about 4 seconds,
otherwise you're similarly hosed...

Given the same firewall can probably forward 2-3 Mpps when it comes to
small packets, you run out of state long before you run out of forwarding.

Some kind of firewall device that you might put in front of a business
cable connection or fractional ethernet is likely to support a much lower
connection rate; an embedded Pentium equivalent or low to mid-range MIPS
might support a rate of 2-10k connections per second, at which point the
threshold for DoSing it based on session rate is quite a bit lower
(quite a bit lower than that of a webserver or desktop PC, for example).
I.e. if 10kpps of DoS will take it out, that's like 5Mb/s on a device
that might otherwise be able to forward 300-500Mb/s interface to
interface using large packets.

> Or, as I suspect, are we talking about a larger scale?
> I know there are variables, I am just looking for a "rule of thumb".
> I would not want to recommend a change if it is not warranted.
> But when fatter and fatter pipes become available, at what point would a
> change be warranted?
>
> Bill Kruchas

> Dobbins, Roland wrote:
> > On Jan 8, 2010, at 3:21 PM, Arie Vayner wrote:
> >
> > > Further on, if you want to really protect against a real DDoS you
> > > would most likely have to look at a really distributed
> > > solution, where the different geographical load balancing solutions
> > > come into play.
> >
> > GSLB or whatever we want to call it is extremely useful from a general
> > availability standpoint; however, the attackers can always scale up
> > and really distribute their already-DDoS even further (they learned
> > about routeservers and DNS tinkering years ago).
> > Architecture, visibility, and control are key, as are
> > vendor/customer/peer/upstream/opsec community relationships.
> >
> > Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
> >
> >     Injustice is relatively easy to bear; what stings is justice.
> >
> >                         -- H.L. Mencken
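The arithmetic Joel walks through above (link rate to packets per second, connection setup rate to the bandwidth that saturates it, table size divided by arrival rate to the hold time at which entries must be aged out) is the same calculation a network operator does when sizing a stateful device for a given pipe. The script below is an added example, not code from the thread or from any vendor; the 100 Mb/s, 64-byte, 100k conn/s and ~1M-entry figures are Joel's, while the two device profiles and the 30-second half-open timeout are constructed illustrations of a "fast Linux box" and a "SOHO MIPS box", not measurements of any real product.

```python
"""State-table exhaustion arithmetic for a stateful firewall under a SYN flood.

Added example (not from the mailing-list thread).  A SYN flood creates one
half-open state entry per packet, so a stateful device is bounded by
(a) the rate at which it can create new entries, and
(b) table size divided by how long each half-open entry is held.
Steady-state occupancy follows Little's law: entries = arrival rate x hold time.
"""
from dataclasses import dataclass
from typing import Optional

BITS_PER_BYTE = 8
MIN_TCP_PACKET_BYTES = 64  # smallest frame size on the wire, the usual SYN-flood packet


def pps_for_link(link_mbps: float, packet_bytes: int = MIN_TCP_PACKET_BYTES) -> float:
    """Packets per second a link can carry at a fixed packet size (framing overhead ignored)."""
    return link_mbps * 1_000_000 / (packet_bytes * BITS_PER_BYTE)


def mbps_for_pps(pps: float, packet_bytes: int = MIN_TCP_PACKET_BYTES) -> float:
    """Bandwidth, in Mb/s, needed to deliver `pps` packets of `packet_bytes` each."""
    return pps * packet_bytes * BITS_PER_BYTE / 1_000_000


@dataclass
class Firewall:
    """Constructed capacity profile of a stateful device (illustrative values only)."""
    name: str
    conn_setup_per_s: int       # new connections per second the device can create
    table_entries: int          # maximum concurrent state entries
    halfopen_timeout_s: float   # how long an unanswered SYN entry is held before aging out


def bandwidth_to_saturate_setup(fw: Firewall) -> float:
    """Mb/s of minimum-size SYNs that exceeds the device's connection setup rate."""
    return mbps_for_pps(fw.conn_setup_per_s)


def seconds_to_fill(fw: Firewall, attack_pps: float) -> Optional[float]:
    """Time until the state table is full under `attack_pps` new entries/s.

    Returns None when aging keeps steady-state occupancy (rate x hold time)
    below capacity, i.e. the table never fills at this rate.
    """
    steady_state_entries = attack_pps * fw.halfopen_timeout_s
    if steady_state_entries <= fw.table_entries:
        return None
    return fw.table_entries / attack_pps


def max_halfopen_timeout(fw: Firewall, attack_pps: float) -> float:
    """Longest hold time at which `attack_pps` cannot fill the table (table / rate)."""
    return fw.table_entries / attack_pps


def assess(fw: Firewall, link_mbps: float) -> dict:
    """Summarise how a device fares against a full-rate 64-byte flood on `link_mbps`."""
    attack_pps = pps_for_link(link_mbps)
    return {
        "device": fw.name,
        "link_mbps": link_mbps,
        "flood_pps": attack_pps,
        # bandwidth at which setup rate alone is exceeded
        "mbps_to_saturate_setup": bandwidth_to_saturate_setup(fw),
        "setup_rate_exceeded": attack_pps > fw.conn_setup_per_s,
        # table exhaustion at the configured timeout, and the timeout that would avoid it
        "seconds_to_fill_table": seconds_to_fill(fw, attack_pps),
        "max_safe_halfopen_timeout_s": max_halfopen_timeout(fw, attack_pps),
    }


if __name__ == "__main__":
    # Constructed profiles: a fast Linux-class box and a low-end embedded MIPS box.
    fast_linux = Firewall("linux-4GB", conn_setup_per_s=100_000,
                          table_entries=1_000_000, halfopen_timeout_s=30.0)
    soho_mips = Firewall("soho-mips", conn_setup_per_s=5_000,
                         table_entries=65_536, halfopen_timeout_s=30.0)
    for fw, link in ((fast_linux, 100.0), (soho_mips, 10.0)):
        for key, value in assess(fw, link).items():
            print(f"{key:28s} {value}")
        print()
```

Reading the output for the fast profile reproduces the post's conclusion: 100k setup/s is exceeded at roughly 51 Mb/s of 64-byte packets, and with a million entries arriving at a few hundred thousand per second the table fills in a few seconds unless the half-open timeout is forced below the `max_safe_halfopen_timeout_s` figure, which is exactly the "accelerated aging" trade-off Joel describes (shorter timeouts also drop legitimate slow handshakes). For the SOHO profile the saturating bandwidth drops to single-digit Mb/s, well inside what a small business link can deliver.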

