Re: [fw-wiz] Firewalls that generate new packets..
- From: "Jerry B. Altzman" <jbaltz@xxxxxxxxxxx>
- Date: Wed, 28 Nov 2007 14:36:43 -0500
on 2007-11-28 08:21 Darden, Patrick S. said the following:
> No offense, but both of you are wrong.
> Properly configured, a simple firewall
> CAN prevent most DOS attacks.
I am really confused here. I've read BCP38 (which your paper obliquely
references). I guess you mean: if I have a firewall, I can prevent DOS
attacks from *originating from my network*, as opposed to what I see as
the more popular interpretation of "help you against DOS attacks" to
mean "mitigate the damage of DOS attacks inbound on my network".
> Check out this SANS bulletin on
> "Defeating DDOS". Yes, that is my
> name in the credits. Special task
> force back in 2000. Sigh, and still
> people don't know that you can use
> a simple firewall to defeat most
> DOS attacks... as long as you are
> protecting the world from YOUR
> network.
I can do all the source filtering I want, but if I'm receiving 500 Mpps
of DDOS, my firewall's gonna keel over and die. (Maybe I'm off by 10 dB
or so...)
Any plan of action that depends on the compliance of vendors and
everyone else on the Internet is...well, I'd love the IOS command that
would allow me to configure my neighbor's router.
> --p
//jbaltz
--
jerry b. altzman jbaltz@xxxxxxxxxxx www.jbaltz.com
thank you for contributing to the heat death of the universe.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards