This is a multi-part message in MIME format.
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Let's lower the testosterone, tease out the two discussions that are
running in parallel and find some useful points to share.

I hope we agree that:

1) stopping DDOS attacks directed AT you, from multiple (spoofed)
sources, is something few firewalls can do if the attack is
large/amplified/sustained. It's hard even with additional security
measures, and cooperation from upstream providers. If someone really
wants you badly and has the "connections" (pun intended) he can make
life pretty miserable for you irregardless of the firewall you use.
[Anycasting helped root name servers withstand DDOS amplification
attacks, perhaps this is promising for other applications.]

2) preventing hosts protected by a firewall you administer from acting
as sources for (1) is something firewalls can do (at least in a limited

My experience is that many firewall admins worry about (1) more than (2)
in part because DDOS attacks are familiar to the culture and the effects
of a DDOS attack directed at your organization often has a financial and
reputational impact. Only recently are botnets, fast flux hosting, and
other attacks earning "pop news" attention, so until recently, dedicated
and earnest security practitioners have encouraged (2).

Darren Reed wrote:
> Darden, Patrick S. wrote:
>> No offense, but both of you are wrong.
>> Properly configured, a simple firewall
>> CAN prevent most DOS attacks.
>> Check out this SANS bulletin on
>> "Defeating DDOS". Yes, that is my
>> name in the credits. Special task
>> force back in 2000. Sigh, and still
>> people don't know that you can use
>> a simple firewall to defeat most
>> DOS attacks... as long as you are
>> protecting the world from YOUR
>> network.
>> ....

> I see nothing in that article that explains how a firewall
> can be used to defend against a DOS (or DDOS) attack.
> All I see is how to avoid yourself from being used as the
> source of one - where source IP addresses are forged.
> When I've got an army of 100,000 pc's scattered around
> the globe ready to try and connect() to your web server
> (without spoofing an IP#), how does anything in that
> article help?
> Darren
> _______________________________________________
> firewall-wizards mailing list

Content-Type: text/x-vcard; charset=utf-8;
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;

fnavid Piscitello
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

firewall-wizards mailing list