This is a discussion on [fw-wiz] ***SPAM*** Re: Firewalls that generate new packets.. - Firewalls ; This is a multi-part message in MIME format. --------------010700000502080006020608 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Let's lower the testosterone, tease out the two discussions that are running in parallel and find some useful points to share. I hope we agree ...
This is a multi-part message in MIME format.
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Let's lower the testosterone, tease out the two discussions that are
running in parallel and find some useful points to share.
I hope we agree that:
1) stopping DDOS attacks directed AT you, from multiple (spoofed)
sources, is something few firewalls can do if the attack is
large/amplified/sustained. It's hard even with additional security
measures, and cooperation from upstream providers. If someone really
wants you badly and has the "connections" (pun intended) he can make
life pretty miserable for you irregardless of the firewall you use.
[Anycasting helped root name servers withstand DDOS amplification
attacks, perhaps this is promising for other applications.]
2) preventing hosts protected by a firewall you administer from acting
as sources for (1) is something firewalls can do (at least in a limited
My experience is that many firewall admins worry about (1) more than (2)
in part because DDOS attacks are familiar to the culture and the effects
of a DDOS attack directed at your organization often has a financial and
reputational impact. Only recently are botnets, fast flux hosting, and
other attacks earning "pop news" attention, so until recently, dedicated
and earnest security practitioners have encouraged (2).
Darren Reed wrote:
> Darden, Patrick S. wrote:
>> No offense, but both of you are wrong.
>> Properly configured, a simple firewall
>> CAN prevent most DOS attacks.
>> Check out this SANS bulletin on
>> "Defeating DDOS". Yes, that is my
>> name in the credits. Special task
>> force back in 2000. Sigh, and still
>> people don't know that you can use
>> a simple firewall to defeat most
>> DOS attacks... as long as you are
>> protecting the world from YOUR
> I see nothing in that article that explains how a firewall
> can be used to defend against a DOS (or DDOS) attack.
> All I see is how to avoid yourself from being used as the
> source of one - where source IP addresses are forged.
> When I've got an army of 100,000 pc's scattered around
> the globe ready to try and connect() to your web server
> (without spoofing an IP#), how does anything in that
> article help?
> firewall-wizards mailing list
Content-Type: text/x-vcard; charset=utf-8;
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926
Content-Type: text/plain; charset="us-ascii"
firewall-wizards mailing list