ddos / no connection tracking / tarpitting

Daniel Lopes lopsch at lopsch.com
Sat Apr 23 01:05:52 CEST 2005

R. DuFresne wrote:
> the only way to really survive a ddos without affecting connectivity in 
> any shape or form is to have a bigger pipe than the other end<s> does. 
> idiots trying to ddos from a cable connection or dialup are not a 
> problem and sufferable.  Those a tad higher in technical advancement 
> with a bot net and thousands of zombies to attack from are likely to bring 
> even the biggest pipes to a dead halt, at least getting in and out of 
> the firewall gateway is impossible.  Traffic on the inside should be 
> unaffected.
> I've suffered attacks with a firewall not doing connection tracking and 
> had no problems with either the firewall failing or suffering a reboot. 
> I have yet to suffer such an attack on a stateful firewall, but tend to 
> think I should suffer no less with such a firewall in place as opposed 
> to the older mere packet filters I've been replacing over time.  
> Course, it helps to have enough RAM in the firewall in the first place...
> pipe size and RAM, them be the keys to survival.
> Thanks,

That's the point. With professional DDoS attacks we are talking about 
people using their botnets and zombies, and in total they can reach a 
bandwidth beyond the Gbit border. Not really easy to handle such a packet 
storm ;).
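The RAM point made in the quoted mail is concrete on a stateful netfilter box: every tracked flow is an entry in the conntrack table, and once nf_conntrack_count reaches nf_conntrack_max the kernel drops new connections, which is exactly what a flood is trying to force. The script below is an added example, not something posted in this thread or shipped by the netfilter project: it sizes nf_conntrack_max from a memory budget and classifies the current table pressure. The per-entry cost (ENTRY_BYTES), the hash-bucket ratio (BUCKET_RATIO), the 1/8-of-RAM budget and the fallback sample counters are assumptions chosen for illustration; the sysctl and iptables names are real, the values suggested for them are starting points, not recommendations for any particular kernel.

```sh
#!/bin/sh
# Added example (not from the thread): conntrack table sizing and pressure
# check for a stateful netfilter firewall.  ENTRY_BYTES and BUCKET_RATIO are
# assumptions; measure the real per-entry cost on the target kernel with
# /proc/slabinfo before trusting the numbers.

ENTRY_BYTES=320   # assumed bytes per nf_conntrack entry (kernel/arch dependent)
BUCKET_RATIO=8    # assumed: hash buckets = nf_conntrack_max / BUCKET_RATIO, 8 bytes each
WARN_PCT=90       # warn when the table is this full (percent)

# Largest nf_conntrack_max that fits into RAM_BYTES/DIVISOR of memory.
# Each entry costs ENTRY_BYTES plus its share of an 8-byte hash bucket.
conntrack_max_for_ram() {
    ram_bytes=$1
    divisor=${2:-8}
    per_entry=$(( ENTRY_BYTES + 8 / BUCKET_RATIO ))
    echo $(( ram_bytes / divisor / per_entry ))
}

# Classify table pressure from nf_conntrack_count and nf_conntrack_max.
# At count >= max the kernel logs "nf_conntrack: table full, dropping packet"
# and refuses new flows: the DDoS failure mode the mail is talking about.
conntrack_pressure() {
    count=$1
    max=$2
    pct=$(( count * 100 / max ))
    if [ "$count" -ge "$max" ]; then
        echo full
    elif [ "$pct" -ge "$WARN_PCT" ]; then
        echo warn
    else
        echo ok
    fi
}

# Read live counters when the conntrack module is loaded; otherwise fall
# back to constructed sample values so the script runs anywhere.
conntrack_report() {
    proc=/proc/sys/net/netfilter
    if [ -r "$proc/nf_conntrack_count" ] && [ -r "$proc/nf_conntrack_max" ]; then
        count=$(cat "$proc/nf_conntrack_count")
        max=$(cat "$proc/nf_conntrack_max")
        src=live
    else
        count=61000; max=65536; src=sample     # constructed values
    fi
    ram_bytes=
    if [ -r /proc/meminfo ]; then
        ram_bytes=$(awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo)
    fi
    [ -n "$ram_bytes" ] || ram_bytes=$(( 1024 * 1024 * 1024 ))   # assume 1 GiB if unknown
    state=$(conntrack_pressure "$count" "$max")
    printf '%s: conntrack %s/%s (%s)\n' "$src" "$count" "$max" "$state"
    printf 'nf_conntrack_max affordable with 1/8 of %s bytes RAM: %s\n' \
        "$ram_bytes" "$(conntrack_max_for_ram "$ram_bytes")"
    if [ "$state" != ok ]; then
        cat <<EOF
Suggested mitigations (starting points, tune to your kernel and traffic):
  sysctl -w net.netfilter.nf_conntrack_max=$(conntrack_max_for_ram "$ram_bytes")
  sysctl -w net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
  sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
  # or keep the flooded service out of the state table entirely:
  iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
EOF
    fi
}

conntrack_report
```

Raising nf_conntrack_max only helps while the table still fits in RAM and the hash stays reasonably shallow; shortening the SYN_RECV timeout and using NOTRACK for traffic that does not need state are the cheaper levers, and none of them change the point made above that the pipe itself can still be saturated.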

More information about the netfilter mailing list