ddos / no connection tracking / tarpitting
lopsch at lopsch.com
Sat Apr 23 01:05:52 CEST 2005
R. DuFresne schrieb:
> the only way to really survive a ddos without affecting connectivity in
> any shape or form is to have a bigger pipe than the other end<s> does.
> idiots trying to ddos from a cable connection or dialup are not a
> problem and sufferable. Those a tad higher in technical advancement
> with a bot net and thousands of zombies to attack from are likely to bring
> even the biggest pipes to a dead halt, at least getting in and out of
> the firewall gateway is impossible. Traffic on the inside should be
>
> I've suffered attacks with a firewall not doing connection tracking and
> had no problems with either the firewall failing or suffering a reboot.
> I have yet to suffer such an attack on a stateful firewall, but tend to
> think I should suffer no less with such a firewall in place as opposed
> to the older mere packet filters I've been replacing over time.
> Course, it helps to have enough RAM in the firewall in the first place...
> pipe size and RAM, them be the keys to survival.
That's the point. With professional DDoS attacks we are talking about
people using their botnets and zombies, and in total they can reach a
bandwidth beyond the Gbit border. Not really easy to handle such packet