[funsec] so, is I[dp]S a STUPID technology?

Roland Dobbins rdobbins at cisco.com
Tue Oct 11 20:40:53 CDT 2005

I've an operational mindset; I care about things which are operationally feasible to deploy and maintain, which scale for large networks, and which are useful in an opsec context.

Boxes which maintain lots of state are not generally useful as DDoS protection mechanisms, as they're not optimized for it.  I've seen in-line IDS, firewalls, load-balancers, and so forth taken down by DoS traffic which wouldn't cause problems on a router or a switch, or a scrubber.  They simply aren't designed to handle it.

There are boxes which are designed specifically to handle DDoS.  I'm not a big fan of always-inline boxes, period; they complicate the troubleshooting matrix, they force symmetry into the topology where they're deployed, and they're performance bottlenecks.  Far preferable to use RTBH and/or to use sinkhole techniques to divert traffic of interest into the scrubber when needed, and then cease diversion when the incident has been handled.

On Oct 11, 2005, at 5:05 PM, Kyle Quest wrote:

> > To be clear, I don't do 'Cisco talk' - several vendors make scrubbing
> > boxes, just as several vendors (including Cisco) make firewalls and IDS.
> It sure does sound like it though... It's ok though. It's hard to avoid
> it once you're in the cisco mindset.
> > Small businesses can't rely upon in-line firewalls or IDS to defend
> > themselves against DDoS, either, in my experience.  Those are
> > primarily policy-enforcement devices, and irrespective of their other
> > possible merits, they generally aren't optimized for dealing with
> > DDoS (marketing claims aside).
> Maybe we're a little bit off on the definitions. Given that you
> haven't defined what in-line firewalls (are there such things
> as off-line firewalls I wonder :-] ) and in-line IDS are,
> it's hard for me to be completely subjective. Either way,
> I wasn't talking about those (if you're talking about what I'm
> thinking)...
> I was talking about specialized IPS systems designed to handle
> (D)DoS flood attacks. And if you meant those as well when you said
> "in-line firewalls or IDS", then I would have to disagree with you
> and suggest that you expand your "experience". There are indeed
> environments and deployments when a single (or an array of) in-line
> (D)DoS IPS systems work great at mitigating (D)DoS attacks and
> that's no marketing claim... Obviously, there are cases when they
> don't work well. I'm not claiming otherwise.
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things.

                       -- Doug Gwyn
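The RTBH trigger and scrubber-diversion workflow Roland describes, as an added example in Cisco IOS syntax. This is not part of his post and not vendor documentation; it is the usual skeleton of the technique, with every address and number a placeholder: AS 65000, the discard next-hop 192.0.2.1, the scrubber-facing next-hop 192.0.2.2, the victim 203.0.113.10, the route tags 666 (blackhole) and 777 (divert), and the peer-group name IBGP-PEERS are all assumed.

```cisco
! --- Every edge router: one-time preparation (assumed addressing) ---
! Any prefix whose BGP next hop resolves to 192.0.2.1 is discarded in hardware,
! so the edge never has to keep per-flow state for attack traffic.
ip route 192.0.2.1 255.255.255.255 Null0

! --- Trigger router: turn tagged static routes into iBGP announcements ---
! Tag 666 = drop at every edge; tag 777 = pull the prefix toward the scrubber.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
 set origin igp
route-map RTBH-TRIGGER permit 20
 match tag 777
 set ip next-hop 192.0.2.2
 set local-preference 200
 set community no-export
 set origin igp
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 ! the iBGP peers must receive the community so no-export is honoured
 neighbor IBGP-PEERS send-community

! --- During an incident, on the trigger router only ---
! Option A, blackhole: every edge now drops traffic to the victim /32.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
! Option B, diversion: every edge now forwards the victim /32 to the scrubber
! instead of dropping it (remove option A first if it was used).
ip route 203.0.113.10 255.255.255.255 Null0 tag 777

! --- After the incident: withdraw the trigger route and the /32 disappears ---
no ip route 203.0.113.10 255.255.255.255 Null0 tag 777
```

Two things the fragment does not show but a deployment needs. First, the /32 must be more specific than the victim's normal aggregate so it wins the lookup on every edge, and `no-export` keeps it from leaking to upstreams. Second, the scrubber has to hand cleaned traffic back toward the victim over a path (typically a GRE tunnel or a separate VRF) that does not itself resolve through the diverted /32, or the clean traffic loops straight back into the scrubber.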
