1) A properly configured FreeBSD router/firewall will handle 200k+ connections per second
2) Configure the firewall to proxy TCP hand-shakes, so your web servers don't get flooded with syn packets unless the hand-shake actually finishes
3) Mid-grade nginx web server will handle 70k+ requests/sec
4) Setup your DNS to round-robin to several web servers
Between your firewall and your webserver rules, you should be able to filter most obvious DDOS's. That which you can't filter, you'll just have to brute-force it and suck it up.
Your web servers can handle more requests than you have bandwidth, the next bottle-neck is your database.
There is not "silver bullet" like you said, but a properly designed system should be robust enough to leave your bandwidth your bottle-neck
Most web apps I see aren't designed to properly make use of SQL. It's like someone trying to shoe-horn procedural logic into a database. Gotta get your DB architect to work with the programmers.
A properly architected web app with a properly architected DB should be able to handle more requests than your bandwidth can handle.
The only real DDOS to worry about is a flood and you can't really stop that unless it's a simple up-stream change. Enough machines DDOS'n ping floods at you will take you down. Filter all you want at your router, you won't have the bandwidth. Would be too simple to filter up-stream. A bunch of random forged TCP packets will suck up your bandwidth. If the attack is well distributed, ain't not'n you can do about it.
There is not "Silver Bullet" like you said, but a properly designed system should have bandwidth as its bottle-neck
Dark Matter is the mysterious gravity, but Dark Energy is the repulsive force that they speculate is causing us to drift apart. From what I understand and read, Dark Matter is about 100% certain, but Dark Energy is closer still to a hypothesis.
They sold some, they licensed some. If they couldn't make use of some patents that MS really wanted, then selling them was a good strategy.
"We continue to hold a valuable patent portfolio as highlighted by the license we entered into with Microsoft"
"Well imagine a world in which technical DRM is about 10X stronger"
It wouldn't sell, they would go under. The "RedHat" business model would take over.
The first few times I use SpinRite was after I tried several other options. Several days of trying to recover user data, and SR did it effortlessly. All of the other options fell flat.
"large population of testimonials that prove that "it works"."
I've been out of IT for 4.5 years now, but we had brand-new computers coming through where spin-rite did raise them from the dead long enough to grab the data. We tried several name brand drive recovery tools and SR was the only useful one.
Outside of SSDs, I'm not sure how much has changed in ~5 years that spin-rite is useless. AHCI an issue?
Said company is actively ENCOURAGING the user to break a valid contract. I'm pretty sure that if the terms of employment require breaking legally binding contracts, someone can be sued.
"Oddly enough Lasik surgeries haven't gone up in price. It isn't covered by insurance."
While my insurance doesn't "cover" Lasik, I get about a 50% discount because of insurance negotiations with regional hospitals.
Hospitals price gouge, insurance companies get bulk near whole-sale rates, then insurance re-sells the same stuff back to the people for a price less than the hospitals.
Since many of our local hospitals are best in the nation, when people come from out of state, they effectively pay out-of-state costs, while in-state people get negotiated discounts.
Yay, free-market.
Our insurance company talked to us about why insurance rates are going up. It's the lack of people who actually have insurance. If people can't afford regular health-care, they put off going in to see the doctor. When they wait too long, it becomes critical. That person goes to the hospital and the hospital HAS to cover them. It's a 100% loss, so the hospital has to jack up the rates for "paying" customers.
As more people lose insurance, more and more people don't pay anything when they go to the hospital. Even worse, is when they finally do go, it costs more for the hospital to cover an emergency situation than it does to cover general check-ups.
Since we can't have hospital going under and they can't turn people away (mission statement and law), the state has to help subsidize them.
Here's a question for people to ponder. On average it costs tax payers about $250k for a couple to raise a child to 18. Then the kid goes on to college to get another $100k in debt. That is $350k right there. Then the kid gets a minor health issue, but no one wants to cover him because it might cost tax payers $500. The kid dies, then we're out $350k, plus any lost earning that kid would have made over their life-time. On average, letting people die to simple issues costs money.
In my economics class many years back, the teacher showed sources that in hospitals 50% of every dollar you spent went into overhead for paperwork. Medicare claims only had about 5% overhead. Universal Health Care would dramatically reduce the paper work, which seems to be half of the cost.
I am not saying you're argument is wrong, but it is a delicate balancing act.
Universal healthcare is the next step in social evolution, right after clean water and sewage. Everyone benefits from it, but it needs to be properly balanced.
"Having a transparent caching proxy easily saves a medium sized company 20-40% bandwidth"
Or they could setup the proxy settings on their machines. If you have control of your network devices, you don't require a "transparent" proxy, use a regular proxy.
Probably one of those many distributed P2P CA systems everyone has been talking about for the past few years. They come up every time a CA has an issue.
"The bufferbloat "movement" infuriates me because it's light on science and heavy on publicity." Of the articles I've read on it, they've been VERY heavy on science.
"merely shortening the buffers is definitely the wrong move" Who is saying this? The issue that I have read about talks about the HUGE difference in performances of different links. If you have a 10Gb card and have a 1Mb link, the buffers are grossly different in size. To fix TCP, we can't look at packet-loss, we need to look at latency.
The problem is "how" you discover the base latency for a path without the routers telling you and how that algorithm interacts with many streams. There are many cases TCP needs to cover. There are decent algorithms that are better than the current TCP, but no one wants to mass-deploy those changes before it becomes standard.
"With cable you don't know the conditions of the wire so this trick is impossible." You haven't worked with DOCSIS3.0+channel-bonding+CDMA. I get less latency and less jitter on my DOCSIS3 connection to my ISP than my mom's fiber connection. How your ISP implements your connection makes a HUGE difference.
Your main argument is great, they're actually the SAME argument these "bufferbloat" evangelists are preaching. So you are also part of the "bufferbloat movement" that you talked down about in your first sentence.
"If your TCP flow-control packets are subject to QoS prioritisation ( as they should be ) then bufferbloat is pretty much moot."
Are you saying backbone routers should implement QoS?
What about how TCP naturally harmonizes when too many connections start to build?
QoS doesn't solve the latency issue, it just pushes the latency down to the "lower priority" streams. It still doesn't solve the issue when thousands of TCP connections harmonize and ramp up all at the same time and fill a buffer until packet loss occurs for all streams, then suddenly all of the TCP connections collapse and the link went from over-utilized to under-utilized.
Steam is a convenience for control trade-off. For most people it is not an issue, but at least your point makes sense, unlike most other people just going "ZOMG DRM, Steam is horrible"
As much as you hate Steam's DRM, I hate purchasing physical media. To each their own.
"UNTIL they go to try it in few years and realise they cannot play"
We need a legal way to punish companies who do this kind of stuff. Any game that has a single player mode should be required to have a permanent offline mode that does not require activation, unless there is some game-breaking feature that is absolutely required for the core game-play that requires an internet connection. Achievements, friend's list, etc do not count.
The sales company should have some amount of responsibility to the customer past the sale. One could argue malicious intent or a bait an switch style thing. "here's a game that won't work". Like a car explicitly designed designed to kill itself. LEMON LAW!
Obviously my idea needs to be refined for words, but the "spirit" of the idea is understandable. There should be no "self destruct" mechanism. "My bicycle lost internet connection, so it refuses to work"
And Microsoft dumps billions into collaborative research. Many modern system designs from CPU to memory to IO to Networking were spear-headed by MS research. I can enjoy the stereotyping of MS as a soulless company that ships insecure products while adding nothing of value.
Some times we like to stereotype for fun. This is why Taantric said '[...]honour Steve Jobs with the "Borg"/. thumbnail'
Anyway, you can't deny that Apple got to 100bil without price gouging(aka ripping off) its customers. They may have a decent product, but they still over charge, which is also "evil". We just choose to focus on the evil MS does while also focusing on the good Apple does.
Apple pushes code upstream to FreeBSD. Apple doesn't have to worry about *having* to share code, but lets them choose which code to share. FreeBSD has benefited from this.
When you give money into a KickStarter project, you are in the exact same boat, except you aren't allowed to treat your donated money as an investment, outside of the good generated.
If they pass this, then at least I would have a *chance* at getting a return on my money. When given the choice between a $100 "donation" and a $100 "investment", but both ways I get a video-game out of it, I'll take the investment.
Most companies have coasted by with bad security practices, now they have to up their game. Boo f'n hoo.
CEOs tell us "sucks to be you, suck it up" when it comes to their monopolies. I say the same thing back at them. Actually employee decent programmer, engineers, admins, and managers. Quality > Quantity?!
1) A properly configured FreeBSD router/firewall will handle 200k+ connections per second
2) Configure the firewall to proxy TCP hand-shakes, so your web servers don't get flooded with syn packets unless the hand-shake actually finishes
3) Mid-grade nginx web server will handle 70k+ requests/sec
4) Setup your DNS to round-robin to several web servers
Between your firewall and your webserver rules, you should be able to filter most obvious DDOS's. That which you can't filter, you'll just have to brute-force it and suck it up.
Your web servers can handle more requests than you have bandwidth, the next bottle-neck is your database.
There is not "silver bullet" like you said, but a properly designed system should be robust enough to leave your bandwidth your bottle-neck Most web apps I see aren't designed to properly make use of SQL. It's like someone trying to shoe-horn procedural logic into a database. Gotta get your DB architect to work with the programmers.
A properly architected web app with a properly architected DB should be able to handle more requests than your bandwidth can handle.
The only real DDOS to worry about is a flood and you can't really stop that unless it's a simple up-stream change. Enough machines DDOS'n ping floods at you will take you down. Filter all you want at your router, you won't have the bandwidth. Would be too simple to filter up-stream. A bunch of random forged TCP packets will suck up your bandwidth. If the attack is well distributed, ain't not'n you can do about it.
There is not "Silver Bullet" like you said, but a properly designed system should have bandwidth as its bottle-neck
Dark Matter is the mysterious gravity, but Dark Energy is the repulsive force that they speculate is causing us to drift apart. From what I understand and read, Dark Matter is about 100% certain, but Dark Energy is closer still to a hypothesis.
They sold some, they licensed some. If they couldn't make use of some patents that MS really wanted, then selling them was a good strategy. "We continue to hold a valuable patent portfolio as highlighted by the license we entered into with Microsoft"
"Well imagine a world in which technical DRM is about 10X stronger" It wouldn't sell, they would go under. The "RedHat" business model would take over.
I leave my blinds/drapes open. Does that mean you can look through my windows?
Fixed that analogy for you. Now it works with data.
The first few times I use SpinRite was after I tried several other options. Several days of trying to recover user data, and SR did it effortlessly. All of the other options fell flat.
"large population of testimonials that prove that "it works"."
"so do homeopathic recipes."
"so does Linux" - "so does Spin rite"
One is different than the others.
I've been out of IT for 4.5 years now, but we had brand-new computers coming through where spin-rite did raise them from the dead long enough to grab the data. We tried several name brand drive recovery tools and SR was the only useful one.
Outside of SSDs, I'm not sure how much has changed in ~5 years that spin-rite is useless. AHCI an issue?
Said company is actively ENCOURAGING the user to break a valid contract. I'm pretty sure that if the terms of employment require breaking legally binding contracts, someone can be sued.
"Oddly enough Lasik surgeries haven't gone up in price. It isn't covered by insurance."
While my insurance doesn't "cover" Lasik, I get about a 50% discount because of insurance negotiations with regional hospitals.
Hospitals price gouge, insurance companies get bulk near whole-sale rates, then insurance re-sells the same stuff back to the people for a price less than the hospitals.
Since many of our local hospitals are best in the nation, when people come from out of state, they effectively pay out-of-state costs, while in-state people get negotiated discounts.
Yay, free-market.
Our insurance company talked to us about why insurance rates are going up. It's the lack of people who actually have insurance. If people can't afford regular health-care, they put off going in to see the doctor. When they wait too long, it becomes critical. That person goes to the hospital and the hospital HAS to cover them. It's a 100% loss, so the hospital has to jack up the rates for "paying" customers.
As more people lose insurance, more and more people don't pay anything when they go to the hospital. Even worse, is when they finally do go, it costs more for the hospital to cover an emergency situation than it does to cover general check-ups.
Since we can't have hospital going under and they can't turn people away (mission statement and law), the state has to help subsidize them.
Here's a question for people to ponder. On average it costs tax payers about $250k for a couple to raise a child to 18. Then the kid goes on to college to get another $100k in debt. That is $350k right there. Then the kid gets a minor health issue, but no one wants to cover him because it might cost tax payers $500. The kid dies, then we're out $350k, plus any lost earning that kid would have made over their life-time. On average, letting people die to simple issues costs money.
In my economics class many years back, the teacher showed sources that in hospitals 50% of every dollar you spent went into overhead for paperwork. Medicare claims only had about 5% overhead. Universal Health Care would dramatically reduce the paper work, which seems to be half of the cost.
I am not saying you're argument is wrong, but it is a delicate balancing act.
Universal healthcare is the next step in social evolution, right after clean water and sewage. Everyone benefits from it, but it needs to be properly balanced.
"Having a transparent caching proxy easily saves a medium sized company 20-40% bandwidth"
Or they could setup the proxy settings on their machines. If you have control of your network devices, you don't require a "transparent" proxy, use a regular proxy.
Probably one of those many distributed P2P CA systems everyone has been talking about for the past few years. They come up every time a CA has an issue.
I thought the opensource mentality was "stop your b!@#$%^g and fork it" /s
In all seriousness, they need a standard interface for plugins to... plug in to?
"The bufferbloat "movement" infuriates me because it's light on science and heavy on publicity."
Of the articles I've read on it, they've been VERY heavy on science.
"merely shortening the buffers is definitely the wrong move"
Who is saying this? The issue that I have read about talks about the HUGE difference in performances of different links. If you have a 10Gb card and have a 1Mb link, the buffers are grossly different in size. To fix TCP, we can't look at packet-loss, we need to look at latency.
The problem is "how" you discover the base latency for a path without the routers telling you and how that algorithm interacts with many streams. There are many cases TCP needs to cover. There are decent algorithms that are better than the current TCP, but no one wants to mass-deploy those changes before it becomes standard.
"With cable you don't know the conditions of the wire so this trick is impossible."
You haven't worked with DOCSIS3.0+channel-bonding+CDMA. I get less latency and less jitter on my DOCSIS3 connection to my ISP than my mom's fiber connection. How your ISP implements your connection makes a HUGE difference.
Your main argument is great, they're actually the SAME argument these "bufferbloat" evangelists are preaching. So you are also part of the "bufferbloat movement" that you talked down about in your first sentence.
"If your TCP flow-control packets are subject to QoS prioritisation ( as they should be ) then bufferbloat is pretty much moot."
Are you saying backbone routers should implement QoS?
What about how TCP naturally harmonizes when too many connections start to build?
QoS doesn't solve the latency issue, it just pushes the latency down to the "lower priority" streams. It still doesn't solve the issue when thousands of TCP connections harmonize and ramp up all at the same time and fill a buffer until packet loss occurs for all streams, then suddenly all of the TCP connections collapse and the link went from over-utilized to under-utilized.
QoS is just a band-aid.
Steam is a convenience for control trade-off. For most people it is not an issue, but at least your point makes sense, unlike most other people just going "ZOMG DRM, Steam is horrible"
As much as you hate Steam's DRM, I hate purchasing physical media. To each their own.
"UNTIL they go to try it in few years and realise they cannot play"
We need a legal way to punish companies who do this kind of stuff. Any game that has a single player mode should be required to have a permanent offline mode that does not require activation, unless there is some game-breaking feature that is absolutely required for the core game-play that requires an internet connection. Achievements, friend's list, etc do not count.
The sales company should have some amount of responsibility to the customer past the sale. One could argue malicious intent or a bait an switch style thing. "here's a game that won't work". Like a car explicitly designed designed to kill itself. LEMON LAW!
Obviously my idea needs to be refined for words, but the "spirit" of the idea is understandable. There should be no "self destruct" mechanism. "My bicycle lost internet connection, so it refuses to work"
And Microsoft dumps billions into collaborative research. Many modern system designs from CPU to memory to IO to Networking were spear-headed by MS research. I can enjoy the stereotyping of MS as a soulless company that ships insecure products while adding nothing of value.
Some times we like to stereotype for fun. This is why Taantric said '[...]honour Steve Jobs with the "Borg" /. thumbnail'
Anyway, you can't deny that Apple got to 100bil without price gouging(aka ripping off) its customers. They may have a decent product, but they still over charge, which is also "evil". We just choose to focus on the evil MS does while also focusing on the good Apple does.
Biases, gotta love them. They make us "human".
Apple pushes code upstream to FreeBSD. Apple doesn't have to worry about *having* to share code, but lets them choose which code to share. FreeBSD has benefited from this.
Apple still commits some changes in OSX back into FreeBSD. It is still Unix at its heart.
When you give money into a KickStarter project, you are in the exact same boat, except you aren't allowed to treat your donated money as an investment, outside of the good generated.
If they pass this, then at least I would have a *chance* at getting a return on my money. When given the choice between a $100 "donation" and a $100 "investment", but both ways I get a video-game out of it, I'll take the investment.
But the motivation determines if it is a crime in the first place.
Kill someone with malice, got to prison, kill someone in self defense, no prob.
Most companies have coasted by with bad security practices, now they have to up their game. Boo f'n hoo.
CEOs tell us "sucks to be you, suck it up" when it comes to their monopolies. I say the same thing back at them. Actually employee decent programmer, engineers, admins, and managers. Quality > Quantity?!
"What can you do?"
Sue? A publicly traded company should not be able to play favorites when it comes to license enforcement.
I wonder if a masters in CS from UW-Madtown might be "over qualified" for IT :P
Great for management I suppose.
UW.. b|atches!