I own an Information Security consulting firm. People pay us (very well) to hack into their networks, do onsite security assessments, do incident response, nail employees gone bad, fix their firewalls, roll out VPNs, and other such things.
A bad day at my company is better than a good day just about anywhere else.
Our line of work is the most fun... We get PAID to do what we love.
I'm in the security business. When trying to find chinks in the armor, I've done serious damage to checkpoint, pix, raptor, ipchains and other firewalls.
We've recently started rolling out Netscreen boxes for perimeter defense. They proxy the 3way tcp handshake and reliably deflect synflood, udpflood and pingflood attacks, among others. We can then use the flashier boxes with more bells and whistles to do more detailed inspection of what makes it through. We're deploying a good number of these becuase their ASIC architecture is so danged good at the wire level checks.
Of course, this doesn't help if you have 100MB of SYNs coming in across your T1, but they'll never make it through to the server to hog up it's resources.
If more of the backbone providers used a tiered approach to protecting their pipes, the DDoS kids would have a lot less success.
Steve
Slashdot Mirror
I own an Information Security consulting firm. People pay us (very well) to hack into their networks, do onsite security assessments, do incident response, nail employees gone bad, fix their firewalls, roll out VPNs, and other such things.
A bad day at my company is better than a good day just about anywhere else.
Our line of work is the most fun... We get PAID to do what we love.
http://www.networkarmor.com
Applicable to the DDoS problem.
I'm in the security business. When trying to find chinks in the armor, I've done serious damage to checkpoint, pix, raptor, ipchains and other firewalls.
We've recently started rolling out Netscreen boxes for perimeter defense. They proxy the 3way tcp handshake and reliably deflect synflood, udpflood and pingflood attacks, among others. We can then use the flashier boxes with more bells and whistles to do more detailed inspection of what makes it through. We're deploying a good number of these becuase their ASIC architecture is so danged good at the wire level checks.
Of course, this doesn't help if you have 100MB of SYNs coming in across your T1, but they'll never make it through to the server to hog up it's resources.
If more of the backbone providers used a tiered approach to protecting their pipes, the DDoS kids would have a lot less success. Steve