[AusNOG] Protecting Web Hosting environments - was Re: DDOS mitigation

Dobbins, Roland rdobbins at arbor.net
Tue May 14 11:50:08 EST 2013


On May 14, 2013, at 7:36 AM, Seamus Ryan wrote:

> You don't have to be load balancing a site to protect it, a VS with no pool/node members will proxy (and inspect) traffic for just about anything.

It's pretty easy to knock over most load-balancers due to their stateful nature; I've seen 60 seconds of 6kpps (yes, six, not sixty or six hundred or six million) of HOIC take down a supposed 10gb/sec hardware load-balancer, forcing a reboot which, all told, required more than 30 minutes to complete.

> And if you are filtering in, why not filter outbound as well?

Outbound policy enforcement, like inbound policy enforcement, should be accomplished via stateless ACLs in hardware-based routers or layer-3 switches.  There is absolutely no cause for stateful traffic inspection of inbound traffic destined for servers, much less outbound traffic originating from them, and much to be said against it per the above.

If one is intent upon utilizing a load-balancer, stateless network policy enforcement for inbound traffic should take place northbound of it, and outbound stateless policy enforcement southbound of it.  For Web servers, reverse-proxy caches should be deployed southbound of the inbound policy enforcement ACLs but northbound of any load-balancers.

Load-balancers must also be protected against DDoS via S/RTBH, IDMS, et al., just as if they were servers.  Self-protection (despite marketing assertions) won't cut it, due to the stateful nature of the devices themselves.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
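The stateless inbound and outbound ACL pair the post calls for, written out as an added example in Cisco IOS-style syntax (this is not configuration from the post or from Arbor; the 192.0.2.0/24 hosting prefix, the 198.51.100.53 resolver and the interface names are assumptions):

```cisco
! Added example (not from the post). Assumed RFC 5737 addressing:
! hosting prefix 192.0.2.0/24, resolver 198.51.100.53; interface names assumed.
! Nothing here keeps state: "established" only matches the ACK/RST flags, so the
! router's forwarding cost is per packet, not per session.

! Inbound policy, applied northbound of the caches and any load-balancer,
! on the edge router's upstream interface.
ip access-list extended HOSTING-IN
 remark drop packets claiming to come from our own prefix
 deny   ip 192.0.2.0 0.0.0.255 any
 remark only the offered services reach the hosting prefix
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 permit tcp any 192.0.2.0 0.0.0.255 eq 443
 remark replies to what the servers themselves initiated
 permit udp host 198.51.100.53 eq 53 192.0.2.0 0.0.0.255
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark keep path-MTU discovery working
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark final deny; add "log" only with ACL logging rate-limited, it is CPU work
 deny   ip any any
!
interface TenGigabitEthernet0/0
 description upstream
 ip access-group HOSTING-IN in

! Outbound policy, applied southbound of the load-balancer on the
! server-facing layer-3 interface (direction "in" = packets leaving servers).
ip access-list extended HOSTING-OUT
 remark server replies only: SYN-ACK and later segments carry ACK, so a
 remark compromised host cannot source SYN floods from port 80/443
 permit tcp 192.0.2.0 0.0.0.255 eq 80 any established
 permit tcp 192.0.2.0 0.0.0.255 eq 443 any established
 remark the only outbound-initiated traffic these servers need: DNS to our resolver
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq 53
 permit icmp 192.0.2.0 0.0.0.255 any echo-reply
 permit icmp 192.0.2.0 0.0.0.255 any packet-too-big
 remark everything else, including any spoofed source address, is dropped here
 deny   ip any any
!
interface Vlan100
 description server VLAN, southbound of the load-balancer
 ip access-group HOSTING-OUT in
```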
