[AusNOG] web App firewalls.

Andrew Fort afort at choqolat.org
Fri May 28 14:01:42 EST 2010


On Fri, May 28, 2010 at 1:40 PM, David Hughes <David at hughes.com.au> wrote:
>
> On 28/05/2010, at 1:20 PM, Peter J. Cherny wrote:
>
>> If the device is a LB e.g. Alteon or F5 ...
>> ... what state do you think it's tracking?
>>
>> I think terminology is getting in the way of understanding the
>> functionality.
>
> Well, any sort of load balancer by definition must keep track of where it's balanced the load.  Also, seeing as an LB is basically a NAT device, it's got a stack of state to remember.  If you fill the connection table on an LB or FW device the boxes behind it go off the air.  Sounds like a great way to DOS yourself :)
>

That having been said, there are most definitely load balancers used
in front of the highest volume sites you use every day, but they're
really there to do one thing: make the IP address(es) that were
offered to you via DNS fan out to many front-end machines.

In this environment, DDoS protection becomes part architecture (where
does your ingress traffic from particular sources or parts of the
Internet hit your frontends?), part software on your front-ends (e.g.,
send captchas or block prefixes at your clusters of front-ends based
on very limited state collection and back-end hinting, which due to
your architecture, will see similar sources) and a large helping of
operational foo.

-a
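The front-end piece Andrew describes (decisions taken per source prefix from very limited state, with a hint from the back-end, so that a cluster of front-ends seeing similar sources converges on the same answer) sketched as an added example in Python. This is not code from the post or from any load balancer or product named in the thread; the `backend_hint` field, the /24 aggregation, the bounded table size, the thresholds and the sample addresses are all assumptions made for the illustration.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample of front-end request records: (unix_time, client_ip, backend_hint).
# backend_hint is a hypothetical one-bit signal from the application tier
# ("ok" or "suspect"), standing in for the "back-end hinting" in the post.
SAMPLE_REQUESTS = [
    (1000, "203.0.113.10", "ok"),
    (1000, "203.0.113.11", "ok"),
    (1001, "203.0.113.12", "ok"),
    (1001, "203.0.113.13", "suspect"),
    (1002, "203.0.113.14", "ok"),
    (1002, "203.0.113.15", "suspect"),
    (1003, "203.0.113.16", "ok"),
    (1003, "198.51.100.7", "ok"),
    (1004, "198.51.100.7", "ok"),
    (1005, "192.0.2.1", "ok"),
    (1005, "192.0.2.2", "ok"),
    (1006, "192.0.2.3", "ok"),
    (1006, "192.0.2.4", "ok"),
]


class PrefixLimiter:
    """Per-/24 request counter holding a fixed number of tracked prefixes.

    State per prefix is a window start, a request count and a suspect count.
    When the table is full the least recently seen prefix is evicted, so the
    memory used is bounded no matter how many distinct sources show up; this
    is what keeps the front-end itself from becoming the connection-table
    bottleneck the thread warns about.
    """

    def __init__(self, max_prefixes=1024, window=10, challenge_at=4, block_at=2):
        self.max_prefixes = max_prefixes  # upper bound on tracked prefixes
        self.window = window              # seconds per counting window
        self.challenge_at = challenge_at  # requests/window before a captcha
        self.block_at = block_at          # suspect hints/window before a block
        self.table = OrderedDict()        # prefix -> [window_start, count, suspect]

    @staticmethod
    def prefix_of(ip):
        # Aggregate by /24 so state is kept per source network, not per host.
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def observe(self, now, client_ip, backend_hint):
        """Record one request and return the action for it: allow, captcha or block."""
        pfx = self.prefix_of(client_ip)
        entry = self.table.get(pfx)
        if entry is None or now - entry[0] >= self.window:
            entry = [now, 0, 0]  # start a fresh counting window
        entry[1] += 1
        if backend_hint == "suspect":
            entry[2] += 1
        # Re-insert so this prefix becomes the most recently used entry.
        self.table.pop(pfx, None)
        self.table[pfx] = entry
        while len(self.table) > self.max_prefixes:
            self.table.popitem(last=False)  # evict the least recently seen prefix
        if entry[2] >= self.block_at:
            return "block"
        if entry[1] >= self.challenge_at:
            return "captcha"
        return "allow"


def run(requests, **kwargs):
    """Feed request records through a limiter.

    Returns (final action per prefix as a dict keyed by prefix string,
    number of prefixes still held in the table).
    """
    lim = PrefixLimiter(**kwargs)
    last = {}
    for now, ip, hint in requests:
        last[str(lim.prefix_of(ip))] = lim.observe(now, ip, hint)
    return last, len(lim.table)


if __name__ == "__main__":
    actions, held = run(SAMPLE_REQUESTS)
    for pfx, action in actions.items():
        print(f"{pfx:18} {action}")
    print(f"prefixes tracked: {held}")
```

With the defaults, the 203.0.113.0/24 sample crosses the captcha threshold on its fourth request and is blocked once two back-end "suspect" hints have arrived, 192.0.2.0/24 reaches the captcha threshold, and 198.51.100.0/24 is left alone. Passing `max_prefixes=1` shows the bounded-state behaviour: the same decisions are reached while only one prefix is ever held.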
