
That's not strictly true. On the very high end, in products sold pretty much only to ISPs, you can get source address filtering for hundreds of thousands of sources for established connections, and you can get SYN proxying to have the head-end complete the 3WH before your downstream connection ever sees those SYNs.


From my experience at ISPs, they tend to be very cost conscious, and far more likely to use a NIX box to do this sort of thing. ISPs are generally competing in a comparatively low-margin market. Usually it's the large corporations with less NIX knowledge (and someone else's money to spend) where I see the really high-end firewall/proxy/load balancer gear.


Your experience conflicts sharply with mine; maybe you're thinking about a different tier of ISP.


OpenBSD has synproxy

http://www.openbsd.org/faq/pf/filter.html#synproxy

and uRPF

http://www.openbsd.org/faq/pf/filter.html#urpf

which sounds a lot like the features you describe.
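As an added illustration (not part of the thread, and not taken from the linked OpenBSD FAQ pages), here is a minimal pf.conf fragment that enables both of the features named above. The interface name `em0` and the server address `192.0.2.10` are placeholders chosen for the example.

```pf
# Placeholder names for this example
ext_if = "em0"
web_srv = "192.0.2.10"

# uRPF: drop any inbound packet whose source address would not be routed
# back out the interface it arrived on. This is a strict reverse-path
# check, so it belongs only on interfaces with symmetric routing.
block in quick from urpf-failed label "urpf-failed"

# SYN proxy: PF answers the client's SYN and completes the three-way
# handshake itself; the server only sees the connection once it is
# fully established. Incomplete handshakes (classic SYN flood traffic)
# never reach $web_srv.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -s info` (state counters) and `pfctl -s labels` to confirm the uRPF rule is actually catching packets. Two caveats worth keeping in mind: the strict uRPF check in PF will drop legitimate traffic on an interface with asymmetric routing, and synproxy only makes sense for inbound rules toward services you run, since PF is then holding handshake state for every client that connects.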


Yes, now do that at several million packets per second.


Ah. Sorry. I was under the impression that this was a sub-100 Mbps attack.



