On 23/10/2007, Tony Sarendal  wrote:

quoted text
> On 10/23/07, Henning Brauer  wrote:

> >

> > * Tony Sarendal  [2007-10-22 18:33]:

> > > I didn't get that opinion from marketing.

> > > No matter, we disagree, lets leave it at that.

> >

> > well, yeah, nontheless, I wanna point out the essence why stateful is

> > better (the way we do it in OpenBSD):

> >

> > 1) it moves the limit where the box starts to suffer from overload quite

> >    far, or, in other words, the box can handle a much larger amount of

> >    traffic before it starts to drop stuff. thus it can withstand bigger

> >    amounts of (D)DoS too.

> > 2) once it gets to that point, it is more selective in dropping packets

> >    than a stateless box, as it prefers established connections. this

> >    behaviour cannot be valued enough in (D)DoS type of situations.

>

>

> I wish to implement things in a way where the link is the limitation,

> not the box. But there is no point in re-doing that discussion.

>

> When I have some time free I'll test it in the lab to see that difference in

> behaviour.

I know very little, but I would like to note that some providers (

http://www.rayservers.com/ddos-protection ) deploy OpenBSD with the

express purpose of offering dDoS protection. That has to count for

something.
OTOH, Henning's word alone would be enough for me, because AFAIK

Henning wrote actual pertinent code and knows darn friggin well what

he's talking about. Did you contribute as much code to OpenBSD/pf as

Henning? Are you sure your understanding is deeper than his? (No

offense, by the way, all in good humour.)
Cheerio,

--ropers