I can see the benefit of splitting off the web server in the case of a DDOS attack, but from the perspective of the users of your web site the application is still down even if the back end app and db server are still running. They can't respond to any requests because they don't get any. So on one physical system or two the application is down and will not be back up until the DDOS attack stops.
Of course this is just one possible attack but for many others the result is the same. The backend server may be protected but if it can't be accessed because the web server component is down.
-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich
Sent: Wednesday, May 13, 2009 7:32 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] More on iSeries web apps and security
> but it seems to me that the best defence is to stop DDOS attacks at a
> network level, using routers and firewalls

No argument, but it depends on the DDOS attack. Fair enough, 50K people doing 1/2 opens should be noticed by a _good_ firewall (how many have _good_ firewalls?) but what about 50K people issuing valid HTTP requests for http://yoursite/fakefile.jsp? Harder to see. Point is, we can come up with a response to anything they throw at us (probably), but they have to throw it first. Do _you_ want to be the one that says "Gee sorry, we didn't think of that"?
-Walden
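
Added example, not part of the original thread: a sketch of how the "valid HTTP requests for a nonexistent file" case can be spotted in web server access logs even though each client sends too few requests to trip a per-client rate limit. It assumes Common Log Format; the function names, threshold, window and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def flood_candidates(lines, min_clients=5, window_s=60):
    """Return {(window_start, path): distinct_clients} for missing paths
    requested by at least min_clients different addresses in one window."""
    clients = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "404":
            continue  # only requests for resources that do not exist
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        bucket = int(ts.timestamp()) // window_s * window_s
        path = m["path"].split("?", 1)[0]  # ignore varying query strings
        clients[(bucket, path)].add(m["ip"])
    return {k: len(v) for k, v in clients.items() if len(v) >= min_clients}

def max_requests_per_client(lines):
    """Highest request count from any single address (what a per-IP limit sees)."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if m:
            counts[m["ip"]] += 1
    return max(counts.values(), default=0)

def sample_log():
    """Constructed log: 8 clients each request the same missing file once,
    mixed with ordinary traffic that includes unrelated 404s."""
    lines = [
        f'198.51.100.{i + 1} - - [13/May/2009:19:30:{i:02d} -0400] '
        f'"GET /fakefile.jsp?x={i} HTTP/1.1" 404 210'
        for i in range(8)
    ]
    lines.append('203.0.113.7 - - [13/May/2009:19:30:10 -0400] "GET /index.jsp HTTP/1.1" 200 5120')
    lines.append('203.0.113.7 - - [13/May/2009:19:30:12 -0400] "GET /favicon.ico HTTP/1.1" 404 210')
    lines.append('203.0.113.9 - - [13/May/2009:19:30:15 -0400] "GET /old-page.html HTTP/1.1" 404 210')
    return lines

if __name__ == "__main__":
    print("busiest single client:", max_requests_per_client(sample_log()))
    for (start, path), n in flood_candidates(sample_log()).items():
        print(f"{n} distinct clients requested missing {path} in window {start}")
```

Grouping by path across clients is what exposes the pattern: the busiest single address in the sample is the ordinary visitor, not any of the flooding clients.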