1. Thousands of servers? My largest client has about 10K desktops, but no more than 40 servers in its largest data center. Astaro IPS will catch this just fine.
A colocation room in a large datacenter can host thousands of servers. I know: the one we're using for our hosted services does.
2. The goal is to prevent the attack in the first place, not to minimize its effect. My question is why the IntelliGuard doesn't prevent the access that allows modification of the webpage in the first place.
Since you're on the receiving end, there is nothing you can do to prevent such an attack. You can only try to mitigate it.
5. I'm not sure I understand the issue. If there are so many packets that the pipe is fully used, dropping them at the speed of the pipe won't allow "good" traffic through.
The network security system has to analyze each packet separately This means that, even without using the complete available bandwidth, you can still overload the security device by sending small packets. If you're doing deep packet inspection, the situation can grow even worse since the security device will have to remember the state of the session until it has enough of the payload data to make a decision about whether to drop it or forward it.
Also, remember that a network security device typically has to protect many systems. This means that it might have to do a LOT more work than any of the individual machines behind it to recompose a packet, requiring more memory, CPU time and internal bandwidth. An attack made of lots and lots of very small TCP packets forming valid HTTP requests sent to a number of web sites hosted behind a single security device can very well force it to drop legitimate packets to process the flood. Since these packets will be retried, legitimate clients will also participate in the DOS because they will send more packets for the same query.
The alternate appliance promoted doesn't seem relevant to the average Astaro user, the small to mid-sized enterprise and the advanced home user. At its high price it targets a different kind of network, and the device is a single purpose device. There may be value in putting such a device in front of a UTM solution, but in the large enterprise datacenter environment where it would seem to fit- there are already superior alternate solutions which are not a single-purpose point solution. (Forgive me for not promoting them by name, some also compete in the SMB UTM market).
Also, the attack by "a few zombies" is theoretically interesting, but with the resurgence of Storm (remember a few months ago when MS told us their MRST had "killed" Storm- yeah, I didn't believe it, either) and appearance of many newer botnets, there are now more bots available than ever. The global economic situation has also hit the underground, large botnet rental rates are anecdotally the cheapest they have ever been- if an attacker wishes to take someone off the Internet the surest way is to simply fill the pipe and not worry about defenses. Back to the ISP (and your relationship with them) here to have any hope of addressing it. As far as the perimeter security device being exposed to more traffic and attacks than any individual device behind it- absolutely true and one of the reasons the systems have to be sized appropriately for the environment.
To flip the question, how well does the proposed alternative handle web and email content filtering, VPN, QoS, uplink failover, HTTPS inspection (7.4), IM/P2P management, WAN load balancing and traffic prioritization (7.4), etc.?
Channeling my inner redneck, let me sum it up this way: I wouldn't ask my coonhound to catch mice, nor would I ask my cat to tree a raccoon.
I think it is fair to point out that Mr. Baker is the founder and CEO of IntelliGuard.
I would expect him to be proud of his company and their product line, but I do not believe this is the most appropriate method or venue for promotion of either.
