My point is, any finite limit can be exceeded. In days of old, it was state tables and file descriptors. Now it's bandwidth. Filtering doesn't matter once the packet has traveled down your finite link to your packet filter. That bandwidth has been used, and denied service to a legitimate user that wanted his packet to go to your server.
Mostly, you're right, it comes down to luck. Attackers don't get the chance to do a daily dev / qa / release cycle. They write something, push it to a bunch of users who hate Amazon and Paypal today, and that's the end of it. If they wrote good code, the attack will be good. If they need to tweak something, they missed the opportunity.
That's what's saving everyone here -- luck.