Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    90 Million Max Firewall States Possible?

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 4 Posters 945 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      MasterCyrex
      last edited by

      Hello, I've done some brief testing with 20 million maximum firewall states on pfsense and it seems to work fine but the 4 core cpu that was assigned to the pfsense vm didn't cut it, instead it was constantly crashing pfsense when i was stressing with a 20 GBPS attack i think because the cpu is being overloaded. The max firewall states is set at 20,000,000
      I was wondering if i could do the same thing with 96gb of ram and a 12 core cpu, and would the cpu be sufficient?

      1 Reply Last reply Reply Quote 0
      • H Offline
        Harvy66
        last edited by

        Depends on the attack. FreeBSD has some O(nm) algorithms that can effectively create an O(n^2) situation. 90mil^2 = 8,100,000,000,000,000 operations. Assuming one cycle average per operation, that's 675,000 seconds or 7.8days of work for a quad-core 3ghz system. And with these events occurring at a rate of (20Gb/s)/64bytes=39,062,500/sec, you will acquire 834,760 days of computational work in one second. Even if they got the algorithm to O(n), you're still talking about 914 days of work per second. Even O(log n) would be 3 days of work per second. Anything less than O(1) will probably have issues with 90mil states.

        On the other hand, most of FreeBSD's network algorithms are O(1), but an attacker worth their salt won't be attacking these, they'll be going after the painful ones.

        1 Reply Last reply Reply Quote 0
        • M Offline
          MasterCyrex
          last edited by

          @Harvy66:

          Depends on the attack. FreeBSD has some O(nm) algorithms that can effectively create an O(n^2) situation. 90mil^2 = 8,100,000,000,000,000 operations. Assuming one cycle average per operation, that's 675,000 seconds or 7.8days of work for a quad-core 3ghz system. And with these events occurring at a rate of (20Gb/s)/64bytes=39,062,500/sec, you will acquire 834,760 days of computational work in one second. Even if they got the algorithm to O(n), you're still talking about 914 days of work per second. Even O(log n) would be 3 days of work per second. Anything less than O(1) will probably have issues with 90mil states.

          On the other hand, most of FreeBSD's network algorithms are O(1), but an attacker worth their salt won't be attacking these, they'll be going after the painful ones.

          So what would be the best solution to my problem, would i need alot more processing power, a better cpu? Would it still prevent at least a 60gpbs ddos attack with 90 Million states and 12 cores? All i'm looking to withstand is DNS, SSYN, NTP, Chargen attack

          1 Reply Last reply Reply Quote 0
          • H Offline
            heper
            last edited by

            you don't want any software firewall to handle ddos. you need specialized hardware for this & is best dealt with upstream.

            imho its a waste of time & money to even attempt this with pfSense

            1 Reply Last reply Reply Quote 0
            • H Offline
              Harvy66
              last edited by

              @MasterCyrex:

              @Harvy66:

              Depends on the attack. FreeBSD has some O(nm) algorithms that can effectively create an O(n^2) situation. 90mil^2 = 8,100,000,000,000,000 operations. Assuming one cycle average per operation, that's 675,000 seconds or 7.8days of work for a quad-core 3ghz system. And with these events occurring at a rate of (20Gb/s)/64bytes=39,062,500/sec, you will acquire 834,760 days of computational work in one second. Even if they got the algorithm to O(n), you're still talking about 914 days of work per second. Even O(log n) would be 3 days of work per second. Anything less than O(1) will probably have issues with 90mil states.

              On the other hand, most of FreeBSD's network algorithms are O(1), but an attacker worth their salt won't be attacking these, they'll be going after the painful ones.

              So what would be the best solution to my problem, would i need alot more processing power, a better cpu? Would it still prevent at least a 60gpbs ddos attack with 90 Million states and 12 cores? All i'm looking to withstand is DNS, SSYN, NTP, Chargen attack

              If you can accord 8,451,945,000,000,000,000 quad core 3ghz CPUs to process that 64Gb/s of line rate DDOS, go for it. Personally, I don't have 8 Sextillion dollars burning a hole in my pocket.

              In case you're wondering
              Billion, Trillion, Quadrillion, Quintillion, Sextillion

              DDOS will continue to hurt until they get some O(1) algorithms.

              1 Reply Last reply Reply Quote 0
              • jimpJ Offline
                jimp Rebel Alliance Developer Netgate
                last edited by

                A firewall is not a DDoS mitigation device. Some cases can be helped by a firewall, but as has been mentioned, it's a problem best solved upstream or with specialized hardware that is dedicated only to DDoS mitigation.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.