Nope. Services like Cloudflare use a global load-balancing system to help protect their clients. Anyone selling something can make all the claims they want, but you're not going to mitigate a large DDoS attack with pfSense and a single puny WAN link. It doesn't matter how big or how smart your doorman is, if he has to cope with a million people per second trying to get in your door, it's chaos all round.
-
@KOM:
Nope. Services like Cloudflare use a global load-balancing system to help protect their clients. Anyone selling something can make all the claims they want, but you're not going to mitigate a large DDoS attack with pfSense and a single puny WAN link. It doesn't matter how big or how smart your doorman is, if he has to cope with a million people per second trying to get in your door, it's chaos all round.
Ha. I like it. :)
-
Yes, but what if you used RTBH with it? Large UDP floods could be stopped, correct? Other question: fastnetmon is also open source and free, and he claims to push extreme bandwidth through it. Does it seem as if fastnetmon works? http://www.lowendtalk.com/discussion/43473/open-source-ddos-dos-monitoring-toolkit-fastnetmon
It doesn't do what you think it's doing. fastnetmon is only watching traffic and detecting attacks; it's not pushing, routing or blocking anything. It probably misses a bunch of attack traffic, but that's fine given it's a flood and it doesn't need everything, or even a majority of the traffic, to detect attacks. It feeds routers with RTBH. If you feed a really, really fast router with it, that router can drop the traffic in question up to Mpps like he says, no problem. But it's dropping everything to the destination IP in question; it's just a means of automatically null routing an attacked IP to keep it from affecting other things on your network.
Also, I only want to know about the capabilities of the hardware and software involved. Let's pretend we have a 10 Gbps line and that an attacker can only send 8-9 Gbps :)
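To make the detect-then-null-route workflow from the reply above concrete, here is a toy model I added; it is not fastnetmon's code or anything from pfSense. It assumes 1:1000 packet sampling on the edge router, a per-destination trigger of 100k pps, and the RFC 7999 BLACKHOLE well-known community 65535:666 on the announced /32; all traffic is constructed. The point it shows is twofold: a sampled view is enough to spot a 9 Gbps flood, and once the /32 is blackholed the router drops legitimate traffic to that host along with the flood.

```python
"""Toy model of sampled-flow DDoS detection feeding RTBH (remote-triggered
black hole).  Added example, not fastnetmon's or pfSense's code; all traffic
below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
import random

SAMPLE_RATE = 1000                # assumed 1:1000 packet sampling on the edge router
WINDOW_SECONDS = 1                # aggregation window the samples cover
PPS_THRESHOLD = 100_000           # assumed per-destination trigger, packets/second
BLACKHOLE_COMMUNITY = "65535:666" # BLACKHOLE well-known community (RFC 7999)


@dataclass
class Sample:
    """One sampled packet header, as a router's sampling export would deliver it."""
    dst: str
    src: str
    proto: str
    length: int


def estimate_rates(samples, window=WINDOW_SECONDS, sample_rate=SAMPLE_RATE):
    """Scale sampled packets back up to estimated (pps, bps) per destination IP."""
    pkts, byts = defaultdict(int), defaultdict(int)
    for s in samples:
        pkts[s.dst] += 1
        byts[s.dst] += s.length
    return {dst: (pkts[dst] * sample_rate / window,
                  byts[dst] * 8 * sample_rate / window) for dst in pkts}


def detect(samples, threshold=PPS_THRESHOLD):
    """Destination IPs whose estimated pps exceeds the trigger threshold."""
    rates = estimate_rates(samples)
    return sorted(dst for dst, (pps, _) in rates.items() if pps > threshold)


def blackhole_route(dst):
    """The /32 announcement an RTBH trigger hands to the router (toy form)."""
    return {"prefix": f"{dst}/32", "community": BLACKHOLE_COMMUNITY}


@dataclass
class Router:
    """Forwarding plane: anything to a blackholed /32 is discarded, good or bad."""
    blackholed: set = field(default_factory=set)

    def announce(self, route):
        self.blackholed.add(route["prefix"].split("/")[0])

    def forward(self, dst, src):
        """True if the packet would be forwarded, False if null-routed."""
        return dst not in self.blackholed


def make_samples(seed=1):
    """Constructed sample set: ~5k pps of legitimate TCP to two hosts, plus a
    1500-byte UDP flood of ~750k pps (about 9 Gbps) against one of them."""
    rng = random.Random(seed)
    samples = []
    for host in ("192.0.2.10", "192.0.2.20"):
        for _ in range(5):   # 5 samples at 1:1000 -> ~5,000 pps estimated
            samples.append(Sample(host, f"198.51.100.{rng.randint(1, 254)}", "tcp", 600))
    for _ in range(750):     # 750 samples -> ~750,000 pps, ~9 Gbps of 1500-byte UDP
        spoofed = f"{rng.randint(1, 223)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        samples.append(Sample("192.0.2.10", spoofed, "udp", 1500))
    return samples


def run_demo():
    samples = make_samples()
    router = Router()
    for victim in detect(samples):
        router.announce(blackhole_route(victim))
    return {
        "rates": estimate_rates(samples),
        "blackholed": sorted(router.blackholed),
        # legitimate client to the attacked host is now dropped too (collateral)
        "legit_to_victim_forwarded": router.forward("192.0.2.10", "198.51.100.5"),
        "legit_to_other_forwarded": router.forward("192.0.2.20", "198.51.100.5"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The estimated rate for 192.0.2.10 comes out at 755k pps and roughly 9.0 Gbps from only 755 samples, which is why sampling is enough for detection; the `legit_to_victim_forwarded` result is the cost the reply describes: the attacked IP goes dark for everyone until the route is withdrawn.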
For the usual large UDP packet flood, something like an XG-1540 could block 8-9 Gbps of 1500-byte UDP packets without a significant impact. That type of attack is easier to handle, though, outside the bandwidth exhaustion issues.
You'll quickly find yourself in trouble if you're trying to mitigate DDoS with any stateful firewall, especially if you're passing the traffic.
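The reply's point about stateful firewalls is easiest to see with a small simulation, which I added here; it is not pf or pfSense code and uses a constructed flood. It assumes a state table capped at 10,000 entries with no expiry during the simulated window, a spoofed UDP flood where every packet is a fresh 5-tuple, and a stateless deny rule that matches the flood by protocol and destination. It shows why a stateful filter, even one that is only passing traffic, loses legitimate new connections once the table fills, while a stateless rule keeps no state and simply drops the flood per packet.

```python
"""Stateful vs stateless filtering under a spoofed flood.  Added example with
constructed traffic; not pf/pfSense code.  State expiry is ignored, which is
a fair approximation over the one second the flood fills the table."""


class StatefulFilter:
    """Creates a state entry for every new 5-tuple it passes (as pf does for
    TCP and UDP); once the table is full, new flows cannot be admitted."""

    def __init__(self, max_states):
        self.max_states = max_states
        self.states = set()
        self.rejected_new = 0

    def packet(self, key):
        if key in self.states:              # existing flow: pass
            return True
        if len(self.states) >= self.max_states:
            self.rejected_new += 1          # table full: new flow refused
            return False
        self.states.add(key)                # new flow: costs one state entry
        return True


class StatelessFilter:
    """A plain ACL: decides per packet from the header alone, keeps no memory."""

    def __init__(self, deny):
        self.deny = deny

    def packet(self, key):
        return not self.deny(key)


def flood_key(i):
    """Unique spoofed 5-tuple for packet i: random-looking source, UDP to the victim."""
    src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed, unique per i
    return ("udp", src, 1024 + (i % 60000), "192.0.2.10", 9999)


def legit_key(j):
    """A legitimate new TCP client connection to the same host."""
    return ("tcp", f"198.51.100.{j % 254 + 1}", 40000 + j, "192.0.2.10", 443)


def simulate(max_states=10_000, flood_packets=50_000, legit_attempts=100):
    """Run the flood through both filters, then try legitimate new connections."""
    stateful = StatefulFilter(max_states)
    # deny rule for the flood as seen in the headers: UDP to the attacked host
    stateless = StatelessFilter(lambda k: k[0] == "udp" and k[3] == "192.0.2.10")

    results = {}
    for name, fw in (("stateful", stateful), ("stateless", stateless)):
        flood_passed = sum(fw.packet(flood_key(i)) for i in range(flood_packets))
        legit_accepted = sum(fw.packet(legit_key(j)) for j in range(legit_attempts))
        results[name] = {"flood_passed": flood_passed,
                         "legit_accepted": legit_accepted}
    results["stateful"]["states_in_table"] = len(stateful.states)
    results["stateful"]["rejected_new_flows"] = stateful.rejected_new
    return results


if __name__ == "__main__":
    for name, r in simulate().items():
        print(name, r)
```

With these numbers the stateful filter admits the first 10,000 flood packets as flows, fills its table, and then refuses every legitimate connection that follows; the stateless rule passes all 100 legitimate connections and none of the flood. Real state tables do expire entries, but a flood that creates new 5-tuples faster than they time out holds the table full for as long as the flood lasts.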