ISP DDoS Protection

  • I work for an ISP company, and for the last 2 days our SSG network has been under DDoS attack and users are complaining about very slow Internet access with a high packet drop rate. We have been using pfSense for the IPsec VPN connection between the ISP and the main telecom company, and now we need to put the whole network behind a firewall, if it is possible, to protect the network from DDoS attacks. Can we use pfSense for this job, and what firewall rules should we add?


  • LAYER 8 Netgate

    A firewall is not any protection against DDoS.

  • Thanks Derelict,

    I think we need not firewall rules but policy rules for DDoS.

  • You need your upstream provider to help you mitigate the attack.

    Have you been in contact with them?

  • Hi chpalmer,
    Yes, but their DDoS protection service is too expensive; they ask for 2000 dollars per month.

  • LAYER 8 Netgate

    If your pipe is full, it is full. There is nothing you can do about that after the traffic is already in the pipe.

  • This seems to be a very popular misconception -- that a firewall at the endpoint can stop or mitigate a DDoS attack.

    A little bit of Google research, if you are new to network protection and security, would go a long way toward understanding what a DDoS actually is, what the symptoms are and where it must be remediated.

    Hint -- it's not with a firewall at your end of the connection. It's at your ISP's end of the connection, and if you are an ISP, it's at the higher tier ISP or bandwidth provider's endpoint that you are connected to for your Internet connection. Your upstream provider has to stop putting the DDoS traffic into your connection pipe. Once all those DDoS packets are in your Internet pipe, as @Derelict said, your pipe is full and that's that -- nothing a firewall at your end can do then.
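A small model of the point made in this thread, added here as an illustration (not code from any poster): a saturated uplink drops legitimate and attack packets alike before they ever reach the edge firewall, so even a firewall that discards every attack packet cannot give users back their bandwidth; only filtering upstream does. The link capacity, user load and flood size below are constructed numbers, and proportional tail drop on the uplink is an assumption.

```python
"""Model of a flooded uplink with and without upstream filtering.

Assumption: the upstream link tail-drops excess offered load without regard
to source, so legitimate and attack traffic are cut by the same share.
All rates are in Mbit/s.
"""


def delivered_on_link(link_mbps, legit_mbps, attack_mbps):
    """Return (legit, attack) traffic that actually crosses the uplink."""
    offered = legit_mbps + attack_mbps
    if offered <= link_mbps:
        return legit_mbps, attack_mbps
    share = link_mbps / offered          # fraction of each flow that survives
    return legit_mbps * share, attack_mbps * share


def legit_throughput(link_mbps, legit_mbps, attack_mbps, upstream_filters):
    """Legitimate traffic reaching users behind the edge firewall.

    The edge firewall is assumed to drop 100% of attack packets that reach
    it (best case). It cannot recover packets the uplink already dropped.
    """
    if upstream_filters:
        attack_mbps = 0.0                # attack never enters the pipe
    legit_out, _attack_out = delivered_on_link(link_mbps, legit_mbps, attack_mbps)
    return legit_out


def legit_loss_rate(link_mbps, legit_mbps, attack_mbps, upstream_filters):
    """Fraction of legitimate traffic lost, i.e. what users experience."""
    delivered = legit_throughput(link_mbps, legit_mbps, attack_mbps, upstream_filters)
    return 1.0 - delivered / legit_mbps


if __name__ == "__main__":
    # Constructed scenario: 1 Gbit/s uplink, 300 Mbit/s of real user traffic,
    # 5 Gbit/s flood arriving from the upstream side.
    link, users, flood = 1000.0, 300.0, 5000.0
    for filtered in (False, True):
        where = "upstream filters" if filtered else "edge firewall only"
        print(f"{where:20s}: users get {legit_throughput(link, users, flood, filtered):6.1f} Mbit/s, "
              f"loss {legit_loss_rate(link, users, flood, filtered):.1%}")
```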
