Netgate Discussion Forum

    Q: pfSense and DDoS

    xevon

      Hello,

      We have a Dell machine which has dual E5520 Xeons, 8 gigs of memory and a fine Intel adapter. I'd like to use pfSense and Snort together on that machine to block a 350-400 Mbit/s DDoS SYN attack. I want to run pfSense as a transparent firewall in front of the router (as in WAN->pf->router->LAN). I'm currently receiving this kind of attack at approximately the mentioned rate and my current configuration cannot hold against it.

      According to these, my questions are:

      • Can pfSense (and its kernel) + Snort easily hold against the attack that is mentioned above? (Because I'm expecting much more, more than 500 Mbit/s.)
      • Does Snort have rulesets and algorithms for blocking DDoS?
      • How much can the machine mentioned above hold up to, according to your experiences?

      Thanks in advance,

      evildave

        @xevon:

        Hello,

        We have a Dell machine which has dual E5520 Xeons, 8 gigs of memory and a fine Intel adapter. I'd like to use pfSense and Snort together on that machine to block a 350-400 Mbit/s DDoS SYN attack. I want to run pfSense as a transparent firewall in front of the router (as in WAN->pf->router->LAN). I'm currently receiving this kind of attack at approximately the mentioned rate and my current configuration cannot hold against it.

        According to these, my questions are:

        • Can pfSense (and its kernel) + Snort easily hold against the attack that is mentioned above? (Because I'm expecting much more, more than 500 Mbit/s.)
        • Does Snort have rulesets and algorithms for blocking DDoS?
        • How much can the machine mentioned above hold up to, according to your experiences?

        Thanks in advance,

        350 Mbps of SYN works out to about 680,000 pps, which is pushing the envelope of what commodity PC hardware (even high-end gear) can forward.

        You really need a device which can do filtering in hardware to handle pps levels like this.

        subfire91

          How can you measure the size of SYN attacks in Mbit/s?

          evildave

            @subfire91:

            How can you measure the size of SYN attacks in Mbit/s?

            Interface line rates on your border router minus the historical value of normal traffic at that time of day on that interface.

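The two estimates evildave gives above (line rate to packets per second for minimum-size SYN frames, and attack rate as observed interface rate minus the historical baseline) worked through as an added example; this is not code from the thread or from pfSense, and the counter samples and baseline figure are constructed for illustration.

```python
# Added example (not from the thread): capacity-planning arithmetic for a SYN flood.
# A TCP SYN fits in the smallest Ethernet frame (64 bytes), so a flood at a given
# line rate is almost all packets, and packets per second is what the forwarding
# path actually has to sustain.

ETHERNET_MIN_FRAME = 64   # bytes: 14 Ethernet + 20 IP + 20 TCP + padding + 4 FCS
WIRE_OVERHEAD = 20        # bytes: 8-byte preamble/SFD + 12-byte inter-frame gap


def syn_pps(mbit_per_s, frame_bytes=ETHERNET_MIN_FRAME, on_wire=False):
    """Packets per second carried by `mbit_per_s` of minimum-size frames.

    on_wire=False counts frame bytes only (the ~680,000 pps figure quoted above
    for 350 Mbps); on_wire=True also counts preamble and inter-frame gap, which
    is the rate a physical link can really deliver at that bit rate.
    """
    size = frame_bytes + (WIRE_OVERHEAD if on_wire else 0)
    return mbit_per_s * 1_000_000 / (size * 8)


def attack_mbit_per_s(bytes_t0, bytes_t1, seconds, baseline_mbit_per_s):
    """Attack share of an interface's inbound rate, as described above: the rate
    computed from two byte-counter samples minus the historical rate normally
    seen on that interface at this time of day (never below zero)."""
    observed = (bytes_t1 - bytes_t0) * 8 / seconds / 1_000_000
    return max(observed - baseline_mbit_per_s, 0.0)


if __name__ == "__main__":
    # Constructed sample: two SNMP/ifconfig byte-counter reads 10 s apart on the
    # border router's WAN interface, and an assumed 150 Mbit/s normal baseline.
    t0_bytes, t1_bytes, interval = 1_000_000_000, 1_625_000_000, 10
    attack = attack_mbit_per_s(t0_bytes, t1_bytes, interval, 150)
    print(f"observed attack traffic: {attack:.0f} Mbit/s")
    print(f"as 64-byte SYN frames:   {syn_pps(attack):,.0f} pps")
    print(f"on-wire (with IFG):      {syn_pps(attack, on_wire=True):,.0f} pps")
```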
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.