Is it possible to stop a 2 Gbps UDP flood attack?



  • Hi,

    I represent a gameserver company and we are getting DDoSed every day.

    Normally they throw 700-800 Mbps at us. Our Catalyst 2960G shows packet loss (we have a 1 Gbps uplink and the switch is 48 ports at 1000 Mbps).

    Sometimes we get 2,3 Gbps (UDP, always a flood attack).

    I was thinking of putting a firewall between our ISP router (plenty capable) and our Catalyst, but I saw that commercial hardware anti-DDoS systems aren't cheap (http://www.fortinet.com/products/fortiddos/index.html).

    So, before anything, do you think pfSense suits this scenario? (Of course I can get a bigger pipe first, but I think this won't be much of a problem, for example 4 Gbps.)

    My question is, will my state table be full in seconds? (For example, at 900K packets per second.)

    The idea is to put this on one of our dedicated servers (quad core, 4 or 8 GB RAM for example, and a 10 Gb NIC).

    Any info would be much appreciated.

    Regards,



  • Any firewall is the wrong answer to mitigating large scale DDoS. It's why the firewall vendors sell DDoS mitigation appliances and not firewalls for such circumstances. You'll blow up the state table, and/or hit the maximum new connections per second that any firewall can handle, very quickly in such circumstances.
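To put numbers on the state-table question in the original post and on the "blow up the state table" point above, here is an added simulation (not from the thread) of a pf-style state table under a spoofed UDP flood. It assumes every flood packet carries a fresh spoofed source (so one packet creates one state), pfSense's default 60 s UDP first-packet timeout, pf's adaptive timeout defaults (timeouts begin shrinking at 60 % of the state limit and reach zero at 120 %), and roughly 100K default states per GB of RAM; the packet rates and table sizes are constructed.

```python
from collections import deque


def simulate_flood(pps, max_states, base_timeout=60, seconds=120, adaptive=True):
    """Step a pf-style state table through a UDP flood, one second at a time.

    Constructed model (assumptions, not measured pf behaviour):
      * every packet has a fresh spoofed source, so one packet = one new state;
      * base_timeout is the UDP first-packet timeout (pfSense default: 60 s);
      * with adaptive=True, timeouts scale linearly from their full value at
        60 % of max_states down to zero at 120 % (pf adaptive.start / .end);
      * once the table is full, pf refuses new states and drops those packets.
    Returns (first_full_second or None, states_per_second, timeout_per_second).
    """
    buckets = deque()          # (creation_second, state_count), oldest first
    total, first_full = 0, None
    states, timeouts = [], []
    start, end = 0.6 * max_states, 1.2 * max_states
    for t in range(1, seconds + 1):
        # Effective timeout: shrinks as the table fills when adaptive scaling is on.
        if adaptive and total > start:
            factor = max(0.0, (end - total) / (end - start))
        else:
            factor = 1.0
        timeout = base_timeout * factor
        # Expire every bucket whose age has reached the (possibly shortened) timeout.
        while buckets and t - buckets[0][0] >= timeout:
            total -= buckets.popleft()[1]
        # Admit new states only while there is room; the remainder are dropped.
        admitted = min(pps, max_states - total)
        if admitted > 0:
            buckets.append((t, admitted))
            total += admitted
        if admitted < pps and first_full is None:
            first_full = t
        states.append(total)
        timeouts.append(timeout)
    return first_full, states, timeouts


if __name__ == "__main__":
    # Poster's scenario: 900K pps against a table sized as pfSense would by
    # default for about 8 GB of RAM (assumed ~100K states per GB).
    full_at, states, timeouts = simulate_flood(900_000, 800_000)
    print(f"800K-state table full after {full_at} s")
    # Even a 10M-state table fills in seconds; adaptive scaling then cuts the
    # UDP timeout from 60 s to about 20 s, for legitimate game sessions too.
    full_at, states, timeouts = simulate_flood(900_000, 10_000_000)
    print(f"10M-state table full after {full_at} s, timeout now {timeouts[-1]:.0f} s")
```

The table stays pinned at its limit while the flood lasts, so legitimate new sessions compete with spoofed ones for every freed slot, and the firewall creates and destroys hundreds of thousands of states per second just to stand still.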



  • This is one of the reasons you want L7 inspection in the FW itself.

    It will help you against DDoS at the application level.



  • @Supermule:

    This is one of the reasons you want L7 inspection in the FW itself.

    It will help you against DDoS at the application level.

    No, it'll just melt down your firewall much, much faster because of the higher overhead of greater inspection.



  • Limiting connections/second on WAN rules to force DDoS IPs to get included on deny lists could be a cheap workaround?

