


  • I don't think there is a firewall on earth that will handle a 1 Gbps SYN flood, if it's traffic you're passing. Not about the bandwidth, it's that that's near 2.5 million new connections/sec. pf can't handle anywhere near that today. The fastest Cisco ASA you can buy only does 350,000 new connections/sec. Firewalls are the wrong answer for DDoS.



  • @cmb:

    I don't think there is a firewall on earth that will handle a 1 Gbps SYN flood, if it's traffic you're passing. Not about the bandwidth, it's that that's near 2.5 million new connections/sec. pf can't handle anywhere near that today. The fastest Cisco ASA you can buy only does 350,000 new connections/sec. Firewalls are the wrong answer for DDoS.

    Edge network firewalls are always the wrong answer for volumetric DDoS and currently wrong for DDOS in general. Kernel programmers are finally getting around to using proper SMP scaling designs. Check back in 5 years. Soon they'll have proper lock-free designs. It's not a technological limitation, just lots of old code that needs to get refactored. Making kernels more SMP friendly is an iterative evolutionary process that naturally takes a while. It's getting there.

    FreeBSD is talking about a per-core state table, no more locking to read/write/update the state table, flow-aware network APIs that can allow a given flow to run on the same core that owns the state, allowing for zero network-related locking all the way from the NIC to the program back to the NIC. Couple that with zero-copy, and you have a winning combo for very high performance networking. Lots of work to reduce locking and context switching.



  • Forget about Cisco; for over 500,000 connections you can go with an F5 system, it can take the beating, and about the nix systems, wait until 2025 for this to work … even if the kernel is optimized it will get problems with other things like IRQ balancing.



  • @Mup:

    Forget about Cisco; for over 500,000 connections you can go with an F5 system, it can take the beating,

    Which is a load balancer, not a firewall. Yes, you want a load balancer for this type of thing, not a firewall.



  • Which is a load balancer, not a firewall. Yes, you want a load balancer for this type of thing, not a firewall.

    Here you are wrong with the part of firewall, F5 system does have firewall and other things…



  • Here you are wrong with the part of firewall, F5 system does have firewall and other things…

    Others are offering such devices as well, but they also want money for them.

    Corero SmartWall TDS
    For off-premises smaller ISPs, cloud services, datacenters and CDNs:
    Pricing for the SmartWall TDS appliances starts at $250,000 for a 40 Gbps configuration.

    Corero DDoS Defense System
    For the on-premises (customer) side, like enterprise companies and big business players:
    Corero DDS 75 EC - DDS 2400 ES, you are paying from ~$18,000 - $135,000,
    from 300 Mbit/s throughput up to 10 Gbit/s throughput.

    So please, what has this to do with the open-source pfSense firewall? If I really turn many services on and install many packages, in my eyes it is walking into the range of a UTM device and/or a GBP router with firewall rules, capable of working in HA mode on top.

    The next range would then be the NG firewall that works application-based and is ASIC/FPGA supported.

    It is a totally different range of devices and offered services that must not be done by the pfSense firewall itself. In many diagrams the Corero DDoS Defense System is placed directly in front of the ordinary company firewall. That means that a firewall such as pfSense is one of those that must stay behind these devices! Perhaps F5 has another client circle to offer other things such as load balancers, but then I ask myself why you are writing this inside the pfSense forum?



  • @Carreswag:

    Makes sense. To take on an attack of this type, you gotta spread the load. What if one were to spread the load across many powerful pfSense boxes? Or maybe a system where different boxes have different rules/tasks? Also, what's the highest pps pfSense has done so far?

    It's not so much a PPS issue as much a slow-path issue. There are DDOS attacks that can cause FreeBSD to consume large amounts of CPU. Kind of like a slow path in a web app where someone can trigger garbage collection. Rate limiting or deprioritizing those slow paths would allow established connections to continue to work, but new connections would have major issues.

    What would be nice is a way to rate limit slow paths per interface so you could do something like rate limit on the WAN side, but not the LAN side. At least the network would be partially working instead of dead in the water.



  • Yes, some DDOS attacks it shrugs off like nothing is happening. The single-IP SYN flood did little to my system other than eat states. The DDOS SYN flood crushed me. I am going off of memory, which is known to not be 100% accurate. Don't take this as fact.



  • @Carreswag:

    My box didn't do so well against a 400 Mbps SYN flood :( Most of the time I get weak UDP attacks due to cheap booters claiming they hit at some crazy high number when they actually run on a crappy shared line. Any tips for reducing load on the box under a SYN flood?

    Determine and address the bottleneck (CPU, memory, state table size, un-established connection timeout, etc.).
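The two practical suggestions in this thread, rate limiting new connections on the WAN side only and tuning the state table size and half-open timeout, map onto a handful of pf directives. The fragment below is an added example written for this page, not a ruleset from the thread or from pfSense itself (pfSense generates its pf rules from the GUI; the directives are the same underneath). Interface names, the server address, and every numeric limit are assumptions to be sized against the box's actual state-table capacity.

```pf
# Added example, not from the thread. Interface names, addresses and limits are assumed.
ext_if = "em0"           # WAN
int_if = "em1"           # LAN
web    = "203.0.113.10"  # published server (documentation address)

# Sources that exceed the per-source rate below are parked in this table.
table <synflooders> persist

# State-table bottleneck: hard cap on states, shorter half-open timeouts, and
# adaptive scaling so timeouts shrink further as the table fills.
set limit states 400000
set timeout { tcp.first 30, tcp.opening 10 }
set timeout { adaptive.start 240000, adaptive.end 400000 }

# Drop everything from sources that already tripped the rate limit.
block in quick on $ext_if from <synflooders>

# WAN only: synproxy makes pf complete the 3-way handshake itself, so a spoofed
# SYN never creates a state on the server side; max-src-conn-rate caps each
# source at 20 new connections per 5 seconds, and overload + flush drops that
# source's existing states when it exceeds the cap.
pass in on $ext_if proto tcp to $web port { 80 443 } flags S/SA \
    synproxy state (max-src-conn-rate 20/5, max-src-states 100, \
    overload <synflooders> flush global)

# LAN side: ordinary stateful pass, no rate limiting, so the inside keeps working.
pass in on $int_if proto tcp flags S/SA keep state
```

This keeps spoofed SYNs from exhausting the state table and isolates abusive sources, but synproxy moves the handshake work onto pf, so the kernel CPU limit cmb describes still applies under a flood that is volumetric rather than state-exhausting.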

