[Removed]



  • [Removed]



  • Nope.  Services like Cloudflare use a global load-balancing system to help protect their clients.  Anyone selling something can make all the claims they want, but you're not going to mitigate a large DDoS attack with pfSense and a single puny WAN link.  It doesn't matter how big or how smart your doorman is, if he has to cope with a million people per second trying to get in your door, it's chaos all round.



  • @KOM:

    Nope.  Services like Cloudflare use a global load-balancing system to help protect their clients.  Anyone selling something can make all the claims they want, but you're not going to mitigate a large DDoS attack with pfSense and a single puny WAN link.  It doesn't matter how big or how smart your doorman is, if he has to cope with a million people per second trying to get in your door, it's chaos all round.

    Ha. I like it. :)



  • @Carreswag:

    Yes but what if you used RTBH with it? Large UDP floods could be stopped correct? Other question: Also fastnetmon is open source and free, and he claims to push extreme bandwidth through it. Does it seem as if fastnetmon works? http://www.lowendtalk.com/discussion/43473/open-source-ddos-dos-monitoring-toolkit-fastnetmon

    It doesn't do what you think it's doing. fastnetmon is only watching traffic and detecting attacks, it's not pushing, routing or blocking anything. It probably misses a bunch of attack traffic, but that's fine given it's a flood and it doesn't need everything or even a majority of traffic to detect attacks. It feeds routers with RTBH. If you feed a really, really fast router with it, that router can drop the traffic in question up to Mpps like he says no problem. But it's dropping everything to the destination IP in question, it's just a means of automatically null routing an attacked IP to keep it from affecting other things on your network.

    @Carreswag:

    Also I only want to know about the capabilities of the hardware and software involved.  Let's pretend we have a 10gbps line and that an attacker can only send 8-9Gbps :)

    For the usual large UDP packet flood, something like an XG-1540 could block 8-9 Gbps of 1500 byte UDP packets without having a significant impact. That type of attack's easier to handle though, outside the bandwidth exhaustion issues.

    You'll quickly find yourself in trouble if you're trying to mitigate DDoS with any stateful firewall, especially if passing the traffic.


Log in to reply