Increase resistance to DDoS attacks?

  • Before I start, I am aware that full DDoS protection cannot be achieved with pfSense. One needs the ISP or similar to mitigate the attack before it reaches our networks.

    I'm looking for advice on increasing the amount of PPS our firewall can handle. We have been hit with UDP DDoS attacks, and our ISP's protection for mitigating them has failed, so our firewalls die during those attacks.

    The issue I'm having is that our firewalls start to show packet loss at an attack of around ~40 Mbit/s, which results in ~50-60k pps and 60% CPU usage (no big increase in states). The hardware is an old Dell 1850 with 4x2.8 GHz CPUs, 4 GB DDR2 RAM and Intel NICs. I think it is the high PPS that is causing the firewalls to start dropping packets. From what I have read, 50-60k pps is not that much, and I would have expected to see more PPS before we start losing packets.

    My questions to those who know more than me:

    1. Can I in any way tune pfSense to handle more PPS than this?
    2. Can we invest in newer hardware to increase the amount of PPS we can swallow?

    Any documentation/sources for tuning pfSense to handle more PPS are appreciated!

  • The default setting is for the firewall to log blocked packets. That could be adding a lot of load.
