On 02/01/2011 11:25 AM, David Burgess wrote:
> An article popped up on /. today, and although it's a poorly written
> article, some of the ensuing discussion did provoke some thought.
>
> http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse

Firewalls do make DDOS attacks worse in front of a large web farm. The state tables get exhausted very quickly. The various large web farms out there don't have a firewall in front of them. Just run limited ports. Of course they also have load balancers, packet sprayers, CDN, etc. Not your typical environment.

> So the thing I'm wondering now, is best practice in terms of hardening
> pfsense against DDOS.

If it's a well-executed DDOS, they can take you out with just a few thousand pps. Just gotta know how to flood the session/state tables. Granted, with pfsense and an x86 box with lots of RAM/CPU you'll probably be fine for quite a while.

Do some research into the hardware router/firewall vs software based one (in particular Linux based firewalling/routing) and you'll find all sorts of material. BSD seems more mature.

-- 
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793