Sorry for the top post.

Some better ISPs have options for rate limiting your connection in the event of a DDOS, meaning their systems will take the brunt of the hit and not route it to your firewall. This can vary from temporarily offlining you to absorb the packet storm to dropping connection attempts after a set pps level.

Then again, this is also where right-sizing your system to handle the load, and building proper systems to handle it, comes in. There has to be some set level at which you will just stop trying to stay online and just offline yourself so as not to be absorbing useless traffic.

In general I disagree with the idea, as some servers/services are harder to recover from DDOS attacks than a firewall filling its state table and slowly dumping them. I've seen webservers going into full kernel panics where a firewall/router taking the hit would have just locked up for a minute or so.

In general it should be a multi-staged approach, not a single piece of wondergear doing everything.

-Sean

-----Original Message-----
From: Charles N Wyble
Sent: Tuesday, February 01, 2011 6:39 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfsense and DDOS


On 02/01/2011 11:25 AM, David Burgess wrote:
An article popped up on /. today, and although it's a poorly written
article, some of the ensuing discussion did provoke some thought.

http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse

Firewalls do make DDOS attacks worse in front of a large web farm. The
state tables get exhausted very quickly. The various large web farms out
there don't have a firewall in front of them. Just run limited ports.

Of course they also have load balancers, packet sprayers, CDN etc. Not
your typical environment.

So the thing I'm wondering now is best practice in terms of hardening
pfsense against DDOS.

If it's a well-executed DDOS, they can take you out with just a few
thousand pps. Just gotta know how to flood the session/state tables.
Granted with pfsense and an x86 box with lots of ram/cpu you'll probably
be fine for quite a while.

Do some research into the hardware router/firewall vs software based one
(in particular Linux based firewalling/routing) and you'll find all
sorts of material. BSD seems more mature.

-- Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
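Editor's note, added to this thread and not written by either Sean or Charles: both messages come down to the same problem, the firewall's state table filling up faster than states expire. pfSense is built on pf, and pf has per-rule knobs that address exactly that, so the fragment below shows them in raw pf.conf syntax as an illustration. The interface name, the server address (a documentation-range placeholder) and every number are assumptions to be sized for your own link; on pfSense you would not edit pf.conf by hand but set the equivalents in the rule's Advanced Options and under System > Advanced > Firewall & NAT (the GUI labels quoted in the comments are from memory and approximate).

```pf
# Illustration only (not from the thread). Placeholders: WAN interface,
# web server address, and all limits.
ext_if = "em0"                 # assumed WAN interface
web_srv = "192.0.2.10"         # assumed web server (documentation range)

# Global state ceiling and shorter timeouts so half-open and idle junk ages
# out faster. Size the ceiling to RAM: each state costs a few hundred bytes.
# pfSense: System > Advanced > Firewall & NAT ("Firewall Maximum States",
# "Firewall Optimization Options").
set limit states 500000
set timeout { tcp.first 30, tcp.opening 10, tcp.closing 30 }

# Table that collects sources which exceed the per-source limits below,
# plus a block rule that drops them before any state is created.
table <flooders> persist
block in quick on $ext_if from <flooders>

# synproxy: pf completes the TCP handshake itself and only creates a state
# (and forwards to the server) once the client proves it is real, so a SYN
# flood never reaches the web server's own kernel; that is the "firewall
# takes the hit instead of the server" case Sean describes.
# Per-source limits: at most 100 concurrent states, at most 15 new
# connections per 5 seconds; offenders go into <flooders> and all of their
# existing states are flushed.
# pfSense: the rule's Advanced Options ("State type: synproxy",
# "Max. established", "Max. src. conn. rate").
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)

# Expire table entries after an hour so a false positive is not permanent
# (run from cron on the firewall):
#   pfctl -t flooders -T expire 3600
```

The per-source limits only help against floods that arrive from a bounded set of sources; a large, well-spread botnet stays under 15 connections per 5 seconds per host and still fills the table, which is where the upstream rate limiting and the "decide when to offline yourself" level from Sean's message become the next stage. Watch `pfctl -si` (state table current/limit) and the size of `pfctl -t flooders -T show` to see which stage is actually absorbing the traffic.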
