
I run several Ubuntu Servers (virtualized) and have fail2ban installed for DDOS mitigation. For a firewall, each server has iptables.

I'm evaluating my security options and was wondering how well fail2ban protects you from DDOS attacks vs. a dedicated hardware appliance? And, is a hardware firewall going to provide you better/more protection than iptables (or is it just higher up in the stack)?

Trent Scott

2 Answers

If it's a real DDoS attack, nothing on your local network will stop it. You'll need the cooperation of your upstream provider. By the time the packets are being discarded at your end, they'll still be clogging your pipe.

There are many reasons to use a hardware firewall vs software ones (features, ease of management, central point of logging, etc) but as far as DDoS goes, neither are adequate for a real attack of any size.

MDMarra

I think you've been listening to too much marketing guff.

There is no real difference between what you call a hardware firewall and a software one. Both are driven by software.

The so-called hardware firewall is also a computer, but without some of the peripheral interfaces like USB or SATA. A number of them even run Linux and iptables under the hood but have provided a nice web interface. Others provide their own operating system that in my opinion may have fewer features and be no more tested than iptables.

So is there any good reason to buy a "hardware firewall"? Well, perhaps. Generally they are well supported and provide a very polished user interface and good support. They also look very sleek in your rack. However, there are now really polished Linux/FreeBSD distributions that provide the same thing, and you can run them on a normal computer or custom hardware, e.g. Untangle, Astaro, Monowall, pfSense, etc., so I don't see such a big advantage.

Now when it comes down to a DDoS attack, there is absolutely no way to protect against it. If you could prevent those packets being sent at the source then that would be the answer, but you can't.

A few years back I recall a case where a big company caused a stir in the IT world and within days their website was flooded in a DDoS attack. In the end they had to abandon their primary domain name and change it to another name. Even they couldn't do much about it with their big IT budget.

hookenz
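Both answers make the same point: a ban applied on the host (by fail2ban, iptables, or an appliance) only takes effect after the traffic has already crossed your uplink. The following is an added example, not code from either answer or from fail2ban itself: it models fail2ban's per-source maxretry/findtime/bantime logic over constructed events and accounts separately for bytes that used the link and bytes that reached the application. The thresholds and addresses are assumed values.

```python
from collections import defaultdict, deque

# Assumed jail parameters (fail2ban names: maxretry, findtime, bantime).
MAXRETRY = 3       # failures that trigger a ban
FINDTIME = 60.0    # seconds of history a failure counts for
BANTIME = 600.0    # seconds the ban stays in force

class HostFilter:
    """Per-source sliding-window ban in the spirit of a fail2ban jail."""

    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time the ban expires

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, -1.0) > now

    def observe(self, ip, now):
        """Record one failed request at time `now`; True means it was dropped."""
        if self.is_banned(ip, now):
            return True
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()            # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
        return False                    # this request still reached the service

def run(events, flt=None):
    """events: (timestamp, src_ip, bytes). Returns (uplink_bytes, app_bytes, dropped)."""
    flt = flt or HostFilter()
    uplink = app = dropped = 0
    for ts, ip, size in sorted(events):
        uplink += size                  # counted before filtering: it already used the link
        if flt.observe(ip, ts):
            dropped += 1
        else:
            app += size
    return uplink, app, dropped

# Constructed sample: one flooding source plus one legitimate client (RFC 5737 addresses).
SAMPLE_EVENTS = [(float(t), "203.0.113.9", 1200) for t in range(10)]
SAMPLE_EVENTS += [(2.5, "198.51.100.4", 300), (7.5, "198.51.100.4", 300)]

def demo():
    return run(SAMPLE_EVENTS)  # -> (12600, 4200, 7): the link carried all 12600 bytes
```

The host-side ban drops seven of the flood's ten requests and leaves the legitimate client untouched, but the uplink byte count is the same with or without the filter, which is why the answers point you to your upstream provider for volumetric attacks.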