1

Is using Free/Open BSD + pf a workable option for filtering DDoS? Which of the two would perform better under heavy load? (SYN flood maxing a 1 Gbit pipe)

Is this even an option to consider, or is a full hardware DDoS filter needed to get fast enough performance?

Maxwell
Eric

2 Answers

1

Using any firewall as DDoS protection is a bad idea. DDoS attacks hit the most resource-intensive portion of any firewall, evaluating its ruleset for huge numbers of new connections. DDoS attacks melt down any firewall very quickly. How quickly and how big of an attack one can handle depends on how big of a firewall. In general, you don't want to look at a firewall as a solution to help with DDoS attacks as it will most likely become the most susceptible thing on your network to succumbing to those attacks.

Chris Buechler
  • This is not true. Get a firewall that can handle line-rate so it doesn't melt. It can be very useful, for example if it employs a synproxy. – Craig Jan 14 '15 at 23:33
  • It's absolutely true. It's 4 years later so things are a little diff today, but still today finding a firewall that'll handle line rate multi-Gb at 64 byte frames is difficult to impossible depending on what options you want to or can afford to consider. It's much more practical to find something that'll do 1 Gb line rate with 64 byte frames today than it was in 2011. Just multiply that 1 Gb a few times to take into account the years, and it's still true today. – Chris Buechler Jan 16 '15 at 06:50
  • It's easy to say "don't look at a firewall". But what should he be looking at then? True, for DDoS it's best to align with your provider and have them filter the malicious traffic out. Even if your firewall can handle it, if your 1Gbps link is maxed out, you can't run your business anymore. – Tommiie Sep 14 '18 at 13:10
1

I think that pf can handle this correctly (synproxy, uRPF and syncache tuning) on decent hardware without a problem using FreeBSD or OpenBSD. I'll tend to use OpenBSD because I'm more familiar with it.

Maxwell
  • Do you have any sort of benchmark reference? synproxy is what I was looking at though; if it can process enough traffic fast enough, it would do what's needed. – Eric Jul 08 '09 at 07:14
  • I would say that FreeBSD will perform a little better (like 2-3%) than OpenBSD with the same hardware. This article discusses pf performance but is probably a little outdated now: http://www.benzedrine.cx/pf-paper.html – Maxwell Jul 08 '09 at 07:26
  • FreeBSD is likely to scale quite a bit better, since its networking is quite a bit less locky. PF will still run single-threaded though, so it may not scale to 1Gb/s. – Cian Jul 08 '09 at 09:15
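A pf ruleset along the lines of what this answer describes (synproxy, uRPF and state limits), as an added example that is not from the thread; the interface name em0, the server address and the limit values are assumptions to adjust for the real box:

```pf
# Added example, not from the answer above. Interface and addresses are assumed.
ext_if  = "em0"
web_srv = "192.0.2.10"      # constructed sample address (RFC 5737 range)

# Raise the state and source-tracking tables so a flood fills them later, not sooner.
set limit { states 500000, src-nodes 200000 }
set optimization aggressive  # shorter timeouts: half-open states expire faster
set skip on lo0

# uRPF: drop packets whose source address is not routed back out the interface
# they arrived on. Cheap, and it kills a large share of spoofed-source SYNs.
block in quick on $ext_if from urpf-failed
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 }
block in quick on $ext_if from <martians>

# Default deny; outbound traffic from the box itself is stateful.
block all
pass out quick on $ext_if keep state

# Sources that exceed the connection limits below are parked in <abusive> and
# blocked outright, which is far cheaper than evaluating the pass rule for them.
table <abusive> persist
block in quick on $ext_if from <abusive>

# synproxy: pf completes the TCP handshake with the client itself and only
# creates a state and forwards the connection once the handshake finishes, so
# spoofed SYNs never occupy the server's listen queue. max-src-conn caps
# concurrent connections per source; max-src-conn-rate 15/5 allows 15 new
# connections per 5 seconds; 'flush global' also tears down the offender's states.
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive> flush global)

# On FreeBSD the syncache sizing the answer mentions is not pf.conf syntax; it is
# set in /boot/loader.conf (net.inet.tcp.syncache.hashsize, .bucketlimit,
# .cachelimit) with net.inet.tcp.syncookies=1 in /etc/sysctl.conf.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; note that synproxy still costs CPU for every SYN pf answers, so the caveat from the first answer about 64-byte frames at line rate still applies.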