I run a gaming community on a colo with a 100Mbps port. I want to buy a very cheap 35 dollar server with the same 100Mbps port and run pfSense on it to use as a hardware firewall. I'm dealing with a bunch of 14-year-old kids that have access to botnets, so it can become a bit necessary to get something like this. My overall question is: is using pfSense on a cheap, identical datacenter/port-speed server worth it to actually block DDoS attacks?

A bit more detail, since I assume you will ask this: the attacks we receive are normally around 1Gbps. We currently run CentOS using CSF Firewall, and even with only a software firewall we block 500Mbps UDP floods, or just generic attacks, pretty easily.

Thanks, - Necro

Jeremy

1 Answer

This depends on the kind of DoS attack you're talking about.

If you're talking about a bandwidth exhaustion attack, this won't help: you'll still saturate your uplink and wind up going down (or at least suffering serious performance problems).
To mitigate this kind of attack your ISP would have to block the attacks before they reach your server/port. (Your ISP would also need to have enough bandwidth to absorb the attack. If you're really seeing 1Gbit/sec in traffic, your ISP is likely to ask you to find a new home.)

If you're talking about a true DDoS (Distributed Denial of Service), a simple firewall may not be adequate, and companies like Arbor Networks have solutions specifically designed to help deal with this - as you can imagine, the price tag is rather formidable.

On the other hand, if you're talking about resource exhaustion attacks on the server (tying up all the TCP connections, for example), a pfSense box (or any other kind of dedicated firewall) can help, if properly configured.

voretaq7
  • Linking to Arbor Networks products is total overkill in this case. There are free application firewall products that could help. – Mxx Nov 10 '12 at 17:59
  • @Mxx an application firewall will not mitigate "1Gb/sec" traffic (especially if his uplink is only 100Mbit) - it *MUST* be mitigated upstream, and if that number is actually valid and the attack actually distributed, I know of no free product that offers the quality and responsiveness in mitigation that the Arbor options do. If you would like to propose an alternative solution, please feel free to do so. – voretaq7 Nov 10 '12 at 18:53
  • If it's a bandwidth exhaustion attack, then obviously it must be mitigated upstream. However, if this is an application resource exhaustion attack, an application firewall should be able to help. – Mxx Nov 10 '12 at 22:30
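As an added illustration of what "properly configured" means for the resource-exhaustion case in the answer above (this is example configuration, not from the answer, the asker, or pfSense's own documentation): pfSense is built on pf, and the per-rule Advanced Options in its GUI (state type, max source connections, max source connection rate, max source states) map onto the pf state-tracking options shown below. The interface name, server address and ports are constructed placeholders; none of this helps once the 100Mbps uplink itself is saturated.

```pf
# Constructed placeholders: WAN interface, game server, service ports
ext_if   = "em0"
game_srv = "192.0.2.10"
game_tcp = "27015"
game_udp = "27015"

# Size the state table for a busy game host rather than the pf defaults
set limit { states 200000, src-nodes 100000 }

# Table pf fills automatically with sources that exceed the limits below
table <flood> persist

# Default deny on the WAN side; log drops so floods show up in pflog
block in log on $ext_if

# Anything already flagged as a flooder is dropped first (quick = stop here)
block in quick on $ext_if from <flood>

# TCP game port: synproxy completes the handshake on the firewall, so
# half-open connections never consume a backlog slot on the game server.
# Per-source caps: at most 20 established connections, and at most
# 15 new connections in any 5 second window. A source that exceeds either
# is added to <flood> and all of its existing states are flushed.
pass in on $ext_if proto tcp from any to $game_srv port $game_tcp \
    flags S/SA synproxy state \
    (max-src-conn 20, max-src-conn-rate 15/5, \
     overload <flood> flush global)

# UDP has no handshake to proxy; cap how many state entries one source
# may hold so a single host cannot exhaust the firewall's state table.
pass in on $ext_if proto udp from any to $game_srv port $game_udp \
    keep state (max-src-states 50, overload <flood> flush global)
```

Entries in `<flood>` are permanent until removed (`pfctl -t flood -T show` lists them, `-T expire <seconds>` ages them out), so in practice a cron job or pfSense's own table expiry should be used to clear stale entries.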