Anyone know of a good DDOS Firewall?

randvegeta Member, Host Rep

Hello everyone.

I'm curious if anyone knows of a decent DDOS firewall, capable of handling a lot of traffic and high PPS.

I'm looking for something that could handle multiple 10G connections simultaneously. Possibly in the region of 100 mpps.

I was wondering as well if anyone has any experience with Mikrotik routers and if they are any good as firewalls? The MT routers are pretty damn cheap and they have impressive (claimed) specs. There is a new Cloud Core Router with a 72 core CPU, 16GB RAM and supposedly able to handle 120 Mpps and over 80Gbit of throughput. But that's routing capacity. As a firewall it would probably be significantly less, but with 72 cores at its disposal, it sounds like a bit of a beast. Anyone have any experience with these?

Comments

  • If you're running multiple 10GE's in a commercial setting then forget Mikrotik. Their Tilera boxes look good on paper but under heavy load things start going badly wrong. This is from personal testing with an Ixia load generator.

    What is your budget for this router?

  • randvegeta Member, Host Rep

    Hi Mark,

    I have not actually tried MT before. On paper it looks amazing, but I've read on the forums they have a lot of old bugs that just seem to not get fixed.

    I have not got a fixed budget but I am aware that such firewalls and routers can cost 10s (or even 100s) of thousands of dollars if you are going for brand names like Juniper or Cisco.

    I'm not really looking to spend that kind of money. MAYBE 10K if it can really handle a decent amount of traffic. What do you have in mind?

  • MarkTurner Member
    edited January 2016

    You want a firewall or a router?

    The PPS quoted on a lot of these units, including Juniper/Cisco, is their 'optimal' performance, i.e. when packets can be forwarded/switched with minimal overhead: complete, optimally sized.

    Also note that Cisco has a habit of considering the packet in and out as 2 packets. So you need to validate that.

  • randvegeta Member, Host Rep

    MarkTurner said: You want a firewall or a router?

    A firewall is what I'm interested in now. Though it's good to know of some routers too that can handle a decent amount of traffic. These days though, it seems firewalls and routers are pretty much the same thing. All routers include firewall facilities, and I believe all firewalls include routing facilities, no?

    But mainly I'm looking for FIREWALL solutions.

  • randvegeta said: and I believe all firewalls include routing facilities no?

    No. Firewalls have nothing to do with routing/NAT.

  • randvegeta Member, Host Rep

    Ishaq said: No. Firewalls have nothing to do with routing/NAT.

    I didn't say they did. I said that many firewalls INCLUDE the facility to DO routing.

  • randvegeta said: many firewalls INCLUDE the facility to DO routing.

    Which take time away from other processes, you want to filter with your firewall and your router to just fling packets. At multi 10G links, please don't mix the two or you will be seriously disappointed.

  • randvegeta Member, Host Rep

    miTgiB said: Which take time away from other processes, you want to filter with your firewall and your router to just fling packets. At multi 10G links, please don't mix the two or you will be seriously disappointed.

    Why is this being such a hot point?

    I am fully aware they are separate things. I have no intention to mix the two. I am simply stating that devices that are meant to be used as routers often have firewall facilities built in, and vice versa. I actually know of no Firewall or Router that does not come with at least basic functionality of the other. Christ.

  • randvegeta said: But mainly I'm looking for FIREWALL solutions.

    If you're looking at firewalls then focus 100% on firewall. You don't want them mixed.

    Remember for DDOS mitigation, a traditional firewall is not necessarily the best way to go about it.

    Juniper SRX5800's provide wirespeed firewalling for up to around 10 line-rate 10GE ports. It depends on the level of inspection you want to run and the type of traffic you're running, e.g. TCP/UDP (makes quite a difference to performance), level of properly formed packets, etc.

    If you drop the DPI then you can get a lot more line-rate 10GE ports being processed.

    The key is to contact vendors and design a validation test that either you run with them or have them ship the equipment to you and run the testing in your lab.

  • randvegeta Member, Host Rep

    MarkTurner said: Juniper SRX5800's

    That is one hefty Firewall. Looks to be more than $10k, even second hand though.

  • randvegeta said: That is one hefty Firewall. Looks to be more than $10k, even second hand though.

    You need to start by defining number of ports, number of packets, levels of inspection/classification, number of rules, etc.

    Once you have that, you can scale your firewall out from there.

    The SRX5800s are really good firewalls, possibly overkill for your application, but you have not defined how many 10GE ports, your actual throughput and your expected PPS.

    When DDOS's take place often the attacker(s) will drop the packet size down to minimal to choke up routers/firewalls. Add some invalid headers and it just contributes to choking up the router.

    We found this with Juniper's MX960 (and almost the whole range) routers; they are very susceptible to this type of attack because the routing engine's CPU is very small compared to the total traffic the box can move. The Routing Engines are very easy to choke up, at which point services on the router start failing and forwarding stops.
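To put the numbers in this thread (multiple 10GE ports, a 100 Mpps target, minimum-size flood packets) on a common footing, here is an added example of the line-rate packet arithmetic a defender does before sizing a filter box. It is not code from any poster; it assumes standard Ethernet framing overhead (8-byte preamble/SFD plus 12-byte inter-frame gap) and the 64-byte minimum frame.

```python
# Added example: worst-case packets-per-second arithmetic for the figures
# quoted in this thread. Assumes standard Ethernet framing overhead
# (8-byte preamble/SFD + 12-byte inter-frame gap) and 64-byte minimum frames.
import math

PREAMBLE_SFD = 8   # bytes on the wire before each frame
IFG = 12           # inter-frame gap, bytes
MIN_FRAME = 64     # smallest legal Ethernet frame; floods use it to maximise PPS


def line_rate_pps(bit_rate: float, frame_bytes: int = MIN_FRAME) -> int:
    """Maximum frames per second one link can carry at a given frame size.

    Each frame costs frame_bytes + preamble + IFG on the wire, so the PPS a
    device must survive rises sharply as the attacker shrinks packets.
    """
    wire_bytes = frame_bytes + PREAMBLE_SFD + IFG
    return int(bit_rate // (wire_bytes * 8))


def ports_needed(target_pps: float, bit_rate: float = 10e9,
                 frame_bytes: int = MIN_FRAME) -> int:
    """Number of links of bit_rate needed to deliver target_pps at frame_bytes."""
    return math.ceil(target_pps / line_rate_pps(bit_rate, frame_bytes))


def fraction_of_line_rate(device_pps: float, bit_rate: float = 10e9,
                          frame_bytes: int = MIN_FRAME) -> float:
    """Share of one link's worst-case PPS that a device rated at device_pps covers."""
    return device_pps / line_rate_pps(bit_rate, frame_bytes)


if __name__ == "__main__":
    for size in (64, 512, 1500):
        print(f"10GE at {size:4d}-byte frames: {line_rate_pps(10e9, size):,} pps")
    # The 100 Mpps figure from the opening post, expressed in saturated 10GE ports
    print("10GE ports of 64-byte frames to reach 100 Mpps:", ports_needed(100e6))
    # The 200 kpps-per-card figure quoted later, against one saturated 10GE port
    print(f"200 kpps card vs one 10GE of 64-byte frames: "
          f"{fraction_of_line_rate(200e3):.1%}")
```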

  • 10k? per what, month?

    A good appliance without code - Tilera and alike - sets you back at LEAST 50k, a good one with code/interface at least 100k.

    For anything less - and 10k NRC is nothing - you better buy some nice Dual E5-2690, add 32GB RAM (because why not!) and 2 nice network cards (with hardware offload, optional also an SSL FPGA but CPU does that fine) and just roll your own shit on BSD. A nice setup this way does 20G+.

  • randvegeta Member, Host Rep

    William said: 10k? per what, month?

    10k to purchase or build a firewall. I am well aware this does not really buy much in the world of Cisco, Juniper or other 'brand name' Enterprise network equipment vendors.

    MarkTurner said: possibly overkill for your application but you have not defined how many 10GE ports, your actual throughput and your expected PPS.

    We certainly don't have any need for this kind of capacity. We are mainly HK based and traffic is far too expensive to have multiple 10Gbit connections.

    I am doing something of a feasibility study on setting up a DDOS mitigation service in Asia. Multiple locations are needed and each location will need a proper firewall. Multiple locations means spending 100K+ in each location is not in any way feasible. 10K, maybe, depending on what it can do.

  • randvegeta Member, Host Rep

    William said: For anything less - and 10k NRC is nothing - you better buy some nice Dual E5-2690, add 32GB RAM (because why not!) and 2 nice network cards (with hardware offload, optional also an SSL FPGA but CPU does that fine) and just roll your own shit on BSD. A nice setup this way does 20G+

    Can a Xeon server really be any good as a Firewall? 20G+? Impressive if true.

  • deployvm Member, Host Rep

    If you require an enterprise solution, with support, then I would recommend Arbor. The two common devices are Arbor Pravail (for small-scale filtering and including application layer) and Arbor Peakflow.

    Signatures are based on the cloud, with sharing from many large ISPs.
    However, I'm sure these devices retail for over 30K.

    http://www.arbornetworks.com/products

    As others stated, building your own solution can easily save costs.

  • randvegeta said: Can a Xeon server really be any good as a Firewall? 20G+ ? Impressive if true.

    With recent Endace DAG NICs you can get pretty good performance, but when I tested you're looking at around 200,000 PPS per card if the packets are formed properly. If the packets aren't properly formed then the PPS drops significantly.

    randvegeta said: I am doing something of a feasibility study on setting up a DDOS mitigation service in Asia. Multiple locations are needed and each location will need a proper firewall. Multiple locations means spending 100K+ in each location is not in any way feasible. 10K, maybe, depending on what it can do.

    Irrespective of firewall, you still need a tonne of bandwidth, and you're going to need a decent set of routers that can handle the PPS you're looking to move.

  • randvegeta said: Can a Xeon server really be any good as a Firewall? 20G+ ? Impressive if true.

    You are HIGHLY underestimating what kind of data a modern Xeon can move.

  • randvegeta Member, Host Rep

    @William said:
    You are HIGHLY underestimating what kind of data a modern Xeon can move.

    Apparently. Such a server would cost only a few thousand. A FRACTION of a proper Firewall.

    What about the software and known attack vectors? With price tags of 100k+, are you paying for hardware or the known types of attacks that it has 'learned' to defend against?

  • randvegeta Member, Host Rep

    MarkTurner said: With recent Endace DAG NICs you can get pretty good performance, but when I tested you're looking at around 200,000 PPS per card if the packets are formed properly. If the packets aren't properly formed then the PPS drops significantly.

    200 kpps doesn't sound like that much. I would imagine that attacks may have 10s or even 100s of Mpps.
