-1

When speaking about DDoS protection, I understand that it is massively dependent on filter capacity.

When building your own DDoS protection, it is dependent on the amount of traffic you can filter, and if a DDoS attack exceeds that limit, there is no other possibility to filter the other traffic; it will reach the back end and therefore make the back end unavailable.

But how is this filter capacity increased? If, for example, I go and buy a Firepower 9300 and connect it to my network in front of my router and therefore the back end, or exchange my router for this firewall, since it says it has 1.2 Tbps clustered throughput, does it mean I will potentially be able to filter 1.2 Tbps of DDoS traffic and block a DDoS attack of up to 1.2 Tbps? Or, to filter more traffic, will I need to call my provider and ask for an increase in the bandwidth of my internet uplink, and will that be the maximum traffic I can handle?

dnleiman

2 Answers

3

To filter 1.2 Tbps of traffic coming down one pipe, you would first need the capacity to receive 1.2 Tbps of traffic in the first place. I.e., you would need both massive available bandwidth and massive hardware capacity for routing and filtering.

For DDoS (distributed being the key word) it generally makes more sense to filter close to each source, as for instance major CDN providers do, than to wait until all the traffic has been routed to one place and have it add up to something that is, quite possibly, unmanageable.

Håkan Lindqvist
1

as [the firewall] says it has 1.2 Tbps clustered throughput, does it mean I will be able to filter 1.2 Tbps of DDoS

No. You need to do a serious threat and capacity assessment to understand what your limits are in mitigating a DDoS threat.

  • You need more bandwidth than the attack to continue serving legit requests.
  • Firewalls will probably hit their packets-per-second limits long before throughput. A big single firewall might handle single-digit millions of packets per second; large attacks exceed 100 Mpps.
  • Maximums for a clustered system are not the limits of one node. One node is much smaller capacity, sometimes reduced by what features you use. So you need to buy lots to scale out.

Tens of 100 Gbps Internet links plus as many large firewalls is expensive and may stress the transit of your providers. Naturally DDoS mitigation services would use a CDN-style distributed network to spread the load.

You likely will not face a threat of record size. But this scale is not theoretical, GitHub weathered a 1.3 Tbps attack.

John Mahowald
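A small capacity check that turns the three bullets in the answer above into numbers, added here as an example and not code from either answer: it compares a flood profile against uplink bandwidth, the cluster's aggregate packet rate and its aggregate throughput, and reports which limit binds first. The site figures, per-node ratings, node count and packet sizes are constructed assumptions, as is the 20-byte Ethernet framing overhead per packet.

```python
from dataclasses import dataclass

WIRE_OVERHEAD_BYTES = 20  # assumed Ethernet preamble (7) + SFD (1) + inter-frame gap (12) per frame

@dataclass
class SiteCapacity:
    uplink_gbps: float            # total transit bandwidth delivered to the site
    node_mpps: float              # one cluster node's forwarding limit, millions of packets/s
    node_gbps: float              # one cluster node's throughput limit, Gbit/s
    nodes: int = 1                # nodes in the cluster
    feature_factor: float = 1.0   # share of datasheet capacity left once inspection features are on

    def total_pps(self) -> float:
        return self.node_mpps * 1e6 * self.nodes * self.feature_factor

    def total_gbps(self) -> float:
        return self.node_gbps * self.nodes * self.feature_factor

def bits_on_wire(packet_bytes: int) -> int:
    """Bits one packet occupies on the link, framing overhead included."""
    return (packet_bytes + WIRE_OVERHEAD_BYTES) * 8

def attack_pps(attack_gbps: float, packet_bytes: int) -> float:
    """Packet rate of a flood with the given bandwidth and average packet size."""
    return attack_gbps * 1e9 / bits_on_wire(packet_bytes)

def binding_limit(cap: SiteCapacity, attack_gbps: float, packet_bytes: int):
    """Name and load ratio of the limit the flood stresses most; a ratio >= 1.0
    means that resource is saturated and legitimate traffic no longer has a guaranteed path."""
    ratios = {
        "uplink_bandwidth": attack_gbps / cap.uplink_gbps,
        "firewall_pps": attack_pps(attack_gbps, packet_bytes) / cap.total_pps(),
        "firewall_throughput": attack_gbps / cap.total_gbps(),
    }
    name = max(ratios, key=ratios.get)
    return name, ratios[name]

def max_absorbable_gbps(cap: SiteCapacity, packet_bytes: int) -> float:
    """Largest flood (Gbit/s) of the given packet size that stays under every limit."""
    pps_bound_gbps = cap.total_pps() * bits_on_wire(packet_bytes) / 1e9
    return min(cap.uplink_gbps, cap.total_gbps(), pps_bound_gbps)

if __name__ == "__main__":
    # Constructed site: one 100 Gbps uplink, four nodes rated 5 Mpps / 100 Gbps each.
    site = SiteCapacity(uplink_gbps=100, node_mpps=5, node_gbps=100, nodes=4)
    print(binding_limit(site, 20, 64))      # 64-byte flood: pps limit saturated at only 20 Gbps
    print(binding_limit(site, 120, 1400))   # large packets: the uplink fills first
    print(max_absorbable_gbps(site, 64))    # a "400 Gbps" cluster absorbs ~13.4 Gbps of 64-byte packets
```

Under these assumptions the cluster's 400 Gbps datasheet figure is irrelevant to a small-packet flood: the aggregate 20 Mpps is exhausted at about 13.4 Gbps, and dropping the feature factor below 1.0 lowers that further.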