Kaspars_Zibarts
Authority

DOS rate limiting real life performance

Just wanted to hear from those who have deployed the DOS rate limiting option (How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher)).

I realise that FWs are not really DDOS appliances and are not there to prevent such attacks, but it would be interesting to hear if you have worked with and seen the CP DOS rate limiter in action!

We had some "real life tests" recently on a 23800. That was a proper UDP volume attack in an attempt to fill the internet pipe.

We have 16 SXL cores (HT), running R80.40 T139, normally carrying < 1M pps. The attack pushed it to 18 Mpps and the FW survived. Of course internet connectivity was a bit patchy due to RX-DRP on the interface. SXL cores were pushed to 100%, understandably. The one before was a little milder at 7 Mpps and the FW fared better then. The graph below shows half of the incoming packet rate.

[image: graph of incoming packet rate]

Here's just a sample of one SXL core CPU load:

[image: graph of one SXL core CPU load]

The feeling I get is that with the current 16 SXL core setup we could probably survive 5 Mpps without any problems.

Just to be clear - I refer to packets per second, not bits 🙂

Has anyone else played with the DOS rate limiter? Are you "happy" with it?

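The post above reports what a packet-rate limit looks like under a real flood but does not show the mechanism. The following is an added example for this page, not Check Point's implementation and not the poster's configuration: a generic per-source token-bucket model of a packet-rate quota, run over constructed arrivals (a flooding source at 8 pps and a normal source at 2 pps, against an assumed 4 pps limit). It shows the property a defender cares about: once the burst allowance is spent, the flooding source is held to the configured rate while the well-behaved source is never dropped.

```python
"""Token-bucket model of a per-source packet-rate quota.

Added illustration for this thread: a generic rate limiter, NOT the
Check Point implementation. Limit, burst, source names and arrival
times below are all constructed for the demo.
"""
from collections import defaultdict


class PacketRateLimiter:
    """One token bucket per source; one token is consumed per accepted packet."""

    def __init__(self, pkt_rate, burst=None):
        self.rate = float(pkt_rate)                      # tokens refilled per second
        self.burst = float(burst if burst is not None else pkt_rate)
        self.tokens = defaultdict(lambda: self.burst)    # bucket starts full
        self.last_seen = {}                              # per-source last timestamp

    def allow(self, src, now):
        """Return True if a packet from `src` at time `now` is within quota."""
        if src in self.last_seen:
            elapsed = now - self.last_seen[src]
            # refill proportionally to elapsed time, capped at the burst size
            self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False                                     # over quota: drop


def simulate(limiter, arrivals):
    """arrivals: iterable of (timestamp_seconds, src).

    Returns {src: (accepted, dropped)} after feeding packets in time order.
    """
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(arrivals):
        if limiter.allow(src, ts):
            stats[src][0] += 1
        else:
            stats[src][1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def build_traffic():
    """Constructed sample traffic (timestamps chosen as exact binary fractions).

    "flood":  8 packets per second for 2 seconds (16 packets)
    "normal": 2 packets per second for 2 seconds (4 packets)
    """
    flood = [(i * 0.125, "flood") for i in range(16)]
    normal = [(i * 0.5, "normal") for i in range(4)]
    return flood + normal


def run_demo(pkt_rate=4):
    """Apply an assumed per-source limit of `pkt_rate` packets/second."""
    limiter = PacketRateLimiter(pkt_rate=pkt_rate, burst=pkt_rate)
    return simulate(limiter, build_traffic())


if __name__ == "__main__":
    for src, (ok, dropped) in sorted(run_demo().items()):
        print(f"{src:7s} accepted={ok:2d} dropped={dropped:2d}")
```

With the 4 pps limit the flooding source gets its 4-packet burst plus roughly 4 packets per second afterwards (11 accepted, 5 dropped over the 2 second window), while the 2 pps source is never dropped. A real gateway applies the same idea in the acceleration path, which is why the CPU cost the post reports is spent on deciding per packet rather than on passing the flood through.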
PhoneBoy
Admin

The rate limiter is there to help the appliance handle volumetric DDOS situations...better.
It's not going to fully mitigate a DDOS, but can be useful as a part of an overall strategy.
