The DDoS mitigation performance of Wanguard Filter

Wanguard Filter can mitigate DDoS attacks by controlling the Linux-based iptables software firewall, the hardware packet filter included in a few NIC chipsets such as Intel 82599 or Chelsio T5, or other third-party firewalls, routers or mitigation appliances.

The two traffic-filtering methods built into Wanguard Filter, the software firewall and the hardware packet filter, complement each other in both performance and features:
  • The software firewall is very flexible, but it might not be fast enough to handle a full 10 GbE link, especially when dealing with small packets.
    Wanguard Filter does not use the connection tracking system specific to stateful firewalls, which ensures much better filtering and switching performance. Still, the filtering performance you will actually get is very hard to estimate, because the packet filter's capacity depends on many parameters: CPU type, speed and cache, Linux kernel version, NIC chipset, NIC driver, attack type, server load, routed traffic volume, multi-core balancing of hardware interrupts, number of existing rules, and so on.
    You can find several iptables benchmarks on the web, although most of them are related to stateful filtering.
  • The hardware packet filter can drop 10G traffic at wire-speed without straining the CPU and interrupt system. Currently, it can apply only a subset of the filtering rules available to the software firewall.
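As an added illustration (not Andrisoft's code, nor Wanguard's own rule format), the shell snippet below shows the distinction the two bullets draw: a stateless drop rule placed in the iptables raw table, which is traversed before connection tracking, beside the equivalent hardware filter pushed into an Intel 82599 (ixgbe) NIC through ethtool ntuple / Flow Director. The interface name, destination address and port are constructed placeholders; commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Constructed example: conntrack-free DDoS drop rules for one attacked
# destination, expressed for the Linux software firewall and for the 82599
# hardware packet filter. All values are placeholders, not real hosts.
IFACE="${IFACE:-eth0}"
VICTIM="${VICTIM:-203.0.113.10}"   # attacked destination (TEST-NET-3, constructed)
ATTACK_DPORT="${ATTACK_DPORT:-53}" # e.g. a small-packet UDP flood towards DNS

# run: print the command and execute it only when APPLY=1 (requires root)
run() {
    echo "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# sw_rules: rules in the raw table's PREROUTING chain. The raw table is hit
# before conntrack, so a DROP here never allocates a state entry, and the
# remaining packets for the destination are marked NOTRACK so the stateful
# machinery stays out of the hot path, the stateless approach described above.
sw_rules() {
    run iptables -t raw -A PREROUTING -i "$IFACE" -d "$VICTIM" \
        -p udp --dport "$ATTACK_DPORT" -m length --length 0:64 -j DROP
    run iptables -t raw -A PREROUTING -i "$IFACE" -d "$VICTIM" -j CT --notrack
}

# hw_rules: the same 5-tuple drop offloaded to the NIC's Flow Director via
# ethtool ntuple; "action -1" discards the packet in hardware. This is where
# the "subset of rules" limitation shows: the packet-length match used in
# sw_rules has no hardware equivalent and is simply not expressible here.
hw_rules() {
    run ethtool -K "$IFACE" ntuple on
    run ethtool -N "$IFACE" flow-type udp4 dst-ip "$VICTIM" \
        dst-port "$ATTACK_DPORT" action -1
}

# rule_count: number of commands a rule set issues (useful for review)
rule_count() {
    "$1" | wc -l | tr -d ' '
}

sw_rules
hw_rules
```

Run it without APPLY to review the generated rules; with APPLY=1 the software rules load immediately, while the hardware rule only works on a driver that exposes Flow Director through ntuple (ixgbe does, as does Chelsio's cxgb4).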
When a DDoS attack saturates the uplink bandwidth or exceeds the capacity of the filtering server(s), Wanguard Sensor can announce a BGP black-hole/null-route for the attacked destinations, or send a BGP FlowSpec announcement that blocks the attack on the border router.
Multiple filtering servers can be deployed in a cluster-like architecture that load-balances packet filters.

Author: Andrisoft Team
Date Created: 2014-01-22 14:42:10
Date Updated: 2017-11-30 01:11:05