Re: ddos / no connection tracking / tarpitting


R. DuFresne wrote:

The only way to really survive a DDoS without affecting connectivity in any shape or form is to have a bigger pipe than the other end(s) does. Idiots trying to DDoS from a cable connection or dialup are not a problem and sufferable. Those a tad higher in technical advancement with a botnet and thousands of zombies to attack from are likely to bring even the biggest pipes to a dead halt; at least getting in and out of the firewall gateway is impossible. Traffic on the inside should be unaffected.


I've suffered attacks with a firewall not doing connection tracking and had no problems with either the firewall failing or suffering a reboot. I have yet to suffer such an attack on a stateful firewall, but tend to think I should suffer no less with such a firewall in place as opposed to the older mere packet filters I've been replacing over time. Course, it helps to have enough RAM in the firewall in the first place...

Pipe size and RAM, them be the keys to survival.

Thanks,


That's the point. With professional DDoS attacks we are talking about people using their botnets and zombies, and in total they can reach bandwidths beyond the Gbit mark. Not really easy to handle such a packet storm ;).
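The "enough RAM" remark above is about the connection-tracking table: a stateful firewall must allocate an entry for every new flow it sees, and a SYN flood from spoofed sources consumes those entries faster than the half-open timeout releases them, until the kernel starts dropping new flows ("nf_conntrack: table full, dropping packet"), legitimate ones included. The toy model below is an added example written for this archive page, not code from the thread's authors or from the netfilter project. It assumes a table of 65536 entries (a common nf_conntrack_max default), a 60 second half-open timeout (the nf_conntrack_tcp_timeout_syn_recv default) and a rough 320 bytes per entry; all three constants are assumptions, and the flood and the one legitimate connection per second are constructed inputs. The notrack_ports parameter models an iptables raw-table NOTRACK rule, under which packets to that port never touch the table and so cannot exhaust it.

```python
from collections import deque

NF_CONNTRACK_MAX = 65536   # assumption: common default of nf_conntrack_max
SYN_RECV_TIMEOUT = 60      # assumption: nf_conntrack_tcp_timeout_syn_recv default, seconds
BYTES_PER_ENTRY = 320      # assumption: rough per-entry cost, for a RAM estimate only


class ConntrackTable:
    """Fixed-capacity flow table. A new flow is refused when the table is full,
    which is what the kernel's 'table full, dropping packet' message reports."""

    def __init__(self, max_entries=NF_CONNTRACK_MAX, syn_timeout=SYN_RECV_TIMEOUT):
        self.max_entries = max_entries
        self.syn_timeout = syn_timeout
        self.state = {}             # flow -> "SYN_RECV" or "ESTABLISHED"
        self.syn_expiry = deque()   # (expiry, flow), appended in time order
        self.table_full_drops = 0
        self.peak = 0

    def expire(self, now):
        # Half-open entries time out; established flows keep their slot.
        while self.syn_expiry and self.syn_expiry[0][0] <= now:
            _, flow = self.syn_expiry.popleft()
            if self.state.get(flow) == "SYN_RECV":
                del self.state[flow]

    def new_syn(self, flow, now):
        """Return True if the SYN got a table entry, False if it was dropped."""
        self.expire(now)
        if flow in self.state:
            return True
        if len(self.state) >= self.max_entries:
            self.table_full_drops += 1
            return False
        self.state[flow] = "SYN_RECV"
        self.syn_expiry.append((now + self.syn_timeout, flow))
        self.peak = max(self.peak, len(self.state))
        return True

    def established(self, flow):
        self.state[flow] = "ESTABLISHED"

    def capacity_bytes(self):
        return self.max_entries * BYTES_PER_ENTRY


def fills_table(flood_pps, max_entries=NF_CONNTRACK_MAX, syn_timeout=SYN_RECV_TIMEOUT):
    """A spoofed SYN flood keeps the table full once it can create more
    half-open entries during one timeout than the table holds."""
    return flood_pps * syn_timeout >= max_entries


def simulate(flood_pps, seconds, notrack_ports=frozenset(), **table_kw):
    """Each second: flood_pps spoofed SYNs to port 80 that never complete the
    handshake, then one legitimate SSH connection that does. Ports listed in
    notrack_ports bypass the table (raw-table NOTRACK). Constructed traffic."""
    table = ConntrackTable(**table_kw)
    legit_ok = legit_dropped = 0
    spoof = 0
    for now in range(seconds):
        for _ in range(flood_pps):
            spoof += 1
            flow = ("198.51.100.%d" % (spoof % 250), spoof, 80)  # constructed spoofed source
            if 80 in notrack_ports:
                continue                    # untracked: consumes no state
            table.new_syn(flow, now)
        flow = ("203.0.113.7", 40000 + now, 22)  # constructed legitimate client
        if 22 in notrack_ports:
            legit_ok += 1
        elif table.new_syn(flow, now):
            legit_ok += 1
            table.established(flow)         # real client finishes the handshake
        else:
            legit_dropped += 1
    return {
        "legit_ok": legit_ok,
        "legit_dropped": legit_dropped,
        "peak_entries": table.peak,
        "table_full_drops": table.table_full_drops,
        "table_ram_bytes": table.capacity_bytes(),
    }


if __name__ == "__main__":
    print("3000 SYN/s, tracked:  ", simulate(3000, 120))
    print("3000 SYN/s, NOTRACK 80:", simulate(3000, 120, notrack_ports=frozenset({80})))
    print("500 SYN/s, tracked:   ", simulate(500, 120))
```

Running it shows the mechanism rather than the bandwidth: 3000 SYN/s is well under a megabit of traffic, yet with the assumed defaults it fills a 65536-entry table in about 22 seconds and the legitimate client is refused for the rest of the run, while the same flood against a NOTRACK rule (or a rate the timeout can drain, as in the 500 SYN/s case) never blocks it. Raising nf_conntrack_max is the RAM lever from the post above; it only helps as long as the flood rate times the half-open timeout stays below the new limit.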



