While much can be done with Artica Firewall feature to block DDoS attacks, there is no way to bypass hardware firewalls to detect and stop large DDoS floods.
However, it's not impossible to filter out most bad traffic at line rate using Artica.
This Artica feature only cover protection from TCP-based attacks.
Most UDP-based attacks are amplified reflection attacks that will exhaust the network interface card of any common server.
The only mitigation approach that makes sense against these types of attacks is to block them at the edge or core network or even at the carrier already.This option as been added in Artica v4.40 or Artica v4.30 Service Pack 703
- On the left menu, choose “
Your Firewall > Parameters” ( see here for a complete explain ) - Choose the Network interface you want to protect.
- Turn on the Anti-DDOS option and click on Apply button.
This option will allow the Firewall to :
- Block Invalid Packets
- Block New Packets That Are Not SYN
- Block Uncommon MSS Values
- Block Packets With Bogus TCP Flags
- Block Packets From Private Subnets (Spoofing)
- Rejects connections from hosts that have more than 80 established connections
- Blocks fragmented packets
- Limits incoming TCP RST packets to mitigate TCP RST floods
- Mitigating SYN Floods With SYNPROXY