Your upstream link is 1 Gbps. The attack is 10 Gbps. Your edge router can’t help — the link is already saturated before packets reach you.
Edge DDoS mitigation isn’t about stopping massive volumetric attacks. It’s about protecting against smaller attacks, reducing collateral damage, and buying time until upstream mitigation kicks in.
Edge mitigation buys time. It’s not a complete solution, but it’s better than nothing.
What Edge Routers Can Do
Effective Against
- Application-layer attacks (HTTP, DNS)
- SYN floods (up to link capacity)
- Slowloris-style attacks
- Amplification from your network
- Small-scale volumetric attacks
Not Effective Against
- Attacks larger than your upstream link
- Sophisticated distributed attacks
- Attacks that saturate your ISP’s network
Rate Limiting
Basic Rate Limiting with Firewall
```
configure
# Rate limit incoming connections per source
set firewall ipv4 name WAN-IN rule 50 action drop
set firewall ipv4 name WAN-IN rule 50 recent count 100
set firewall ipv4 name WAN-IN rule 50 recent time minute
set firewall ipv4 name WAN-IN rule 50 state new
set firewall ipv4 name WAN-IN rule 50 description "Rate limit: 100 new conn/min/source"
commit
```
Rate Limit Specific Services
```
configure
# Rate limit SSH connections
set firewall ipv4 name WAN-LOCAL rule 100 action drop
set firewall ipv4 name WAN-LOCAL rule 100 destination port 22
set firewall ipv4 name WAN-LOCAL rule 100 protocol tcp
set firewall ipv4 name WAN-LOCAL rule 100 recent count 5
set firewall ipv4 name WAN-LOCAL rule 100 recent time minute
set firewall ipv4 name WAN-LOCAL rule 100 state new
set firewall ipv4 name WAN-LOCAL rule 100 description "SSH: Max 5 new conn/min/source"

# Allow SSH that passes rate limit
set firewall ipv4 name WAN-LOCAL rule 101 action accept
set firewall ipv4 name WAN-LOCAL rule 101 destination port 22
set firewall ipv4 name WAN-LOCAL rule 101 protocol tcp
set firewall ipv4 name WAN-LOCAL rule 101 state new
commit
```
Rate Limit DNS Queries
```
configure
# Protect DNS server from amplification abuse
set firewall ipv4 name WAN-IN rule 200 action drop
set firewall ipv4 name WAN-IN rule 200 destination port 53
set firewall ipv4 name WAN-IN rule 200 protocol udp
set firewall ipv4 name WAN-IN rule 200 recent count 50
set firewall ipv4 name WAN-IN rule 200 recent time second
set firewall ipv4 name WAN-IN rule 200 description "DNS: Max 50 queries/sec/source"
commit
```
Connection Limits
Limit Concurrent Connections
```
configure
# Limit connections per source IP
set firewall ipv4 name WAN-IN rule 60 action drop
set firewall ipv4 name WAN-IN rule 60 conntrack connection-limit source-mask 32
set firewall ipv4 name WAN-IN rule 60 conntrack connection-limit count 100
set firewall ipv4 name WAN-IN rule 60 state new
set firewall ipv4 name WAN-IN rule 60 description "Max 100 concurrent connections/IP"
commit
```
Conntrack Table Protection
```
configure
# Increase conntrack table size
set system conntrack table-size 524288

# Aggressive timeouts during attack
set system conntrack timeout tcp time-wait 30
set system conntrack timeout tcp close 10
set system conntrack timeout udp other 30
commit
```
SYN Flood Protection
SYN Cookies
```
# Enable SYN cookies (usually enabled by default)
configure
set system sysctl parameter net.ipv4.tcp_syncookies value 1
commit
```
SYN cookies let the kernel handle a SYN flood without exhausting the conntrack table.
SYN Rate Limiting
```
configure
# Limit SYN packets per source
set firewall ipv4 name WAN-IN rule 70 action drop
set firewall ipv4 name WAN-IN rule 70 protocol tcp
set firewall ipv4 name WAN-IN rule 70 tcp flags syn
set firewall ipv4 name WAN-IN rule 70 recent count 20
set firewall ipv4 name WAN-IN rule 70 recent time second
set firewall ipv4 name WAN-IN rule 70 description "SYN flood protection"
commit
```
Invalid Packet Dropping
Drop Malformed Packets
```
configure
# Drop invalid state packets
set firewall ipv4 name WAN-IN rule 1 action drop
set firewall ipv4 name WAN-IN rule 1 state invalid
set firewall ipv4 name WAN-IN rule 1 description "Drop invalid packets"

# Drop fragments (often used in attacks)
set firewall ipv4 name WAN-IN rule 2 action drop
set firewall ipv4 name WAN-IN rule 2 fragment match-frag
set firewall ipv4 name WAN-IN rule 2 description "Drop fragments"
commit
```
TCP Flag Validation
```
configure
# Drop XMAS scan
set firewall ipv4 name WAN-IN rule 3 action drop
set firewall ipv4 name WAN-IN rule 3 protocol tcp
set firewall ipv4 name WAN-IN rule 3 tcp flags fin,psh,urg
set firewall ipv4 name WAN-IN rule 3 description "Drop XMAS packets"

# Drop NULL scan
set firewall ipv4 name WAN-IN rule 4 action drop
set firewall ipv4 name WAN-IN rule 4 protocol tcp
set firewall ipv4 name WAN-IN rule 4 tcp flags !syn,!ack,!fin,!rst,!urg,!psh
set firewall ipv4 name WAN-IN rule 4 description "Drop NULL packets"
commit
```
Source Address Validation
Block Bogons
```
configure
# Block RFC 1918 from WAN
set firewall group network-group BOGONS network 10.0.0.0/8
set firewall group network-group BOGONS network 172.16.0.0/12
set firewall group network-group BOGONS network 192.168.0.0/16
set firewall group network-group BOGONS network 127.0.0.0/8
set firewall group network-group BOGONS network 0.0.0.0/8

set firewall ipv4 name WAN-IN rule 5 action drop
set firewall ipv4 name WAN-IN rule 5 source group network-group BOGONS
set firewall ipv4 name WAN-IN rule 5 description "Block bogon sources"
commit
```
uRPF (Unicast Reverse Path Forwarding)
```
configure
# Enable strict uRPF on WAN interface
set firewall interface eth0 in ipv4 urpf strict

# Loose mode (accepts if any route exists); pick one mode, not both
set firewall interface eth0 in ipv4 urpf loose
commit
```
Traffic Shaping (QoS)
Prioritize Legitimate Traffic
```
configure
# Traffic policy
set traffic-policy shaper WAN-OUT bandwidth 1gbit
set traffic-policy shaper WAN-OUT default bandwidth 50%
set traffic-policy shaper WAN-OUT default ceiling 100%
set traffic-policy shaper WAN-OUT default queue-type fair-queue

# High priority class
set traffic-policy shaper WAN-OUT class 10 bandwidth 30%
set traffic-policy shaper WAN-OUT class 10 ceiling 100%
set traffic-policy shaper WAN-OUT class 10 match SSH ip destination port 22
set traffic-policy shaper WAN-OUT class 10 match ICMP ip protocol icmp

# Apply to interface
set interfaces ethernet eth0 traffic-policy out WAN-OUT
commit
```
Emergency Response
Quick Blocks During Attack
```
# Block specific attacking IP immediately
configure
set firewall ipv4 name WAN-IN rule 10 action drop
set firewall ipv4 name WAN-IN rule 10 source address 203.0.113.100
commit

# Block attacking network
set firewall ipv4 name WAN-IN rule 11 action drop
set firewall ipv4 name WAN-IN rule 11 source address 203.0.113.0/24
commit
```
Block by Country (GeoIP)
```
# VyOS doesn't have native GeoIP
# Use external IP lists

# Download country IP ranges
# Add to firewall group
set firewall group network-group BLOCKED-COUNTRY network x.x.x.x/xx
# ... many entries

set firewall ipv4 name WAN-IN rule 20 action drop
set firewall ipv4 name WAN-IN rule 20 source group network-group BLOCKED-COUNTRY
```
Monitoring During Attack
Watch Connection States
```
# Monitor conntrack
watch -n 1 'cat /proc/sys/net/netfilter/nf_conntrack_count'

# Show connections by source
sudo conntrack -L | awk '{print $5}' | cut -d= -f2 | sort | uniq -c | sort -rn | head -20
```
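The one-liner above reports the destination rather than the source for UDP and ICMP entries, because `conntrack -L` prints a TCP state column that those lines lack, so field 5 is `dst=` for them. As an added example that is not part of the original article, this Python script counts per-source entries by matching the first `src=` field instead, skips an allowlist, and emits VyOS drop rules in the same WAN-IN style as the emergency blocks later on this page; the sample conntrack lines are constructed, and the rule numbers, description and allowlist are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `conntrack -L` output (not captured from a real router).
# tcp lines carry a state column before the first src=, udp/icmp lines do not,
# so a fixed awk '{print $5}' returns the destination for UDP flows.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=51000 dport=443 src=198.51.100.5 dst=203.0.113.10 sport=443 dport=51000 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=203.0.113.10 dst=198.51.100.5 sport=51001 dport=443 [UNREPLIED] src=198.51.100.5 dst=203.0.113.10 sport=443 dport=51001 mark=0 use=1
udp      17 29 src=203.0.113.20 dst=198.51.100.5 sport=40000 dport=53 src=198.51.100.5 dst=203.0.113.20 sport=53 dport=40000 mark=0 use=1
udp      17 29 src=203.0.113.20 dst=198.51.100.5 sport=40001 dport=53 [UNREPLIED] src=198.51.100.5 dst=203.0.113.20 sport=53 dport=40001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.7 dst=198.51.100.5 sport=22222 dport=22 src=198.51.100.5 dst=192.0.2.7 sport=22 dport=22222 [ASSURED] mark=0 use=1
"""

# The first "src=" on a line is the original (client -> server) direction.
SRC_RE = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})")

def count_sources(conntrack_output):
    """Count conntrack entries per original-direction source IP, any protocol."""
    counts = Counter()
    for line in conntrack_output.splitlines():
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold, allowlist=()):
    """Sources with more than `threshold` entries, minus an allowlist (monitoring
    hosts, upstream resolvers, your own NAT pool) so busy legitimate peers survive."""
    return sorted(ip for ip, n in counts.items()
                  if n > threshold and ip not in allowlist)

def vyos_block_commands(ips, first_rule=10, fw_name="WAN-IN"):
    """Emit one VyOS drop rule per source; rule numbers and description are assumed."""
    cmds = []
    for i, ip in enumerate(ips):
        r = first_rule + i
        cmds.append(f"set firewall ipv4 name {fw_name} rule {r} action drop")
        cmds.append(f"set firewall ipv4 name {fw_name} rule {r} source address {ip}")
        cmds.append(f'set firewall ipv4 name {fw_name} rule {r} description "auto-block"')
    return cmds

if __name__ == "__main__":
    import sys
    # Feed real data with: sudo conntrack -L 2>/dev/null | python3 conntrack_block.py
    data = SAMPLE_CONNTRACK if sys.stdin.isatty() else sys.stdin.read()
    for cmd in vyos_block_commands(offenders(count_sources(data), threshold=1)):
        print(cmd)
```

The threshold of 1 only suits the five constructed lines; on a real router start from the page's 1000 and tune it against your measured baseline.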
```
# Show firewall counters
watch -n 1 'show firewall'
```
Traffic Analysis
```
# Monitor interface traffic
watch -n 1 'show interfaces ethernet eth0'

# Capture attack traffic
sudo tcpdump -i eth0 -c 1000 -w /tmp/attack.pcap

# Quick packet rate estimate
timeout 10 tcpdump -i eth0 -c 10000 2>&1 | tail -1
```
What To Do When Overwhelmed
1. Contact Upstream Provider
```
# Your ISP can:
# - Apply upstream ACLs
# - Activate DDoS scrubbing
# - Null route attacking traffic

# Have their NOC number ready!
```
2. Enable Upstream Blackhole
```
# Advertise your prefix with blackhole community
# Traffic dropped at ISP, saves your link

# See RTBH article for details
```
3. Use DDoS Protection Service
Services like Cloudflare, Akamai, AWS Shield:
- Route traffic through their scrubbing centers
- They absorb the attack and send clean traffic to you
- Works for attacks much larger than your capacity
Best Practices
1. Prepare Before Attack
```
# Have emergency playbook ready
# Know your upstream NOC contact
# Pre-configure blocking rules (disabled)
# Monitor baseline traffic patterns
```
2. Layer Your Defense
```
Layer 1: Upstream ISP (volumetric)
Layer 2: Edge router (smaller attacks)
Layer 3: Application firewall (app-layer)
Layer 4: Application hardening
```
3. Automate Response
```bash
#!/bin/bash
# Script to block high-traffic sources
THRESHOLD=1000  # connections
for ip in $(sudo conntrack -L | awk '{print $5}' | cut -d= -f2 | sort | uniq -c | awk -v t="$THRESHOLD" '$1 > t {print $2}'); do
  echo "Blocking $ip"
  # Add firewall rule
done
```
The Lesson
Edge mitigation buys time. It’s not a complete solution.
What edge routers can do:
- Rate limit connections
- Drop invalid traffic
- Block known attackers
- Protect specific services
What edge routers can’t do:
- Stop attacks larger than your pipe
- Replace upstream scrubbing
- Handle sophisticated multi-vector attacks
Build defense in depth:
- Upstream DDoS protection for volumetric
- Edge rate limiting for application-layer
- Application hardening for everything else
The edge router is one layer. Make it effective, but don’t rely on it alone.