Anti DDOS - Firewall Advanced Settings

[opnsenseuser]

1. What is the difference between the 3 setting options of Anti DDOS?
2. Can someone explain when it makes sense to activate Anti DDOS or what should be considered when activating it?
3. Is there a documentary about it?
4. Is there a log?

thx

[xpendable]

As far as I know it's all based around the usage of the state table, if there is a DDOS attack your state table would start to fill up with waiting connections. See this previous link with some explanation to each setting: https://forum.opnsense.org/index.php?topic=28579.0

I have mine set to adaptive with the default values, FYI I noticed a while back if you set syncookies to always that the zenarmor console would fail to load. I reported that to the zenarmor team but don't know if they ever created a work around for that issue.

[Supermule]

Problem is that it doesnt help with DDoS.

You can easily make a L7 Denial of Service without the state table filling up in the FW.

[opnsenseuser]

Thank you both for the information.
I don't think I use it. Seems to be more of a problem, at least in terms of compatibility and performance and purpose, than useful.

[Supermule]

Suricata detects DDoS as well and can handle them quite well running inline.

Issue with that is that the logs cant be written fast enough and it kills the FW quite fast.

Disable Suricata and it can handle DDoS quite well or disable logging written to the FW log.