FORTINET FORTIGATE 100A vs Cisco Rv320


Manciu

New Around Here
Hello all, can you tell me which one is better against DDoS attacks or any other attacks? I want to host a MuOnline server, a WoW server... so I'd be better protected, I hope, from flood attacks.

I've never used any of these products, so I'll appreciate any advice.
 
Neither is better, though the Cisco would have better features.

Even ASUS has already reached Cisco's low end in features, but they both differ in focus.

I'm not sure about the Fortinet though; I would suggest checking the hardware and what the firmware is based on.

The best way to protect against DDoS is with a configurable router, as you can then limit the rate and also drop extras or even redirect. However, regardless of any router, you won't be able to protect your WoW server from DDoS, and although configurable ones like Cisco IOS/MikroTik/Linux server can help, they are not foolproof in protecting a service. So your game server would need the firewall for it.
 
The FortiGate 100A has been discontinued for almost 10 years.
Specs are 100 Mb/s throughput and between 20-70 Mb/s with services turned on.
Max connections is 4k/s.
The only spec on it that's decent is the max simultaneous connections at 200k... but that's just due to the amount of RAM in the unit, not the CPU.

The RV320, just due to being a supported device, gets my vote.
 
So I can't protect against or maybe stop a DDoS attack? Of course I know big, big DDoS attacks nobody can stop, but still, can't the RV320 stop maybe medium attacks? I didn't believe people would get all over me to attack me that strongly.
 
The FortiGate 100A has been discontinued for almost 10 years.
Specs are 100 Mb/s throughput and between 20-70 Mb/s with services turned on.
Max connections is 4k/s.
The only spec on it that's decent is the max simultaneous connections at 200k... but that's just due to the amount of RAM in the unit, not the CPU.

The RV320, just due to being a supported device, gets my vote.

Probably none of the above - someone points a DDoS ion cannon at a server, especially one hosted from a home endpoint - the best that one can hope for is to keep things up and running, and weather the storm...
 
A decent UTM firewall should be able to stop DDoS attacks if the attack does not saturate your internet connection. If the DDoS attack is large enough to saturate your internet connection, then it needs to be stopped before it gets to you. There are proxy-type services you can use to run your internet through that have very large internet bandwidth and the hardware to take care of DDoS attacks in many instances.
 
A decent UTM firewall should be able to stop DDoS attacks if the attack does not saturate your internet connection. If the DDoS attack is large enough to saturate your internet connection, then it needs to be stopped before it gets to you. There are proxy-type services you can use to run your internet through that have very large internet bandwidth and the hardware to take care of DDoS attacks in many instances.

The issue won't be with stopping DDoS to the router but to the server. DDoS mitigation can help, but the main target would be his server, and that is something he can't redirect normally, not unless you implement a script to add the offending address to the router's list to redirect, but it still doesn't solve DDoS entirely. The game server service itself could be vulnerable, and there wouldn't be much you could do about it.

If you're using NAT, then a configurable router can be used to stop DDoS to the router itself and perform some filtering for your server.
You then need to use a firewall on the server itself for DDoS protection and for configuring the service. An automated blacklist is also very important.

If you look at my example firewall rules for MikroTik, they do actually have some DDoS protection if they use TCP, an automated blacklist against hack attempts, and MikroTik has an API so you could update the blacklist to have the router drop on the forwarding chain. The setup will work with other configurable routers.

For non-TCP DDoS protection you will need sufficient internet to handle it. They could still fill up your download with useless packets, but that will fill up your internet. Having multiple WAN links can help, and you would then need to do some manual load balancing so you could have one connection to initiate things and then redirect the connection to the other WAN. It's what cloud host providers do: the domain goes to their redirection server, which redirects if it is not an attack.

DDoS protection is tricky and there isn't a 100% solution, but you can protect against most forms of attack. A UTM can't do much to protect the server because it can only see whether a connection is valid or not, but not for the hosted service. What a UTM does give is more protection against other things. However, none of the routers you asked about will do the job; you need something configurable like a full UTM, Linux server, pfSense, MikroTik, Cisco IOS, or higher-end Juniper. When protecting against DDoS you need more hardware resources than your attackers, so choose something with lots of CPU and RAM. Multiple internet connections can help too.
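The "limit the rate and drop extras" idea and the automated blacklist described in the posts above, shown as an added example that is not code from the thread, from MikroTik or from any other vendor: a sliding-window counter over firewall log lines that decides which source addresses the router's drop list should receive and for how long. The log format, the sample lines, and the thresholds (5 SYNs per second, 60-second ban) are all constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines in a hypothetical syslog-style format (not a vendor's).
SAMPLE_LOG = """\
1000.00 SRC=203.0.113.5 PROTO=TCP FLAGS=SYN
1000.10 SRC=10.0.0.9 PROTO=TCP FLAGS=SYN
1000.15 SRC=10.0.0.9 PROTO=TCP FLAGS=SYN
1000.20 SRC=10.0.0.9 PROTO=TCP FLAGS=SYN
1000.25 SRC=10.0.0.9 PROTO=TCP FLAGS=SYN
1000.30 SRC=10.0.0.9 PROTO=TCP FLAGS=SYN
1000.32 SRC=10.0.0.9 PROTO=UDP
1000.35 SRC=10.0.0.9 PROTO=TCP FLAGS=SYN
1000.40 SRC=10.0.0.9 PROTO=TCP FLAGS=ACK
1001.50 SRC=203.0.113.5 PROTO=TCP FLAGS=SYN
1002.00 SRC=198.51.100.7 PROTO=TCP FLAGS=SYN
1002.20 SRC=198.51.100.7 PROTO=TCP FLAGS=SYN
1002.40 SRC=198.51.100.7 PROTO=TCP FLAGS=SYN
1002.60 SRC=198.51.100.7 PROTO=TCP FLAGS=SYN
1002.80 SRC=198.51.100.7 PROTO=TCP FLAGS=SYN
"""
LINE_RE = re.compile(r"^(?P<ts>[\d.]+) SRC=(?P<src>[\d.]+) PROTO=(?P<proto>\w+)(?: FLAGS=(?P<flags>\w+))?")

class SynRateLimiter:
    """Ban a source once it sends more than max_syn SYNs within window_s seconds."""
    def __init__(self, max_syn=5, window_s=1.0, ban_s=60.0):
        self.max_syn, self.window_s, self.ban_s = max_syn, window_s, ban_s
        self.recent = defaultdict(deque)  # src -> timestamps of SYNs inside the window
        self.banned = {}                  # src -> time at which the ban expires
        self.dropped = 0                  # packets discarded because of an active ban

    def observe(self, ts, src, proto, flags):
        """Return True when the packet should be dropped (banned or newly banned)."""
        if ts < self.banned.get(src, 0.0):
            self.dropped += 1
            return True
        self.banned.pop(src, None)        # discard an expired ban, if any
        if proto != "TCP" or flags != "SYN":
            return False                  # only new-connection attempts are counted
        q = self.recent[src]
        while q and q[0] <= ts - self.window_s:
            q.popleft()                   # slide the window forward
        q.append(ts)
        if len(q) > self.max_syn:         # exactly max_syn is still tolerated
            self.banned[src] = ts + self.ban_s
            q.clear()
            return True
        return False

def run(log_text, **kw):
    lim = SynRateLimiter(**kw)            # replay the log; return (bans, dropped count)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lim.observe(float(m["ts"]), m["src"], m["proto"], m["flags"])
    return lim.banned, lim.dropped
```

Only 10.0.0.9 crosses the threshold (six SYNs in 250 ms); 198.51.100.7 sends exactly five inside one second and is left alone, which is the kind of margin that keeps a legitimate client from being blacklisted by a burst of reconnects.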
 
So what do I have to buy now? BTW I have a fiber link, and if I go business they will give me more IPs, if that will help...
  • download 1000 Mbps
  • upload 200 Mbps
  • upload lan 200 Mbps
  • PPPoE

I need to buy something cheap; I can't spend thousands of dollars. Maybe someone can help me here, you guys have more experience.

Thanks
 
The MikroTik CCR1009 is a very good router, but they require skill to configure.
Ubiquiti EdgeRouter 8/Pro
x86-based solutions such as pfSense, a Linux/Unix server such as making your own BSD firewall, or UTMs

For x86 you want a fast processor, so avoid the cut-down or lower-power ones like Intel Atoms. The naming schemes have changed, but you want a processor that is Intel's main architecture rather than their small variants. This gives you a lot more CPU power, even for an i3, to handle your internet and DoS attacks. Intel server NICs in the computer are also important, and you can go for second-hand NICs. For the AMD equivalent, at least a Phenom II or even Bulldozer architecture, but you still need to use an Intel NIC.

For that speed, not many embedded UTMs or firewalls at the lower price point can handle it. The MikroTik CCR1009 is way faster than the Ubiquiti EdgeRouter and you have more flexibility. It's plenty fast, so you can go nuts with rules and filtering while still getting your WAN speed, just like with a good x86 computer. Both the Ubiquiti and x86 methods can have other software installed, but even though the EdgeRouter will run other things like Squid proxy, it doesn't do so at your WAN speeds. With x86 you can install extra software like ClamAV for antivirus and lots of other things to get a complete solution, but it is more work starting out with a Linux/Unix server and getting everything installed and configured.
 
The issue won't be with stopping DDoS to the router but to the server. DDoS mitigation can help, but the main target would be his server, and that is something he can't redirect normally, not unless you implement a script to add the offending address to the router's list to redirect, but it still doesn't solve DDoS entirely. The game server service itself could be vulnerable, and there wouldn't be much you could do about it.

Not sure what you mean by this. That is exactly what a good UTM does. A regular firewall, I agree, will be limited in what it can stop to the host computer. A UTM that has IDS/IPS should be able to stop most DDoS attacks to anything internal to the firewall. Both the Cisco ASA we have at work and my Untangle box at home can stop most DDoS attacks directed at anything behind the firewall.

OP, as far as complexity, it helps if you know a little something about routers and networks. Out of the box, many UTMs don't have some (or many, in Untangle's case) of their signatures and rules turned on in the IPS module because they don't want to block too much. They often need adjusting once you put them into production and have them running for a bit.
You will definitely need some processing power with the speed of internet line you (OP) have. Personally, I would get my own hardware and load firewall/UTM software on it. That would be the least expensive way to get a robust firewall. For example, you can purchase this with a small hard drive like this, and have a powerful hardware platform for a firewall, for less than $275. Then add UTM software of your choice, or firewall software with decent IDS/IPS protection.
While this still cannot guarantee 100% blockage of DDoS attacks, most can be blocked. For example, Untangle has 167 rules specifically for DoS attacks. There may be an attack that does not fit one of those rules, but most attacks would fit one of those rules and Untangle would take action to stop it.
If you don't want to have to put in an advanced UTM or IPS/IDS firewall, then there are services that can stop DDoS for you. You proxy through them. One such service is Cloudflare. They have some pricing on their website, but they also provide specific services, like DDoS protection, that you would need to contact them to get a price for.
 
I have this server

http://olx.ro/oferta/dell-poweredge-2900-ii-vand-schimb-ID5qms0.html

A friend told me to buy a Cisco router because they come with a firewall for protection, so I understand you can't stop 100% of DDoS attacks, but still there has to be something cheap to buy, let's say $200 max; I don't want to buy something to pay per month...

I've used Cloudflare and OVH, but I quit on them because it's too expensive to pay per month; that is why I'm searching for something to buy one time, or free products that some use and say may work, not perfectly, but work. My internet provider told me they can give me protection, only the one they have for free, but that is weak, so weak.

BTW I've found a Cisco ASA5505-BUN-K9 brand new for 100 euro but... it has no warranty.
 
A friend told me to buy a Cisco router because they come with a firewall for protection, so I understand you can't stop 100% of DDoS attacks, but still there has to be something cheap to buy, let's say $200 max; I don't want to buy something to pay per month...

I've used Cloudflare and OVH, but I quit on them because it's too expensive to pay per month; that is why I'm searching for something to buy one time, or free products that some use and say may work, not perfectly, but work. My internet provider told me they can give me protection, only the one they have for free, but that is weak, so weak.

I think you're missing the entire point of the thread...

Can't stop a DDoS attack - that takes action on the person/group initiating it - the best that one can hope for is to, again, weather the storm and try to mitigate the damage...

DDoS generally works through saturation and resource starvation - in other words, sending a shedload of packets to blow things up (crashing daemons or causing them to do nothing but service those packets) or sending enough traffic down the pipe that nothing else can get through upstream or downstream.

And it really doesn't matter what router/architecture you have - so MikroTik/EdgeRouters/pfSense, or any consumer-land router/AP - it's not going to stop it... the higher-end prosumer devices (uTik/ERL/PFS) will likely stay online; consumer stuff will likely fall over and die depending on how bad the attack is.

I've been there/done that with a concentrated DDoS attack - survived it, but this was on a 12*10GB link against 12 SMTP servers, and there, it still impacted two carrier/enterprise routers and 12 1U 2-socket (24 cores per server) Xeons.

If one can change to a new IP for the endpoint under attack - that can help... HAProxy can also help, but that's probably out of scope for the SNB community.
 
I agree that if the DDoS attackers are good enough there is no stopping it. You will not have a big enough pipe. Buy the Cisco RV320 router since it is currently supported. It will provide you some protection with current updates for the firmware.
 
The good firewalls can stop TCP-based DDoS very easily using tarpit, and it really works. I have been DDoSed by an advertisement botnet once on HTTP, and tarpit really did solve it using MikroTik. My ISP being as it is makes it very difficult to secure any servers (and the server not following configs - buggy). Linux has the option of tarpit as well, but I'm not sure Ubiquiti has, as any TCP-based connection can be slowed with tarpit. For other, non-TCP-based attacks a UTM could help.

Go with a Linux server/UTM distro and get it configured properly; it will help in most cases. The Cisco RV won't keep up with your connection and doesn't offer the protection you need; it's mainly meant for small groups who aren't hosting public servers, so if you're like every other home or business that doesn't need a public server and has everything behind NAT, then that's where the Cisco RV is meant to be used. It is Cisco's worst product and I would never recommend it to anyone, also because it doesn't offer any of the features that Cisco IOS does (it doesn't run Cisco IOS). Sure, using a Linux server or full UTM requires more skill and effort to configure, but it's actually cheaper and faster than using a Cisco RV. When people buy Cisco they expect quality, so when they see the Cisco RV they think it offers the quality that Cisco's high-end products running Cisco IOS have, when it doesn't. If you want to go with a Cisco RV, why not look at Linksys, as they're virtually the same product type and company.

I've seen many SSH ports open to the net. Sure, SSH is secure, and if you use certs people can't hack in and you can log in remotely, but what an exposed SSH does is allow a DDoS: even with the limit of 3 logins, if 1000 machines try at the same time it will use much, much more CPU, so a Cisco RV or any consumer router will crash/hang because they lack the CPU power needed to even handle it, and even if it is a good router that won't crash, all the resources would be used so that the network comes to a standstill. If you are hosting a public server you would need to learn the skills not only for setting up and managing the public server but your network as well. Don't go with the non-configurable options like the Cisco RV; all the Cisco RV series have slow CPUs, even slower than the EdgeRouters despite being the same hardware platform. The Cisco RV has DoS protection like any other consumer router now, but not DDoS. My criticism of the Cisco RV isn't just the slower CPU and unstable platform/firmware but also that it doesn't offer any advantage over a consumer router, and even ASUS has surpassed the Cisco RV.

I'm sure your friend meant higher-end Cisco, because the low end like the Cisco RV has the same amount of protection as a consumer router, or he probably doesn't understand networking properly.
 
The good firewalls can stop TCP-based DDoS very easily using tarpit, and it really works. I have been DDoSed by an advertisement botnet once on HTTP, and tarpit really did solve it using MikroTik.

When I got blasted by the DDoS botnet, it was total bandwidth saturation for days on end - think of it as being on the wrong end of a full-force firehose... we ended up standing up new temp servers at a colo site until the deluge stopped...
 
The Cisco RV has DoS protection like any other consumer router now, but not DDoS. My criticism of the Cisco RV isn't just the slower CPU and unstable platform/firmware but also that it doesn't offer any advantage over a consumer router, and even ASUS has surpassed the Cisco RV.
I'm sure your friend meant higher-end Cisco, because the low end like the Cisco RV has the same amount of protection as a consumer router, or he probably doesn't understand networking properly.

I think Cisco cares more about security than ASUS does, even in their RV series. Cisco has a lot more networking experience behind them than ASUS does. Cisco may not write the code for the RV series, but they set the requirements for the contracts and the goals which need to be met. I am sure Cisco has better testing methods, considering the high-level networking gear they produce. I am also sure there is a fine line in what the RV series is allowed to do, to keep from encroaching on their high-end gear, which they make more money on.

I don't think a tarpit will save you if the DDoS attack exceeds your bandwidth.
 
Tarpit helps if the attack is TCP-based, and one of its characteristics is that it slows the attack so that nothing gets transmitted, and frees up bandwidth by using up the attacker's resources.
 
I don't doubt it will help. It's just that you have no control over your download bandwidth. Once your download bandwidth fills, you will have a very hard time getting anything through.
 
Tarpit helps if the attack is TCP-based, and one of its characteristics is that it slows the attack so that nothing gets transmitted, and frees up bandwidth by using up the attacker's resources.

For that very reason, many DDoS attacks are UDP, hence freeing up the attackers to put even more resources on the target's downstream leg...
 
For that very reason, many DDoS attacks are UDP, hence freeing up the attackers to put even more resources on the target's downstream leg...

In terms of resources, UDP uses a lot less processing power and less bandwidth than TCP. A few simple tricks could help, but it's not entirely reliant on one device: multiple WANs, redirections, switch-level blocking (requires the ISP/host to provide this), changing a few IP settings.
 