101 · Question #462
Data centers often rely on either traditional firewalls or next generation firewalls. Select the core weakness of the traditional or next generation firewalls when it comes to DDoS attacks.
The correct answer is A. They are limited in amount of connections per second and the amount of sustained connections. Both traditional and next-generation firewalls are stateful devices that maintain a connection table, which makes them susceptible to resource exhaustion under DDoS attack volumes. Their fundamental architectural limit is the finite number of connections per second they can estab
Question
Data centers often rely on either traditional firewalls or next generation firewalls. Select the core weakness of the traditional or next generation firewalls when it comes to DDoS attacks.
Options
- AThey are limited in amount of connections per second and the amount of sustained connections
- BThe cost performance ratio of next generation firewalls is too high.
- CThe agility of traditional firewalls is too limited when it comes to DDoS attacks.
- DData center traffic is primarily outbound.
How the community answered
(28 responses)- A86% (24)
- B4% (1)
- C4% (1)
- D7% (2)
Why each option
Both traditional and next-generation firewalls are stateful devices that maintain a connection table, which makes them susceptible to resource exhaustion under DDoS attack volumes. Their fundamental architectural limit is the finite number of connections per second they can establish and the total concurrent connections they can sustain.
Firewalls - whether traditional or next-generation - must track every TCP/UDP connection in a state table. A DDoS attack such as a SYN flood or connection flood can exhaust the finite connections-per-second processing rate and the maximum concurrent session capacity, causing the firewall itself to become the bottleneck or failure point rather than protecting downstream resources.
Cost-performance ratio is a procurement consideration and not a technical weakness related to how firewalls handle DDoS traffic volumes.
Describing traditional firewalls as lacking 'agility' is too vague and does not identify the specific technical mechanism by which DDoS attacks overwhelm firewall resources.
Data center traffic is not primarily outbound; DDoS attacks exploit inbound traffic, and this statement does not describe a firewall architectural weakness.
Concept tested: Firewall stateful connection table DDoS vulnerability
Source: https://www.f5.com/solutions/use-cases/ddos-protection
Topics
Community Discussion
No community discussion yet for this question.