Firewalls and other stateful devices such as VPN gateways, IDPS and load balancers are susceptible to DDoS attacks. According to NETSCOUT's Threat Intelligence Report, 83% of survey respondents indicated that network and service outages and/or crashes were attributed to their firewalls during a DDoS attack. Why? Because these devices were never designed to stop DDoS attacks – in particular, TCP state exhaustion DDoS attacks. Industry best practices recommend that you deploy stateless DDoS protection in front of the firewall to protect it, other stateful devices, and the services behind them from going down.