Firewalls and other stateful devices such as VPN gateways, IDPS and load balancers are susceptible to DDoS attacks. According to Netscout's Threat Intelligence Report, 83% of survey respondents indicated that their firewalls contributed to network and service outages and/or crashed during a DDoS attack. Why? Because they were never designed to stop DDoS attacks, in particular TCP state exhaustion DDoS attacks. Industry best practices recommend deploying stateless DDoS protection in front of the firewall to keep it, other stateful devices, and the services behind them from going down.