As of 2025, Next-Generation Firewalls (NGFWs) are a non-negotiable component of enterprise security, providing essential Layer 7 threat prevention. However, a critical question for architects is how these complex, stateful devices perform under the brute-force pressure of a volumetric Distributed Denial of Service (DDoS) attack. This Tremhost Labs report investigates this scenario through a controlled stress test.
Our findings are conclusive: under a sustained 10 Gbps DDoS attack, the throughput of legitimate traffic on a mid-range enterprise NGFW dropped by over 85%, while latency for user requests increased by more than 1,500%. The device’s CPU quickly hit 99% utilization, causing its advanced threat inspection capabilities to become unstable.
The key insight for decision-makers is that while NGFWs are vital for inspecting traffic, they are not designed to be a frontline defense against volumetric DDoS attacks. In fact, their own stateful architecture becomes a bottleneck and a point of failure. The only viable strategy is a layered defense where the NGFW is shielded by a dedicated, upstream DDoS mitigation service.
Background
The modern security landscape presents two distinct challenges: sophisticated, application-layer attacks (like SQL injection or malware) and massive, brute-force volumetric attacks (like UDP floods). NGFWs were designed primarily to solve the first challenge through deep packet inspection (DPI), intrusion prevention systems (IPS), and application awareness.
This report tests the inherent conflict between that deep inspection design and the overwhelming nature of a volumetric DDoS attack. For businesses in developing digital economies like Zimbabwe, where a single on-premise firewall often represents a significant security investment, understanding its breaking point is critical for ensuring business continuity.
Methodology
This benchmark was conducted in a controlled lab environment within Tremhost’s infrastructure to simulate a realistic attack scenario.
- Test Subject: A leading mid-range enterprise NGFW virtual appliance, configured with 8 vCPUs and 32 GB of RAM. The appliance is rated by its vendor for up to 10 Gbps of threat prevention throughput. All advanced features (Application ID, IPS, Anti-Malware) were enabled, mirroring a typical production deployment.
- Test Environment: A virtualized network with three components:
  - An Attack Traffic Generator simulating a 10 Gbps UDP flood, a common DDoS vector.
  - A Legitimate Traffic Generator simulating 10,000 users accessing web applications and APIs behind the firewall.
  - A Protected Server Farm hosting the applications.
- Test Scenarios:
  - Baseline Scenario: Only legitimate traffic was sent through the NGFW to measure its maximum “goodput” and baseline latency.
  - DDoS Scenario: The legitimate traffic ran concurrently with the sustained 10 Gbps DDoS attack.
- Key Metrics:
  - Goodput: The volume of legitimate traffic successfully transiting the firewall.
  - NGFW CPU Load: The CPU utilization of the firewall appliance itself.
  - HTTP Latency: The round-trip time for a legitimate user to get a response from a web server.
  - Feature Stability: Whether Layer 7 inspection features remained operational during the test.
Results
The performance degradation of the NGFW under the DDoS attack was immediate and severe.
| Metric | Baseline (No Attack) | Under 10 Gbps DDoS Attack | Performance Degradation |
|---|---|---|---|
| Legitimate Throughput (Goodput) | 7.8 Gbps | 1.1 Gbps | -85.9% |
| NGFW CPU Load | 35% | 99% (Sustained) | +182% |
| HTTP Request Latency | 25 ms | 410 ms | +1540% |
| Stateful Connections Dropped | 0 | > 50,000 per minute | N/A |
| Layer 7 Threat Prevention | Fully Operational | Intermittent Failure | Unstable |
Analysis
The data reveals why NGFWs are fundamentally unsuited to be a primary DDoS defense. The core issue is stateful exhaustion.
An NGFW is a stateful device, meaning it allocates a small amount of memory and CPU to track every single connection that passes through it. A volumetric DDoS attack, which consists of millions of packets per second from thousands of spoofed IP addresses, overwhelms this capability: because each new spoofed source and port combination looks like a new flow (even for connectionless UDP, which the firewall tracks as pseudo-connections), the state table fills almost instantly, and CPU usage skyrockets as the device futilely tries to look up, create and classify state for a flood of meaningless packets.
As the CPU hits 99%, the device has no remaining cycles to perform its valuable, processor-intensive tasks—like deep packet inspection and signature matching—on the legitimate traffic. Consequently, goodput collapses, latency for real users skyrockets, and the advanced security features themselves begin to fail. The NGFW, in its attempt to inspect everything, becomes the very bottleneck that brings the network down. It is trying to apply a complex, surgical tool to a problem that requires a simple, massive shield.
Actionable Insights & Architectural Recommendations
- Define the NGFW’s Role Correctly: An NGFW is an application-layer guardian, not a volumetric shield. Its purpose is to sit in the path of clean, legitimate traffic and inspect it for sophisticated threats. It should be the last line of defense for your servers, not the first line of defense for your network edge.
- Implement a Layered, Defense-in-Depth Architecture: The only effective strategy is to place a dedicated DDoS mitigation solution in front of your NGFW.
  - Layer 1: Cloud/Upstream Scrubbing: Employ a cloud-based DDoS mitigation service (e.g., from providers like Cloudflare, Akamai, or your upstream transit provider). These services have massive global networks designed to absorb and filter volumetric attacks before they ever reach your infrastructure.
  - Layer 2: On-Premise NGFW: Your firewall sits behind this scrubbing service. It receives a clean feed of pre-filtered traffic and can dedicate its resources to its core competency: finding and blocking advanced threats.
- Regional Context for Zimbabwe: For businesses operating with critical but finite international bandwidth, this layered approach is even more vital. Relying solely on an on-premise firewall to stop a DDoS attack means the attack traffic will saturate your internet links long before the firewall itself fails. Using a cloud scrubbing service with Points of Presence (PoPs) in South Africa or Europe moves the fight off your infrastructure and preserves your local bandwidth for legitimate business operations.
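To make the stateful-exhaustion mechanism from the Analysis and the layered defense recommended above concrete, here is an added toy simulation; it is not part of the Tremhost report or its lab harness, and the class `StatefulNGFW`, the functions `traffic`, `upstream_scrub` and `compare`, the packet costs, table size and traffic rates are all constructed assumptions chosen to show the mechanism, not to reproduce the measured numbers.

```python
"""Toy model of stateful exhaustion in an NGFW under a spoofed UDP flood.
Constructed illustration: every packet costs a state-table lookup, the table
has a fixed capacity, and only legitimate TCP is deep-inspected (Layer 7)."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dport")

class StatefulNGFW:
    def __init__(self, table_capacity=100_000, cycles_per_sec=2_000_000,
                 state_cost=4, inspect_cost=40):
        self.table_capacity, self.cycles_per_sec = table_capacity, cycles_per_sec
        self.state_cost, self.inspect_cost = state_cost, inspect_cost

    def process_second(self, packets):
        """Return goodput (legit packets forwarded), legit refused, CPU utilisation."""
        table, cycles, good, refused = set(), 0, 0, 0
        for p in packets:
            cycles += self.state_cost               # lookup happens even for junk
            if cycles > self.cycles_per_sec:        # CPU saturated: tail-drop everything
                refused += 1 if p.proto == "tcp" else 0
                continue
            key = (p.proto, p.src, p.dport)
            if key not in table:
                if len(table) >= self.table_capacity:
                    refused += 1 if p.proto == "tcp" else 0   # table full: new flow refused
                    continue
                table.add(key)                       # UDP gets a pseudo-connection entry too
            if p.proto == "tcp":                     # legitimate HTTPS: pay for L7 inspection
                cycles += self.inspect_cost
                if cycles > self.cycles_per_sec:
                    refused += 1
                    continue
                good += 1
        return {"goodput": good, "refused": refused,
                "cpu": min(cycles, self.cycles_per_sec) / self.cycles_per_sec}

def traffic(legit_pps, flood_pps, users=10_000):
    """One second of traffic: each legit packet interleaved with its share of flood packets."""
    pkts, spoofed = [], 0
    for i in range(legit_pps):
        pkts.append(Packet("tcp", f"user{i % users}", 443))
        for _ in range(flood_pps // legit_pps):     # unique spoofed source per flood packet
            pkts.append(Packet("udp", f"spoof{spoofed}", 20_000 + spoofed % 40_000))
            spoofed += 1
    return pkts

def upstream_scrub(packets, allowed_udp=frozenset({53, 123})):
    """Layer 1: the scrubbing service drops UDP to ports the site does not serve."""
    return [p for p in packets if p.proto != "udp" or p.dport in allowed_udp]

def compare(legit_pps=20_000, flood_pps=500_000):
    """Baseline vs. NGFW alone under flood vs. NGFW behind an upstream scrubber."""
    fw = StatefulNGFW()
    base = fw.process_second(traffic(legit_pps, 0))
    attacked = fw.process_second(traffic(legit_pps, flood_pps))
    layered = fw.process_second(upstream_scrub(traffic(legit_pps, flood_pps)))
    return base, attacked, layered
```

Running `compare()` shows the flood pinning CPU at 100% and refusing most legitimate requests, while the scrubbed feed leaves the NGFW's goodput and CPU identical to the baseline.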
In conclusion, this Tremhost Labs report confirms a critical architectural principle: Do not ask your NGFW to do a job it was not designed for. Protect your investment in advanced threat prevention by ensuring it is never exposed directly to the brute force of a volumetric DDoS attack.