Question about how to define network equipment


I have seen a discussion about DDoS Mitigation in this list.

Someone referenced Juniper SRX equipment as good equipment to prevent
DDoS attacks.

Like Juniper SRX, other players like Fortinet have some hardware-based
(FortiGate) appliances to provide great throughput, DDoS mitigation, UTM
features, etc. E.g. the recent FortiGate 1240B.

My question about these products is related to a combination of
performance parameters that I really do not understand.

Let's use Juniper SRX as an example:

Juniper SRX has (from Juniper's web site):

Firewall performance (max)
1.5 Gbps

Maximum concurrent sessions
64 K (512 MB DRAM) / 128 K (1 GB DRAM)

New sessions/second (sustained, TCP, 3-way)

Let's suppose that we have a client with 100 Mbps total full-duplex
throughput on the SRX-240 interfaces.

If this client has 6000 users ... how is it possible to combine:

1.5 Gbps (100 Mbps) x 128K sessions x 9000 new sessions/second

Supposing 5000 users x 100 sessions per user ... the box will not
support it, right?

What is the correct way to calculate this accurately?

Every player seems to have a way to calculate it. Every player says
something about sessions.

What is the correct parameter about sessions?

How many sessions per second can a normal user (FTP, e-mail, HTTP, SSL, SSH,
Telnet) generate?

Why is the number of 9000 new sessions/second important?

How can I add DDoS mitigation on top of all of these 3 parameters?

How much performance will I consume under a DDoS attack?

Is it possible to measure it?

Thanks a lot,
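
The three datasheet figures in the question are tied together by Little's law: concurrent sessions = new sessions per second x mean session lifetime, so a box can be exhausted on any one of the three axes (session table, setup rate, or throughput) independently, and the uplink caps the usable throughput regardless of the datasheet number. The following sizing check is an added example, not code from the thread or from Juniper; it uses the figures quoted above (1.5 Gbps, 128 K sessions, 9000 new sessions/second, 100 Mbps link, 5000 users x 100 sessions) and treats mean session lifetime, per-session bandwidth, a half-open timeout and a flood SYN rate as constructed assumptions, since the post gives none of them. The `half_open_load` function shows why the setup rate matters under attack: a stateful box that allocates an entry per SYN holds rate x timeout half-open entries, which is the same law applied to traffic that never completes the handshake.

```python
"""Rough stateful-firewall sizing check: combines the three datasheet
figures from the post (throughput, session table size, new sessions/second)
with an assumed mean session lifetime via Little's law:
    concurrent sessions = new sessions per second x mean session lifetime
All traffic-profile numbers below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallSpec:
    throughput_mbps: float      # "Firewall performance (max)"
    max_sessions: int           # "Maximum concurrent sessions"
    new_sessions_per_sec: int   # "New sessions/second (sustained, TCP, 3-way)"


@dataclass(frozen=True)
class Workload:
    users: int
    sessions_per_user: float    # concurrent sessions held per user
    avg_session_seconds: float  # assumed mean session lifetime
    avg_session_kbps: float     # assumed mean bandwidth per concurrent session
    link_mbps: float            # the uplink the box actually sits on


def size_check(spec: FirewallSpec, load: Workload) -> dict:
    """Return each dimension's demand and whether the box (and link) covers it."""
    concurrent = load.users * load.sessions_per_user
    # Little's law: sustained setup rate = concurrent sessions / mean lifetime
    setup_rate = concurrent / load.avg_session_seconds
    bandwidth_mbps = concurrent * load.avg_session_kbps / 1000
    # The box cannot push more than the link carries, whatever the datasheet says
    usable_mbps = min(spec.throughput_mbps, load.link_mbps)
    checks = {
        "session_table": concurrent <= spec.max_sessions,
        "setup_rate": setup_rate <= spec.new_sessions_per_sec,
        "bandwidth": bandwidth_mbps <= usable_mbps,
    }
    return {
        "concurrent_sessions": concurrent,
        "setup_rate_per_sec": setup_rate,
        "bandwidth_mbps": bandwidth_mbps,
        "usable_mbps": usable_mbps,
        "fits": all(checks.values()),
        "limits_exceeded": [name for name, ok in checks.items() if not ok],
    }


def half_open_load(spec: FirewallSpec, syn_rate_per_sec: float,
                   half_open_timeout_s: float) -> dict:
    """Headroom left when SYNs arrive that never complete the handshake.
    A box that allocates state per SYN holds rate x timeout half-open entries
    (Little's law again); the same SYN rate also eats into the setup budget."""
    entries = syn_rate_per_sec * half_open_timeout_s
    return {
        "half_open_entries": entries,
        "table_fraction_used": entries / spec.max_sessions,
        "setup_budget_fraction_used": syn_rate_per_sec / spec.new_sessions_per_sec,
        "setup_rate_left_for_users": spec.new_sessions_per_sec - syn_rate_per_sec,
    }


# Datasheet figures quoted in the post; "128 K" is read here as 128,000.
SRX240 = FirewallSpec(throughput_mbps=1500, max_sessions=128_000,
                      new_sessions_per_sec=9000)

# Constructed traffic profiles: lifetime and per-session bandwidth are guesses.
POST_SCENARIO = Workload(users=5000, sessions_per_user=100,
                         avg_session_seconds=60, avg_session_kbps=0.8,
                         link_mbps=100)
MODEST_SCENARIO = Workload(users=5000, sessions_per_user=20,
                           avg_session_seconds=60, avg_session_kbps=0.8,
                           link_mbps=100)

if __name__ == "__main__":
    for name, load in (("post", POST_SCENARIO), ("modest", MODEST_SCENARIO)):
        print(name, size_check(SRX240, load))
    # Constructed flood: 2000 SYN/s held for a 20 s half-open timeout
    print("flood", half_open_load(SRX240, syn_rate_per_sec=2000,
                                  half_open_timeout_s=20))
```

With the post's own numbers the session table (500,000 entries needed against 128 K) and the 100 Mbps link are the limits that fail, while the 9000 sessions/second setup budget is still within reach at a 60 s mean lifetime; cut the per-user count to 20 and all three fit. The mean lifetime is the figure worth measuring on the real network (flow records from the existing edge device give it directly), because it is what turns a concurrent-session count into the sustained setup rate that the datasheet's 9000/s is rated for.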


I know you can measure the actual performance if you use Ixia hardware. We
have used Ixia to find the limitations of hardware before putting it in