Slashdot Mirror


Firewalls Make DDoS Attacks Worse

jfruhlinger writes "Firewalls are an important part of any network setup — but if you put them in front of your Web servers, they become a single point of failure in the event of a DDoS attack. "Folks do it because they have been programmed to do it," says one security expert, but he urges you to avoid this setup at all costs."

9 of 217 comments

  1. Long on Rhetoric by hduff · Score: 5, Insightful

    Short on specifics.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Long on Rhetoric by Svartalf · Score: 5, Insightful

      Looks like it. Single point of failure in a DDoS? If they choke your inbound pipe (the very definition of a DDoS...) having it on a DMZ or unprotected will not help prevent things from crushing your connectivity. In many cases, the Firewall can actually handle higher transaction traffic than the webserver can. If you're doing a load-balanced setup, he might be right, but that's not the premise he apparently led with.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    2. Re:Long on Rhetoric by Anonymous Coward · Score: 0, Insightful

      So basically what you're saying is that you have not the slightest clue how the internet, firewalls or networks in general work. And you seem to think that a port is somehow a physical thing.

    3. Re:Long on Rhetoric by passthecrackpipe · Score: 3, Insightful

      In a surprise revelation, a vendor of anti-DDOS equipment claimed that everybody else is doing it wrong, and leaves several subtle hints that their own equipment and services are the only true defence against a concerted DDOS attack. In a further shocking comment, the article disclosed that almost everybody else is constantly under some form of DDOS attack, hinting that you might be next. As a final nail in the coffin of your amateurish "Network Security" the experts reveal that there is nothing you can do - the better you protect your systems, and the more traffic your current systems will be designed to handle, the more aggressive attackers will become.

      --
      People who think they know everything are a great annoyance to those of us who do.
  2. Arbor Networks by Anonymous Coward · Score: 5, Insightful

    Arbor Networks, the people who did this "study", sell DDoS solutions. Of course they're going to say that anything you do other than pay them to provide your solution is a bad idea.

    Yeah, poorly configured and managed firewalls can't handle a big DDoS attack. Duh, neither could a poorly configured server of any kind (eg. web server or whatever).

    Nothing to see here.

  3. We're not always programmed... by Anonymous Coward · Score: 4, Insightful

    We're forced to deploy "legacy" network firewalls by standards (such as the PCI DSS) or regulations (such as MA 201CMR1700). If you are confronted with an auditor without imagination, your compensating controls are misunderstood and findings ensue.

  4. Would you rather by D3 · Score: 5, Insightful

    be taken offline by a DDOS or have your web server compromised by an exploit that has unfettered access to it? A DDOS will only cost me revenue while I'm not available. Having my server hacked will cost me downtime AND recovery costs. A real security person would take a risk-based approach. In this case, the risk of other damages (i.e. server compromise, theft of credit cards, loss of customer confidence) is much higher than the risk of being down due to DDOS. I think Arbor are now making it onto my list of companies to avoid.

    --
    Do really dense people warp space more than others?
  5. Flawed logic by Smallpond · Score: 4, Insightful

    Also don't build taller walls, because it just encourages attackers to bring taller ladders.

  6. Re:Bad headline, too vague by RobertM1968 · Score: 5, Insightful

    The article says that poorly deployed firewalls and IPS systems create a single point of failure.

    So do poorly deployed network cables, or poorly deployed almost anything that hosts rely on to handle all their traffic (power solutions, switches, etc). By the definition of what a firewall is supposed to accomplish, a poorly deployed one obviously creates a lot of problems or provides little protection.

    Also, water is wet.