Slashdot Mirror


Firewalls Make DDoS Attacks Worse

jfruhlinger writes "Firewalls are an important part of any network setup — but if you put them in front of your Web servers, they become a single point of failure in the event of a DDoS attack. "Folks do it because they have been programmed to do it," says one security expert, but he urges you to avoid this setup at all costs."

6 of 217 comments

  1. Bad headline, too vague by Mr_eX9 · Score: 4, Interesting

    The article says that poorly deployed firewalls and IPS systems create a single point of failure.

  2. Re:Arbor Networks by icebike · Score: 4, Interesting

    Yeah, poorly configured and managed firewalls can't handle a big DDoS attack. Duh, neither could a poorly configured server of any kind (e.g. web server or whatever).

    Nothing to see here.

    Nothing you can afford can handle a "Big DDOS attack".

    No need to pick nits about how it is managed or configured.

    --
    Sig Battery depleted. Reverting to safe mode.

  3. Best be a Coward for 5 minutes........ by business_kid · Score: 3, Interesting

    What's lacking here is a really good idea to cope with DDoS attacks. D.J. Bernstein, whose technical expertise cannot be doubted as much as his sanity can, suggested simply replying with an 'ack' in a DoS attack. Effectively you have some daemon there who realizes "We can't handle this" and says "Plan B: just send an ack and forget it." As you work through the backlog of requests, sanity can be restored, and people can then access until plan B is needed again. It is temporarily conceding DoS, but if you don't, the system will go under. It's like the lines from 'Slattery's Mounted Fut' (by Percy French): You prefer the soldier's maxim when desisting from the strife, Best be a coward for 5 minutes than a dead man all your life!

  4. Re:Translation by toejam13 · Score: 4, Interesting

    I believe that an underspec'd firewall is most likely what they are referring to. Many people purchase firewalls based off of their raw bandwidth capacity. If you have an OC-12 ATM uplink to your ISP, basic logic used to suggest that you made sure that your firewall has at least an OC-12 or GigE port on the untrusted side.

    But how many TCP SYN init packets can it parse per second? How many TCP connections can it handle before it runs out of memory? Does it treat embryonic connections different from a reaping standpoint than established connections? How many HTTP commands can it parse per second? All of a sudden, you have a lot more to worry about than bps throughput. You need to know the peak numbers of each in case you get slapped with a DoS attack.

    Suddenly, that inexpensive 1Gbps firewall may not be enough. You might need to get a higher-end model, or you might need to bring in a Citrix or F5 load-balancer and spread the load.

  5. What is the purpose of a firewall anyway? by WaffleMonster · Score: 1, Interesting

    I remember back in the day firewalls were about *logging* more than they were about security.

    I guess I have trouble understanding the point of firewalls for public facing systems. If you can't configure the server to only expose the required services to the public a firewall is great but nowadays there really is no credible reason such configuration is not possible either directly in the server configuration file or with local firewalling rules.

    IDS and various layer n scanning and proxy filters and the operating systems they run on top of are not immune to attack themselves. There have been a number of attacks specifically targeting IDS systems. By deploying unnecessary systems you are growing additional branches on your system's threat tree.

    At the end of the day the *application* you expose has to stand on its own. Systems without a brain don't have the capability to meaningfully understand higher layer interactions. A firewall will happily forward all non-cheesy app layer attack vectors. The only thing you gain is independent logging!! If you compromise a host you can compromise its logs, but if there is a middle box doing the logging it is isolated from compromise.

    For example, many systems advertise protection against injection attacks; however, nothing but the app can block an injection attack with 100% coverage and no false alarms (which can have adverse effects on legitimate use of a system). By definition there is no informational basis to obtain such knowledge.

    The kicker is few seem to care much about their firewall logs these days. They keep them but don't really spend any time and energy reviewing them. All PPL are doing is checking the firewall box on their security checklists and moving on.

    In my view the act of thinking that one is safe because they use a firewall is worse than not having a firewall.

  6. Re:useless article by Anonymous Coward · Score: 2, Interesting

    Unless you have actually operated a massive web server farm and been involved in mitigating large DDoS attacks, please don't try and speak authoritatively.

    For very large server networks (multiple 10GE pipes feeding in, etc.) any firewall that you can buy will fail under attack way before the pipes fill up. A web server farm with no stateful firewall is better equipped to deal with a flood of new transactions than a stateful firewall can process a new connection, add the state entry in the connection table and then match each packet against the table.

    DDoS attacks will often attack the state table in the firewall, by filling it with useless connections and thereby making it match every packet against a huge list of nonsense. Every step that a firewall vendor takes to try and mitigate these attacks actually makes the DDoS more successful. Most firewalls can be rendered useless with only a few thousand packets per second on an ongoing basis.

    Large web server farms will have static non-stateful ACLs in hardware on a switch or router which filter most of the rubbish out, but the web server is on its own as far as dealing with SYN floods and half set up connections etc.
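The two points raised above, toejam13's question of whether a firewall reaps embryonic (half-open) entries faster than established ones and the Anonymous Coward's description of a state table being filled with useless half-open connections, can be made concrete with a small model. The Python below is an added example, not code from the thread, from Slashdot, or from any firewall vendor: it is a toy connection table with a hard capacity and separate idle timeouts per connection state, fed a constructed mix of spoofed SYNs that never complete the handshake and real clients that do. All sizing numbers (200-entry table, 400 spoofed SYN/s, 10 real clients/s) are made up for illustration, far below anything real, so that the run finishes quickly.

```python
"""Toy model of a stateful firewall connection table under a spoofed SYN flood.

Constructed example (not code from the thread or from any firewall vendor).
It models two things the commenters describe: a flood of half-open connections
filling the state table, and how much it matters whether embryonic (half-open)
entries are reaped faster than established ones.  All traffic and sizing
numbers below are made up for illustration.
"""
import random


class StateTable:
    """Connection table with a hard capacity and per-state idle timeouts."""

    def __init__(self, capacity, embryonic_timeout, established_timeout):
        self.capacity = capacity
        self.embryonic_timeout = embryonic_timeout      # idle limit for half-open entries
        self.established_timeout = established_timeout  # idle limit for completed handshakes
        self.embryonic = {}     # key -> last-seen time, handshake not finished
        self.established = {}   # key -> last-seen time, handshake finished
        self.dropped_syns = 0   # SYNs refused because the table was full

    def _reap(self, now):
        """Evict entries whose idle time exceeds the timeout for their state."""
        for table, limit in ((self.embryonic, self.embryonic_timeout),
                             (self.established, self.established_timeout)):
            for key in [k for k, seen in table.items() if now - seen > limit]:
                del table[key]

    def syn(self, key, now):
        """A new SYN: admit it as a half-open entry if there is room."""
        self._reap(now)
        if key in self.embryonic or key in self.established:
            return True
        if len(self.embryonic) + len(self.established) >= self.capacity:
            self.dropped_syns += 1
            return False
        self.embryonic[key] = now
        return True

    def ack(self, key, now):
        """Final ACK of the handshake: only succeeds if the SYN was admitted."""
        self._reap(now)
        if key not in self.embryonic:
            return False
        del self.embryonic[key]
        self.established[key] = now
        return True


def simulate(embryonic_timeout, capacity=200, flood_rate=400, legit_rate=10,
             duration=10.0, handshake_rtt=0.05, seed=1):
    """Mix spoofed SYNs (never completed) with real clients; return
    (fraction of real handshakes completed, SYNs dropped for lack of space)."""
    rng = random.Random(seed)
    table = StateTable(capacity, embryonic_timeout, established_timeout=60.0)
    events = []
    # constructed flood: each spoofed source sends one SYN and never answers
    for i in range(int(flood_rate * duration)):
        events.append((rng.uniform(0, duration), "syn", ("spoofed-%d" % i, 80)))
    # constructed real clients: SYN, then the final ACK one RTT later
    n_legit = int(legit_rate * duration)
    for i in range(n_legit):
        t = rng.uniform(0, duration)
        key = ("client-%d" % i, 80)
        events.append((t, "syn", key))
        events.append((t + handshake_rtt, "ack", key))
    events.sort(key=lambda ev: ev[0])

    completed = 0
    for now, kind, key in events:
        if kind == "syn":
            table.syn(key, now)
        elif table.ack(key, now):
            completed += 1
    return completed / n_legit, table.dropped_syns


if __name__ == "__main__":
    for timeout in (60.0, 0.1):
        ratio, dropped = simulate(embryonic_timeout=timeout)
        print("embryonic timeout %5.1fs: %3.0f%% real handshakes completed, %d SYNs dropped"
              % (timeout, ratio * 100, dropped))
```

With half-open entries kept as long as established ones (60 s), the flood fills the table in about half a second and almost every real client arriving after that is refused, which is the failure mode the Anonymous Coward describes. With half-open entries reaped after 0.1 s, the flood occupies only a few dozen slots at any moment and every real handshake completes. The model says nothing about packet rates or memory a real box can sustain; it only shows why the reaping policy, not the port speed, is the number to ask a vendor about.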