Firewalls Make DDoS Attacks Worse

jfruhlinger writes "Firewalls are an important part of any network setup — but if you put them in front of your Web servers, they become a single point of failure in the event of a DDoS attack. "Folks do it because they have been programmed to do it," says one security expert, but he urges you to avoid this setup at all costs."

Bad headline, too vague

[Mr_eX9]

The article says that poorly deployed firewalls and IPS systems create a single point of failure.

Re:Arbor Networks

[icebike]

Yeah, poorly configured and managed firewalls can't handle a big DDoS attack. Duh, neither could a poorly configured server of any kind (eg. web server or whatever).

Nothing to see here.

Nothing you can afford can handle a "Big DDOS attack".

No need to pick nits about how it is managed or configured.

Re:Translation

[toejam13]

I believe that an underspec'd firewall is most likely what they are referring to. Many people purchase firewalls based off of their raw bandwidth capacity. If you have an OC-12 ATM uplink to your ISP, basic logic used to suggest that you made sure that your firewall has at least an OC-12 or GigE port on the untrusted side.

But how many TCP SYN init packets can it parse per second? How many TCP connections can it handle before it runs out of memory? Does it treat embryonic connections different from a reaping standpoint than established connections? How many HTTP commands can it parse per second? All of a sudden, you have a lot more to worry about than bps throughput. You need to know the peak numbers of each in case you get slapped with a DoS attack.

Suddenly, that inexpensive 1Gbps firewall may not be enough. You might need to get a higher-end model, or you might need to bring in a Citrix or F5 load-balancer and spread the load.