Slashdot Mirror


Firewalls Make DDoS Attacks Worse

jfruhlinger writes "Firewalls are an important part of any network setup — but if you put them in front of your Web servers, they become a single point of failure in the event of a DDoS attack. "Folks do it because they have been programmed to do it," says one security expert, but he urges you to avoid this setup at all costs."

39 of 217 comments

  1. Long on Rhetoric by hduff · Score: 5, Insightful

    Short on specifics.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Long on Rhetoric by suso · Score: 2

      Exactly, there is no hard evidence that would convince anyone technical in that article. Waste.

    2. Re:Long on Rhetoric by Suki I · Score: 3, Funny

      Short on specifics.

      So I did not miss anything by not RTFA?

    3. Re:Long on Rhetoric by Svartalf · Score: 5, Insightful

      Looks like it. Single point of failure in a DDoS? If they choke your inbound pipe (the very definition of a DDoS...) having it on a DMZ or unprotected will not help prevent things from crushing your connectivity. In many cases, the Firewall can actually handle higher transaction traffic than the webserver can. If you're doing a load-balanced setup, he might be right, but that's not the premise he apparently led with.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    4. Re:Long on Rhetoric by Lumpy · Score: 2

      Short of specifics and common sense.

      I don't care how you set it up, even if you set your webserver on another network you STILL firewall it. I think the article writer does not know what a firewall is.

      I'm betting he is a CIO that thinks a firewall is a red box from Watchguard they pay too much for to get little in return (pfsense in a cheapie 1u dell server is better than ANY product they sell at Watchguard.)

      --
      Do not look at laser with remaining good eye.
    5. Re:Long on Rhetoric by petermgreen · Score: 2

      So if ports 80 and 443 have less than 100% of the allocation, the firewall should pass the other ports on the remainder allocation without a hiccup.

      A traffic shaper/firewall can only prioritise packets it sees. It can't do anything about packets that were already lost before they reached it.

      In a typical setup you would have an external link coming in to your traffic shaper. In order for the traffic shaper to effectively shape incoming traffic it must be the bottleneck. You achieve that by deliberately setting the bandwidth out of your traffic shaper marginally lower than the bandwidth of the incoming link. You waste a little bandwidth that way but it's worth it to be able to control the prioritisation. However that only works IF those sending you traffic are playing nice (by playing nice I mean using protocols like TCP that back off when they see congestion). If your ISP receives traffic for you at say 10 times the rate of your link and the senders don't back off then your ISP will have to drop nine tenths of it. The only way to fight such an attack is from the ISP side, either by buying a bigger link or by getting the ISP to filter/shape the traffic before it hits the bottleneck. Your traffic shaper/firewall is powerless because nine tenths of your legitimate traffic is gone before it hits your shaper/firewall.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    6. Re:Long on Rhetoric by passthecrackpipe · Score: 3, Insightful

      In a surprise revelation, a vendor of anti-DDOS equipment claimed that everybody else is doing it wrong, and leaves several subtle hints that their own equipment and services are the only true defence against a concerted DDOS attack. In a further shocking comment, the article disclosed that almost everybody else is constantly under some form of DDOS attack, hinting that you might be next. As a final nail in the coffin of your amateurish "Network Security" the experts reveal that there is nothing you can do - the better you protect your systems, and the more traffic your current systems will be designed to handle, the more aggressive attackers will become.

      --
      People who think they know everything are a great annoyance to those of us who do.
    7. Re:Long on Rhetoric by Vancorps · Score: 2

      I'm a little curious what enterprise level firewalls you've dealt with if you're saying that firewalls are built on low end hardware. I know the E-Class Sonicwalls can handle a million simultaneous connections individually and you can load balance them to achieve higher workloads. There is nothing low end about the hardware inside as the E6500 at least is running 16 cores which is about the same resources as a typical server these days only they are dedicated to the job at hand. The Sonicwalls at least also have many performance tuning options giving the ability to disable DPI if you're in a high traffic scenario and overwhelming hardware.

      Enterprise firewalls these days are much better than even three years ago. Three years ago I might have agreed with the stance of trying to make do without, but now the load balancers behind the firewall are where my bottleneck is, after the pipe coming into me of course.

  2. Bad headline, too vague by Mr_eX9 · Score: 4, Interesting

    The article says that poorly deployed firewalls and IPS systems create a single point of failure.

    1. Re:Bad headline, too vague by RobertM1968 · Score: 5, Insightful

      The article says that poorly deployed firewalls and IPS systems create a single point of failure.

      So do poorly deployed network cables, or poorly deployed almost anything that hosts rely on to handle all their traffic (power solutions, switches, etc). By the definition of what a firewall is supposed to accomplish, a poorly deployed one obviously creates a lot of problems or provides little protection.

      Also, water is wet.

  3. Translation by Locke2005 · Score: 2

    Poorly-designed firewalls make DDoS attacks worse.

    FTFY

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Translation by toejam13 · Score: 4, Interesting

      I believe that an underspec'd firewall is most likely what they are referring to. Many people purchase firewalls based off of their raw bandwidth capacity. If you have an OC-12 ATM uplink to your ISP, basic logic used to suggest that you made sure that your firewall has at least an OC-12 or GigE port on the untrusted side.

      But how many TCP SYN init packets can it parse per second? How many TCP connections can it handle before it runs out of memory? Does it treat embryonic connections different from a reaping standpoint than established connections? How many HTTP commands can it parse per second? All of a sudden, you have a lot more to worry about than bps throughput. You need to know the peak numbers of each in case you get slapped with a DoS attack.

      Suddenly, that inexpensive 1Gbps firewall may not be enough. You might need to get a higher-end model, or you might need to bring in a Citrix or F5 load-balancer and spread the load.

    2. Re:Translation by hardburn · Score: 3, Informative

      If it's limited to no higher than layer 4 stateful firewalling, then it's not going to get overloaded. Assuming there are no bugs being exploited by attackers (if there are, you're probably screwed anyway), then an old Pentium could easily handle enough traffic to saturate the link.

      If it's going to higher layers, then things get interesting. I'm also skeptical of the utility of doing that for public-facing web sites.

      --
      Not a typewriter
  4. Hacker says by bhcompy · Score: 5, Funny

    Hacker says that firewalls are bad, so don't use them.

  5. What a useless article by zn0k · Score: 4, Informative

    "People are deploying firewalls wrong", some company says. "We're not going to say anything other than that", some journalist adds. "Particularly we're not going to mention where and how said company thinks firewalls should be deployed. We're just going to refer to some report they published a few times, but we won't link to it". When asked what the hell kind of point they were trying to make the journalist hummed and hawed a few times before admitting that he wasn't entirely sure. "Firewalls can be bottlenecks when experiencing DDoS attacks", the company's solutions architect insisted, making a rather obvious point.

    1. Re:What a useless article by SnarfQuest · Score: 2

      Later, the journalist was heard asking a coworker, "What's a firewall? Do I also need a Fire Extinguisher if I already have a firewall?"

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  6. Arbor Networks by Anonymous Coward · Score: 5, Insightful

    Arbor Networks, the people who did this "study", sell DDoS solutions. Of course they're going to say that anything you do other than pay them to provide your solution is a bad idea.

    Yeah, poorly configured and managed firewalls can't handle a big DDoS attack. Duh, neither could a poorly configured server of any kind (e.g. web server or whatever).

    Nothing to see here.

    1. Re:Arbor Networks by icebike · Score: 4, Interesting

      Yeah, poorly configured and managed firewalls can't handle a big DDoS attack. Duh, neither could a poorly configured server of any kind (e.g. web server or whatever).

      Nothing to see here.

      Nothing you can afford can handle a "Big DDOS attack".

      No need to pick nits about how it is managed or configured.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Arbor Networks by icebike · Score: 2

      YOU != Amazon

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Arbor Networks by nine-times · Score: 3, Informative

      Nothing you can afford can handle a "Big DDOS attack".

      And most of us don't remotely need our servers to withstand a "big DDOS attack". It's like saying, "The security in your home can't keep out a world-class cat burglar." Well, that's true. It's true that we can't afford that kind of security, and it's also true that we don't need that kind of security.

      Your security really only needs to be able to withstand the kind of attacks that you're likely to encounter. For most of us, that's only the most casual of attacks. Many sites are more likely to be taken offline by being slashdotted than being purposefully attacked.

    4. Re:Arbor Networks by qw(name) · Score: 2

      or Mark... I just saw the Social Network :)

      My condolences.

  7. useless article by clarkn0va · Score: 5, Informative

    I'm somewhere between novice and expert with firewalls on large networks, and this article says absolutely nothing that makes sense to me. The author posits that a firewall in front of a server is just a new bottleneck. Really? In what way?

    General consensus on security-oriented forums seems to be that a DDOS is effective because it fills your internet pipe. If my firewall is a bottleneck, then it's either too weak for the pipe it's deployed on, or it's trying to do something stupid with packets that arrive there, and drowning as a result.

    That, or this is all way over my head, in which case the author of the article has failed to reach a reasonably savvy audience.

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
    1. Re:useless article by Svartalf · Score: 5, Informative

      No, it's not way over your head. Your simplistic explanations of things are right on the money there. If a firewall is a chokepoint, you're doing the wrong type of filtering, you haven't got enough muscle for the pipe you're serving the firewall for, or similar. It's not a "new" chokepoint for DDoSes; the goal's to choke off the pipe however you can. Putting it on the outside of a firewall's stupid for other reasons and doesn't keep the webserver from being an attack point or the pipe really being the choke point that's attacked by a DDoS. If your firewall's a problem, it's because it's not sized correctly or you've misconfigured it.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    2. Re:useless article by Anonymous Coward · Score: 2, Interesting

      Unless you have actually operated a massive web server farm and been involved in mitigating large DDOS attacks, please don't try and speak authoritatively.

      For very large server networks (multiple 10GE pipes feeding in, etc.) any firewall that you can buy will fail under attack way before the pipes fill up. A web server farm with no stateful firewall is better equipped to deal with a flood of new transactions than a stateful firewall, which has to process each new connection, add the state entry to the connection table and then match each packet against the table.

      DDOS attacks will often attack the state table in the firewall by filling it with useless connections, thereby making it match every packet against a huge list of nonsense. Every step that a firewall vendor takes to try and mitigate these attacks actually makes the DDOS more successful. Most firewalls can be rendered useless with only a few thousand packets per second on an ongoing basis.

      Large web server farms will have static non-stateful ACLs in hardware on a switch or router which filter most of the rubbish out, but the web server is on its own as far as dealing with SYN floods and half set up connections etc.

    3. Re:useless article by DavidTC · Score: 2

      That's not how DDoSes work at all.

      No one runs a DDoS against ports that aren't open. All DDoSes are designed to look like totally legit connections to, in this case, port 80. This is quite simply because bogus packets cannot cause a DDoS, period. The server either rejects them, or ignores them, and they have almost no effect beyond a split second of CPU.

      Whereas 'legitimate' connections that show up, and the server ACKs...and then gets no response from...those tie up server resources. And, incidentally, use outgoing bandwidth also. While special hardware could, indeed, filter obviously useless packets, no one actually needs to do that, as obviously useless packets are trivially dealt with at the server.

      And you are correct in that my analogy was over-simplified...in actuality, what's going on is a bunch of empty clothing keeps walking up to the house. Yes, we could gate the locked doors that some people walk up to, and stop empty clothes from walking up to them, but, frankly, that clothing isn't wasting anyone's time.

      The problem is all the empty clothes in the line with legitimate people, making them wait, and who the doorkeepers ask to come in, and just stand there a few seconds until the doorkeepers realize what happened and throw them in the trash.

      See why I didn't use that weird analogy?

      The problem isn't bogus things clogging up paths to nowhere (Which are, in fact, empty), it's bogus things clogging up actual resources, actual connections, both at the OS and program level.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  8. We're not always programmed... by Anonymous Coward · Score: 4, Insightful

    We're forced to deploy "legacy" network firewalls by standards (such as the PCI DSS) or regulations (such as MA 201CMR1700). If you are confronted with an auditor without imagination your compensating controls are misunderstood and findings ensue.

  9. Would you rather by D3 · Score: 5, Insightful

    be taken offline by a DDOS or have your web server compromised by an exploit that has unfettered access to it? A DDOS will only cost me revenue while I'm not available. Having my server hacked will cost me downtime AND recovery costs. A real security person would take a risk based approach. In this case, the risk to other damages (i.e. server compromise, theft of credit cards, loss of customer confidence) is much higher than the risk of being down due to DDOS. I think Arbor are now making it onto my list of companies to avoid.

    --
    Do really dense people warp space more than others?
  10. Flawed logic by Smallpond · Score: 4, Insightful

    Also don't build taller walls, because it just encourages attackers to bring taller ladders.

  11. Sold! by Beelzebud · Score: 4, Funny

    Firewalls are a waste of time. I just disabled mine and am ready for some smoo

  12. Best be a Coward for 5 minutes........ by business_kid · Score: 3, Interesting

    What's lacking here is a really good idea to cope with DDOS attacks. D.J. Bernstein, whose technical expertise cannot be doubted as much as his sanity can, suggested simply replying with an 'ack' in a DoS attack. Effectively you have some daemon there who realizes "We can't handle this" and says "Plan B: just send an ack and forget it." As you work through the backlog of requests, sanity can be restored, and people can then access until plan B is needed again. It is temporarily conceding DoS, but if you don't, the system will go under. It's like the lines from 'Slattery's Mounted Fut' (by Percy French): "You prefer the soldier's maxim when desisting from the strife, Best be a coward for 5 minutes than a dead man all your life!"

  13. STATEFUL firewalls by josephSevern · Score: 2

    STATEFUL firewalls are the problem. It makes no sense to put stateful firewalls in front of server farms. Any mechanism that tracks state is a DDoS intensifier. If you're running services on ports 80 and 443, put stateless ACLs on the edge routers, running in hardware, that are capable of line rate. That protects you against traffic on inappropriate ports without creating a stateful DDoS vector. If you need to mitigate application-layer attacks, do it on the servers with something like mod_security. That way you can distribute the attack across the server farm instead of running a stateful choke point that risks bringing your whole site down.

  14. Actually a good reason for it by Lennie · Score: 2

    Stateful firewalls are usually bottlenecks when a DDOS attack happens, because they do what they are supposed to do: keep a lot of state.

    But during DDOS attacks there is just too much state for the firewall to handle.

    --
    New things are always on the horizon
    1. Re:Actually a good reason for it by olden · Score: 2

      during DDOS attacks there is just too much state for the firewall to handle.

      Sorry, this is wrong for all except maybe the most stupid firewalls out there.

      A decent firewall will not only handle a lot more connections (or attempted connections) than any server can, it can also use a range of mitigation strategies should things start to get hairy, such as weeding out states selectively/faster, outright dropping anything unusual or matching any known-bad behavior, falling back to SYN-cookies (which don't require any state to be kept) and only forwarding traffic after completion of the TCP handshake (only allowing connections from non-spoofed addresses), adaptive per-IP/subnet/network rate-limiting, etc...
      Heck, firewalls from reputable companies are devices designed to handle and resist attacks, and are tested accordingly. Regardless, while those will weather DDoSs fine, they can't magically prevent your pipe from being saturated either...

      TFA completely misses the point too IMHO. Worthless.
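The SYN-cookie fallback olden mentions is the one mitigation in this thread that removes the state table from the picture entirely, so it is worth seeing concretely. The following is an added example, not code from the original thread or from any firewall product: the cookie layout (an 8-bit time counter plus a 24-bit truncated HMAC over the 4-tuple), the 64-second counter period, the demo secret and the addresses are all constructed for illustration, and the encoding mirrors the idea of SYN cookies rather than any particular operating system's exact format. The listener class shows the property that matters for the thread: a flood of SYNs that never complete leaves nothing behind on the server, while a real client that returns the cookie in its ACK is admitted.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secret; a real implementation would rotate it periodically.
DEMO_SECRET = os.urandom(32)

# Cookie layout (a 32-bit value carried as the SYN-ACK sequence number):
#   top 8 bits  : coarse time counter, in COUNTER_PERIOD-second units
#   low 24 bits : truncated MAC over the 4-tuple and that counter
# This mirrors the idea of SYN cookies, not any particular OS's exact encoding.
COUNTER_PERIOD = 64     # seconds per counter tick (assumed value)
MAX_AGE_TICKS = 2       # accept the current and the previous tick only


def _counter(now):
    return int(now // COUNTER_PERIOD) & 0xFF


def _mac(saddr, sport, daddr, dport, counter, secret):
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")      # 24-bit truncation


def make_syn_cookie(saddr, sport, daddr, dport, now=None, secret=DEMO_SECRET):
    """Sequence number to put in the SYN-ACK. Nothing is stored on the server."""
    now = time.time() if now is None else now
    c = _counter(now)
    return (c << 24) | _mac(saddr, sport, daddr, dport, c, secret)


def check_syn_cookie(ack_num, saddr, sport, daddr, dport, now=None, secret=DEMO_SECRET):
    """Validate the third handshake packet. ack_num is the client's ACK number,
    i.e. our cookie plus one, so the cookie is recovered from the packet itself."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF
    c, mac = cookie >> 24, cookie & 0xFFFFFF
    if ((_counter(now) - c) & 0xFF) >= MAX_AGE_TICKS:
        return False                                # too old: stale or replayed
    expected = _mac(saddr, sport, daddr, dport, c, secret)
    return hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big"))


class StatelessListener:
    """Server side of the handshake that allocates state only after the ACK verifies."""

    def __init__(self, addr, port, secret=DEMO_SECRET):
        self.addr, self.port, self.secret = addr, port, secret
        self.established = {}       # only fully handshaken connections live here

    def on_syn(self, saddr, sport, now=None):
        # The SYN-ACK is derived from the packet; no half-open entry is created.
        return make_syn_cookie(saddr, sport, self.addr, self.port, now, self.secret)

    def on_ack(self, saddr, sport, ack_num, now=None):
        if not check_syn_cookie(ack_num, saddr, sport, self.addr, self.port, now, self.secret):
            return False
        self.established[(saddr, sport)] = "ESTABLISHED"
        return True


def demo(spoofed_syns=10000, now=1_000.0):
    """Constructed scenario: a flood of SYNs that never complete, plus one real client.
    Returns (entries after the flood, whether the real client got in, entries at the end)."""
    srv = StatelessListener("203.0.113.10", 443)
    for i in range(spoofed_syns):                   # spoofed sources never send the ACK
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now)
    half_open_after_flood = len(srv.established)    # stays 0: nothing was remembered
    cookie = srv.on_syn("192.0.2.55", 50000, now)
    legit_ok = srv.on_ack("192.0.2.55", 50000, cookie + 1, now + 0.2)
    return half_open_after_flood, legit_ok, len(srv.established)


if __name__ == "__main__":
    print(demo())    # (0, True, 1)
```

The trade-off, which olden's post also hints at, is that the cookie encodes only what fits in a sequence number, so any handshake options the server would normally remember are lost while the fallback is active; that is why it is a degraded mode to switch into under load rather than the default.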

  15. Programmed to do it... by Bert64 · Score: 4, Informative

    Misconfigured IPS systems are often easily abused to launch a DoS, for instance many will block an IP address which appears to be doing a SYN scan, yet such scans are trivially spoofed - spoof the scans from other addresses and the IPS will dutifully block them.

    As for firewalls, people are generally conditioned that a firewall is required, and in many cases end up relying entirely on the firewall (e.g. a device will have lots of listening ports open which don't need to be, and which are only inaccessible from the internet because of a firewall). It's extremely common to find a network with little apparently open from the outside because of a firewall, but once you get inside everything is wide open and trivially exploitable. All you need is one hole in a service which is permitted through the firewall, and the rest of the network falls easily.

    A firewall should only be a SMALL component in a defence in depth strategy. Your web servers should only have the services they need open, everything else closed, and then the firewall should be a second line of defence which allows the same ports (since you need them). It shouldn't actually be blocking anything under normal circumstances but rather is there to provide a second barrier and point of logging in case someone does compromise the server and tries to open up additional ports or send traffic out. If the servers are only listening on the services they need (and which by definition the firewall must allow anyway) then being behind the firewall doesn't really provide you much benefit as a hacker.

    In terms of DDoS, well it depends on the type of attack.
    A raw packet attack, where you seek to swamp the target with more traffic than it can handle, is often much easier if a firewall is involved, especially a stateful one. For each packet that's received, the firewall must process the interrupt on the outside network card, read the packet headers and process them against its ruleset, and then if the packet is allowed (which it probably will be, since most DDoS attacks will focus on actual service ports) relate it to an existing state table entry or create a new one, perform any necessary packet mangling such as NAT translation and finally forward the packet on through the internal interface. All of this uses CPU, memory and bus bandwidth before it even hits the actual server.
    Then look at the hardware that goes into firewalls, take Cisco as an example... Their current firewalls are Linux based (most commercial firewalls are Linux or BSD based), and run on generic x86 hardware... According to http://en.wikipedia.org/wiki/Cisco_ASA even the most modern ASA firewalls are of a relatively modest spec, meaning that their ability to handle traffic is likely to be less than the servers behind it before even taking into account the additional load of having to do ruleset and state lookups, NAT and forward the traffic back out again.

    If you won't put a server on the internet without a firewall, what is the firewall itself? Most firewalls are just relatively low-end servers, running Linux or BSD... What makes a Cisco ASA safer than a normal Linux box? You allow the services you need through the firewall anyway, so the additional risk of not having a firewall and a properly configured server is very low; no extra services are really exposed but you are increasing performance and decreasing costs.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  16. umm, okay by Weezul · Score: 2

    I'm surprised at the level of ignorance displayed here on slashdot, well no I'm not but, still.

    I'm perfectly willing to believe that the best solution is unfirewalled webheads sporting two network cards, one internal for database and maintenance traffic, and one external with all ports blocked save http. Sure, why not?

    I'm slightly more dubious when you claim it's worth all the extra man hours required for double cabling, ensuring the iptables are configured correctly, etc.

    Amazon E3 has thus far proved themselves DDoS proof. I'd spend the money on building the infrastructure for an emergency Amazon E3 scale up instead of worrying about firewalls.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
    1. Re:umm, okay by Midnight Thunder · Score: 2

      Amazon E3 is probably fairly safe from DDoS because of redundancy and having multiple data centers each with their own internet connection. For a DDoS attack to work you need to have the targeted service existing at one point, so when you disable their only point of presence. When the service is actually spread across locations then you reduce the risk.

      I wouldn't be surprised if the sites that are likely to come down first are either single location sites or stateful transactional servers, which are harder to transparently replicate while still having security in place. I say this because stateful solutions usually require ensuring bandwidth between data centers, while keeping the servers in sync, or exposing things in encrypted cookies.

      --
      Jumpstart the tartan drive.
  17. What they mean by Nigel Stepp · Score: 4, Informative

    The problem with *stateful* firewalls in front of servers is that you can DoS the link without coming *close* to using all of the bandwidth. The state table has a finite size, and it doesn't take many packets per second to fill it up, depending on how long it takes for state entries to expire.

    Additionally, since a server is there to handle unsolicited requests, there's not much point in tracking state anyway.

    Stateless ACLs are what you want in front of a server, not a stateful firewall.

    --
    4096R/EF7BAFA6 79E1 DF98 D09D 898F 9A11 F6F0 DDDC 23FA EF7B AFA6
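Nigel Stepp's point (and the anonymous poster's earlier claim that "a few thousand packets per second" is enough) can be checked with arithmetic rather than taken on faith. The following is an added example, not code from the thread or from any vendor: a constructed model of a stateful firewall's connection table with a fixed capacity and a half-open timeout, plus the closed-form fill time and the link load such a flood represents. The capacity (100,000 entries), timeout (30 s), flood rate (5,000 SYN/s) and 60-byte packet size are assumed values chosen to be plausible, not figures from the page; the simulation also feeds in a trickle of legitimate new connections to show when they start being refused.

```python
from collections import deque


class StateTable:
    """Constructed model of a stateful firewall's connection table: fixed capacity,
    half-open entries that expire `timeout` seconds after creation."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.entries = deque()      # (insert_time, flow_key), oldest first
        self.flows = set()

    def expire(self, now):
        while self.entries and now - self.entries[0][0] >= self.timeout:
            _, key = self.entries.popleft()
            self.flows.discard(key)

    def admit(self, key, now):
        """Try to create state for a new flow; False means the table is full."""
        if key in self.flows:
            return True
        if len(self.flows) >= self.capacity:
            return False
        self.entries.append((now, key))
        self.flows.add(key)
        return True


def time_to_fill(capacity, syn_pps, timeout):
    """Seconds until a SYN flood at syn_pps fills the table, or None if the steady-state
    population (syn_pps * timeout) stays below capacity so it never fills."""
    if syn_pps * timeout < capacity:
        return None
    return capacity / syn_pps


def flood_bandwidth_mbps(syn_pps, bytes_per_packet=60):
    """Link load of the flood; 60 bytes per SYN on the wire is an assumed typical size."""
    return syn_pps * bytes_per_packet * 8 / 1e6


def simulate_flood(capacity, attack_pps, timeout, duration, legit_pps=10):
    """Second-by-second simulation. Returns (first second in which the table overflowed,
    or None; number of legitimate new connections refused over the run)."""
    table = StateTable(capacity, timeout)
    first_full, legit_refused, seq = None, 0, 0
    for t in range(duration):
        table.expire(t)
        for _ in range(attack_pps):         # each spoofed SYN is a distinct new flow
            seq += 1
            if not table.admit(("spoofed", seq), t) and first_full is None:
                first_full = t
        for _ in range(legit_pps):
            seq += 1
            if not table.admit(("legit", seq), t):
                legit_refused += 1
    return first_full, legit_refused


if __name__ == "__main__":
    # Constructed numbers: 100k-entry table, 30 s half-open timeout, 5000 SYN/s flood.
    print(time_to_fill(100_000, 5_000, 30))        # 20.0 seconds
    print(flood_bandwidth_mbps(5_000))             # 2.4 Mbit/s: nowhere near a full pipe
    print(simulate_flood(100_000, 5_000, 30, 60))
```

The two knobs that matter are visible in `time_to_fill`: the table fills only if the rate times the timeout exceeds the capacity, so shortening the half-open timeout under load (the "weeding out states faster" that olden describes) or adding capacity pushes the flood rate needed past what the link can carry, at which point the pipe, not the state table, is the limit. A stateless ACL on the edge router has no such product to compute, which is the sense in which it is not a DDoS intensifier.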
  18. Re:Doesn't take that much... by icebike · Score: 2

    When DDOS attacks look like legitimate web hits, blackhole routing can only be used on networks that do not include web servers.

    --
    Sig Battery depleted. Reverting to safe mode.
  19. I'm a heretic on this, but firewalls are pointless by Theatetus · Score: 2

    for computers that deliberately offer a server to the public. Do what you want to do with network topology, instead. If your computer offers a web server, why is it listening for anything other than HTTP requests on its public-facing interface? If it's not listening for anything other than HTTP requests on its public-facing interface, what does the firewall do?

    --
    All's true that is mistrusted