More and more organizations realize that DDoS threats should receive higher priority in their security planning. However, many still believe that the traditional security tools such as firewalls and Intrusion Prevention Systems (IPS) can help them deal with the DDoS threat. This post explains why organizations should not count on their firewall and IPS when it comes to mitigating DDoS attacks.
Earlier this year, our Emergency Response Team (ERT) released itsannual security report based on dozens of DoS and DDoS attacks that occurred in 2012. The report found that in 33% of cases, the firewall and IPS devices were the main bottlenecks during the attack.
Why can’t firewalls and IPS handle DDoS attacks?
The simple answer is that they were not designed to do so. Firewalls and IPS focus on examining and preventing the intrusion of one entity at a time, but were not designed to detect the combined behavior of legitimate packets sent millions of times. Of course, this is a bit simplified. What follows, however, is a more detailed explanation of firewall and IPS shortcomings when it comes to effectively blocking DDoS attacks.
Firewalls and IPS is statefull devices.
As stateful devices, firewalls and IPS track all connections for inspection and store them in a connection table. Every packet is matched against the connection table to verify that it was transmitted over an established, legitimate connection.
The typical connection table can store tens of thousands of active connections, which is sufficient for normal network activity. However, a DDoS attack may include thousands of packets per second. As the first device in the organizational network to handle the traffic, the firewall or IPS will open a new connection in its connection table for each malicious packet, resulting in the quick exhaustion of the connection table. Once the connection table reaches its maximum capacity, it will not allow additional connections to be opened, ultimately blocking legitimate users from establishing connections.
DDoS mitigation devices, on the other hand, include a stateless protection mechanism that can handle millions of connection attempts without requiring connection table entries or exhausting other system resources.
Firewall and IPS cannot distinguish between malicious and legitimate users
Certain DDoS attack vectors such as HTTP floods, are composed of millions of legitimate sessions. Each session on its own is legitimate and it cannot be marked as a threat by firewalls and IPS. The problem of course is that firewalls and IPS were not designed to look at the behavior of millions of concurrent sessions as a whole, but only to examine individual sessions. This eliminates the ability to identify an attack composed of millions of valid requests.
Firewalls and IPS possess an inappropriate network location
Firewalls and IPS solutions are deployed too close to the protected servers and are not deployed as the first line of defense. However, this is precisely where DDoS attacks should be mitigated. The result is that DDoS attacks go through the protected data center without being detected by the traditional network security solutions. A dedicated DDoS mitigation solution, on the other hand, would be deployed even before the access router at the ISP hand-off, enabling the early detection of an attack.
There is no doubt that the increasing use and sophistication of DDoS attacks has fundamentally changed the security landscape. As organizations adjust their security architecture to effectively mitigate the rise in availability-based attacks, there is no question that the tools they deploy must continue to evolve as well. While firewalls and IPS continue to play an important role in protecting the network, today’s threats require a holistic solution that can secure the network and application’s layers, as well as effectively distinguish between legitimate and illegitimate traffic to keep organizations up and running.