The DDoS myth about the firewall and the IPS

By Nirav Shah | December 16, 2014

Posted in: Network Security Trends

It is about time we put an end to the myths that often come up when choosing a network security solution to protect against distributed denial of service (DDoS) attacks.  We'll take a look at a couple of common myths, namely:

  • Myth #1: An IPS can protect against Distributed Denial of Service (DDoS) attacks
  • Myth #2: A Firewall or a Next Generation Firewall can be a first line of defense against DDoS

Do you think that the majority of financial institutions, gaming companies, and large enterprises that have come under a DDoS attack did not have firewalls (and IPSs)?  Of course they did…and yet they were still “DDoSed.” Let me put a technical angle on all of this to demystify the myths.

Before we talk about solutions to protect against DDoS, let’s first understand the types of DDoS attacks out there. Here are the top three types of DDoS attacks:

  • Volumetric floods (TCP SYN, UDP, and HTTP floods)
  • Reflective attacks (NTP, DNS, SSDP/UPnP, Chargen, SNMP); note that these are almost always amplified
  • Resource exhaustion (Fragmented and malformed traffic, Low and slow requests)

Let’s think about how an attacker makes sure these attacks actually reach their targets, the Internet-facing servers and services.  Attackers start by aiming at the ports that are almost always open on the firewall: 80, 53, 25 and 443, to name a few.  They then craft traffic that abuses weaknesses at the network and transport layers or in application-protocol headers, rather than anything in the application payload itself.

Now, let’s look at the protection mechanisms provided by the Firewalls and Intrusion Prevention Systems (IPS).

A firewall is a stateful device designed and configured to block traffic to any port that is not explicitly allowed. But ports 80, 53, 25 and 443 are always open because they are the entry points for the service traffic you actually want.  The DDoS attacks mentioned above arrive on exactly these open ports, so the firewall’s port policy passes them untouched.  Worse, volumetric floods exploit the stateful nature of the firewall itself: every spoofed SYN or unsolicited packet creates a state-table entry, the table fills up with junk, and legitimate connections are refused for lack of room.  Would you want that type of bottleneck as your “first line of defense”?
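To make the state-table point concrete, here is a small model of that failure mode. It is an added illustration, not code from the original post: the StatefulFirewall class is a toy rather than any vendor's implementation, and the table size, half-open timeout, address ranges and packet counts are made-up parameters.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Toy model of a stateful firewall's connection table (an assumption, not any vendor's design).

    Each inbound TCP SYN to an allowed port creates a SYN_RECV entry; the entry is
    promoted to ESTABLISHED on the client's ACK, or expired once half_open_timeout
    seconds pass without one. When the table is full, new connection attempts are
    refused regardless of whether they are legitimate.
    """
    max_entries: int            # capacity of the connection table
    half_open_timeout: float    # seconds a half-open entry lingers before expiry
    table: dict = field(default_factory=dict)  # flow 4-tuple -> (state, created_at)
    refused: int = 0            # attempts refused because the table was full

    def expire(self, now):
        stale = [k for k, (state, created) in self.table.items()
                 if state == "SYN_RECV" and now - created >= self.half_open_timeout]
        for k in stale:
            del self.table[k]

    def syn(self, flow, now):
        """Handle an inbound SYN; return True if the attempt was admitted."""
        self.expire(now)
        if flow in self.table:
            return True
        if len(self.table) >= self.max_entries:
            self.refused += 1
            return False
        self.table[flow] = ("SYN_RECV", now)
        return True

    def ack(self, flow, now):
        """Complete the handshake for an admitted flow."""
        if flow not in self.table:
            return False
        self.table[flow] = ("ESTABLISHED", now)
        return True


def run_syn_flood(table_size=1000, half_open_timeout=30.0, spoofed_syns=5000, rate=1000.0):
    """Flood the firewall with SYNs from spoofed sources that never ACK.

    All parameters are made-up values chosen to keep the run small; real devices
    hold far more entries, but the failure mode is the same.
    """
    fw = StatefulFirewall(table_size, half_open_timeout)
    target = ("203.0.113.10", 443)        # an allowed port, so port policy passes every SYN
    for i in range(spoofed_syns):
        spoofed = (f"198.51.100.{i % 254 + 1}", 1024 + i)  # never answers: entry stays SYN_RECV
        fw.syn(spoofed + target, now=i / rate)
    flood_end = spoofed_syns / rate
    legit = ("192.0.2.25", 40000) + target
    admitted_during = fw.syn(legit, now=flood_end)
    entries_during = len(fw.table)
    # Once the flood stops and the half-open entries time out, the table drains and
    # the same client gets in: the device was never "broken", just full.
    admitted_after = fw.syn(legit, now=flood_end + half_open_timeout)
    if admitted_after:
        fw.ack(legit, now=flood_end + half_open_timeout + 0.05)
    return {
        "entries_during_flood": entries_during,
        "refused_during_flood": fw.refused,
        "legit_admitted_during_flood": admitted_during,
        "legit_admitted_after_timeout": admitted_after,
        "entries_after_timeout": len(fw.table),
    }


if __name__ == "__main__":
    print(run_syn_flood())
```

With the defaults, a 1,000-entry table is full after the first second of a 1,000 SYN/s flood, the remaining 4,000 spoofed SYNs and the one legitimate client are all refused, and the client only gets in 30 seconds after the flood stops. Nothing in the port policy can help, because 443 must stay open.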

An IPS is deployed deeper in the network, typically behind the firewall.  It is designed to prevent intrusions such as server exploits, code injection and cross-site scripting attempts, and because those mainly occur at the application layer it performs deep packet inspection (DPI) on the payload.  If an IPS also has to absorb DDoS traffic on top of everything else, it cannot keep up with inspecting all of it at high throughput, and it becomes a bottleneck.  More importantly, an IPS is tuned to block anything that matches an intrusion signature or looks anomalous; in effect it only lets known good traffic through.  Under heavy load that bias produces false positives, and legitimate requests get dropped along with the attack.

Most IPS functionality is now being merged into Next Generation Firewalls.  Yet none of the NGFW/NGIPS vendors address the DDoS problem, which is exactly why a separate, dedicated solution for preventing DDoS attacks is needed.

DDoS Attack Myths about Firewalls and IPS

A DDoS mitigation system deployed in-line at the edge of the network is the most effective protection against DDoS.  Such a system must inspect control traffic (network and application headers), not perform DPI; determine whether a DDoS attack is present; and mitigate it instantly at line rates of tens of Gbps.  Furthermore, a DDoS mitigation system must operate on a “do-no-harm” philosophy of only dropping known bad traffic.  The main purpose is to ensure that good traffic always gets through while the effects of a DDoS attack are minimized.
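Here is what header-only triage of the three attack classes listed earlier looks like in practice, as an added example that is not part of the original post and not any vendor's mitigation code. The flow records are constructed for the example; the thresholds (SYN_PER_SEC, REFLECT_MIN_BYTES, SLOW_SECS, SLOW_BYTES, SLOW_CONNS) and the REFLECTOR_PORTS list are assumptions chosen so the sample data trips each rule; and 203.0.113.10 stands in for the protected server. Every decision uses only addresses, ports, TCP flags, sizes and timing, never payload, and a flow is dropped only when it matches a known-bad pattern; anything ambiguous passes.

```python
from collections import Counter, namedtuple

# One flow record per connection or datagram exchange. These are the header fields a
# mitigation device can read at line rate without touching payload.
Flow = namedtuple("Flow", "t direction src sport dst dport proto flags size duration")

TARGET = "203.0.113.10"                 # assumed address of the protected server
REFLECTOR_PORTS = {123, 53, 1900, 19, 161}  # assumed: NTP, DNS, SSDP, Chargen, SNMP
SYN_PER_SEC = 100        # assumed: half-open SYNs per second to one dst:port
REFLECT_MIN_BYTES = 256  # assumed: unsolicited reply larger than this is an amplified hit
SLOW_SECS = 120          # assumed: connection open at least this long...
SLOW_BYTES = 200         # assumed: ...while moving at most this many bytes
SLOW_CONNS = 20          # assumed: that many such connections from one source


def build_sample_flows():
    """Constructed records: a legitimate DNS exchange, three unsolicited NTP replies,
    a 150-SYN spoofed flood, one real client connecting during the flood, a
    low-and-slow attacker holding 40 idle connections, and one slow but harmless client."""
    flows = [Flow(0.00, "out", TARGET, 40001, "192.0.2.53", 53, "udp", "", 64, 0),
             Flow(0.02, "in", "192.0.2.53", 53, TARGET, 40001, "udp", "", 120, 0)]
    for i, src in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        flows.append(Flow(0.5 + i * 0.01, "in", src, 123, TARGET, 55555, "udp", "", 468, 0))
    for i in range(150):
        flows.append(Flow(1.0 + i * 0.006, "in", f"198.51.100.{i % 250 + 1}", 1024 + i,
                          TARGET, 443, "tcp", "S", 60, 0))
    flows.append(Flow(1.5, "in", "192.0.2.25", 40000, TARGET, 443, "tcp", "SPAF", 5200, 2.0))
    for i in range(40):
        flows.append(Flow(2.0 + i * 0.1, "in", "198.51.100.200", 30000 + i,
                          TARGET, 80, "tcp", "SA", 90, 300))
    flows.append(Flow(2.5, "in", "192.0.2.30", 41000, TARGET, 80, "tcp", "SA", 150, 300))
    return flows


def is_half_open(f):
    """SYN seen, handshake never completed."""
    return f.proto == "tcp" and "S" in f.flags and "A" not in f.flags


def is_slow(f):
    """Established connection held open for a long time while barely sending anything."""
    return f.proto == "tcp" and "A" in f.flags and f.duration >= SLOW_SECS and f.size <= SLOW_BYTES


def triage(flows):
    """Return (flow, verdict, reason) for each inbound flow; verdict is 'drop' or 'pass'."""
    # Replies we asked for: an outbound flow to (dst, dport) legitimises an inbound
    # flow from that same address and port.
    solicited = {(f.dst, f.dport, f.src, f.sport) for f in flows if f.direction == "out"}
    # Half-open SYNs per one-second bucket per destination socket.
    syn_buckets = Counter((int(f.t), f.dst, f.dport)
                          for f in flows if f.direction == "in" and is_half_open(f))
    # Idle long-lived connections per source.
    slow_per_src = Counter(f.src for f in flows if f.direction == "in" and is_slow(f))

    verdicts = []
    for f in flows:
        if f.direction != "in":
            continue
        reason = None
        if (f.proto == "udp" and f.sport in REFLECTOR_PORTS
                and (f.src, f.sport, f.dst, f.dport) not in solicited
                and f.size >= REFLECT_MIN_BYTES):
            reason = "reflection"
        elif is_half_open(f) and syn_buckets[(int(f.t), f.dst, f.dport)] > SYN_PER_SEC:
            reason = "syn_flood"
        elif is_slow(f) and slow_per_src[f.src] >= SLOW_CONNS:
            reason = "low_and_slow"
        verdicts.append((f, "drop" if reason else "pass", reason))
    return verdicts


def summarize(verdicts):
    """Count passes and drops by reason."""
    return dict(Counter(reason or "pass" for _, _, reason in verdicts))


if __name__ == "__main__":
    for f, verdict, reason in triage(build_sample_flows()):
        if verdict == "drop":
            print(f"drop {f.src}:{f.sport} -> {f.dst}:{f.dport} ({reason})")
    print(summarize(triage(build_sample_flows())))
```

The "do-no-harm" bias shows up in the sample: the real client that connects to 443 in the middle of the SYN flood passes because its handshake completed, the slow-but-single client on port 80 passes because one idle connection is not a pattern, and the DNS reply passes because the server asked for it. Only flows that match a known-bad header pattern are dropped, and none of the rules ever looks at a payload byte.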

As security professionals, we need to make sure that the myths about firewall and IPS devices providing DDoS protection don’t proliferate and give a false sense of security.

