Subject – Misconceptions of Firewalls in Building Your DDOS/DOS Strategy
Over time, when speaking with our customers, we have noticed a concerning misconception that firewalling can wholly mitigate DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks. The risk of this false sense of security (quite literally!) is significant: attackers can take down your websites, harm your customers' experience or disrupt service. To help you make better decisions about how to build your DDoS mitigation strategy, we have set out below how to get the most from your firewalls in preventing, detecting and mitigating DDoS, and where additional controls are needed. Once you know the risks and the true effectiveness of your controls, you can decide either to accept the residual risk or to invest further to mitigate it.
Before we get into the specifics of firewalling and DDoS/DoS, it is worth noting that denial of service should be addressed first and foremost by correct network and application design. That design should take a risk-based approach that weighs the likelihood of an attack, the impact to your organisation and what actually needs to be covered, because the cost of DDoS and WAF (Web Application Firewall) mitigations can be significant if a blanket approach is taken. For example, start by asking which services would really hurt your business workflow or your customers' experience if they were inaccessible for 24 hours.
What Denial of Service (DOS) Attacks Firewalls can Protect Against (plus some nuance)
First, let's look at the attacks a firewall can mitigate, or partially mitigate, as part of a wider architecture.
Teardrop attacks - A teardrop attack is a DoS attack that sends a stream of deliberately malformed Internet Protocol (IP) fragments to a host. When the receiving IP stack tries to reassemble the fragments into the original packet, it cannot.
For example, the attacker fragments a datagram but sets the fragment offsets so that the fragments overlap (the classic teardrop exploit), or so that the reassembled datagram would be larger than the maximum IP packet size. A vulnerable stack mishandles the reassembly and crashes or hangs. Many firewalls validate fragment offsets and lengths, or reassemble the datagram themselves before forwarding, and drop fragment sets that do not fit together. It is like dropping a Lego model on the floor and asking someone to rebuild it block-perfect within a time limit, except the instructions are wrong. One caveat: a firewall that reassembles on behalf of its hosts must hold partial datagrams in memory until they complete or time out, and that buffer is itself a finite resource an attacker can aim at.
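The fragment checks described above, written out as an added example (this is not code from the original article or from any firewall vendor): a small classifier that takes the fragments of one datagram and reports whether they reassemble cleanly, overlap (the teardrop pattern), exceed the maximum IP datagram size, or leave a gap. The fragment sets at the bottom are constructed for illustration.

```python
"""Added example (not from the original article): the fragment sanity checks a
firewall performs before forwarding or reassembling IPv4 fragments. The fragment
sets below are constructed to show the teardrop (overlap) and oversize patterns."""
from dataclasses import dataclass

IPV4_HEADER = 20
MAX_PAYLOAD = 65535 - IPV4_HEADER   # reassembled payload cannot exceed this


@dataclass(frozen=True)
class Fragment:
    offset: int   # payload offset in bytes (the header field carries offset / 8)
    length: int   # payload bytes carried in this fragment
    more: bool    # MF flag: further fragments follow

    @property
    def end(self) -> int:
        return self.offset + self.length


def check_fragments(frags):
    """Classify one datagram's fragments (same src, dst, protocol and IP ID).

    Returns 'ok', or the first defect found:
      'oversize'   the reassembled datagram would exceed 65535 bytes
      'overlap'    a fragment rewrites bytes an earlier fragment already covered
                   (the teardrop pattern; byte-identical duplicates are flagged too)
      'incomplete' a gap in the byte range, or no final fragment seen
    """
    if not frags:
        return "incomplete"
    ordered = sorted(frags, key=lambda f: f.offset)
    covered_to = 0
    for f in ordered:
        if f.end > MAX_PAYLOAD:
            return "oversize"
        if f.offset < covered_to:
            return "overlap"
        if f.offset > covered_to:
            return "incomplete"
        covered_to = f.end
    if ordered[-1].more:
        return "incomplete"
    return "ok"


# Constructed fragment sets (not captured traffic)
BENIGN = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)]
TEARDROP = [Fragment(0, 40, True), Fragment(24, 8, False)]              # second fragment lands inside the first
PING_OF_DEATH = [Fragment(0, 65528, True), Fragment(65528, 16, False)]  # would end past 65515 bytes of payload
MISSING = [Fragment(0, 1480, True), Fragment(2960, 100, False)]         # bytes 1480..2959 never arrive

if __name__ == "__main__":
    cases = [("benign", BENIGN), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH), ("missing", MISSING)]
    for name, frags in cases:
        print(f"{name:14s} {check_fragments(frags)}")
```

A real reassembly engine keeps one of these fragment lists per (source, destination, protocol, IP ID) key with a timeout, which is exactly the memory an attacker can exhaust by sending endless first fragments and never the rest; the 'incomplete' verdict is where that timeout has to bite.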
SYN Flooding Attack - A SYN flood is a DoS attack that sends a large number of TCP connection requests (SYN segments) to a server but never completes the three-way handshake.
For example, the attacker sends SYNs from many, often spoofed, source addresses. The server replies with a SYN-ACK and allocates a half-open connection, but the final ACK never arrives. Repeated enough times, the server's backlog of pending connections fills, real clients cannot connect and the service appears "busy" or crashes. Many firewalls can detect and limit this: rate limiting new connections per source, using SYN cookies, or acting as a SYN proxy that only forwards a connection to the server once the client has completed the handshake. Bear in mind that the firewall's own connection table then becomes the resource under attack, which is why this is only a partial protection (see the protocol attacks below).
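To make the SYN cookie defence concrete, here is an added example, not code from the original article or from any vendor, of a SYN-cookie scheme in the style of RFC 4987. The server (or a firewall acting as SYN proxy) keeps no state for half-open connections: the initial sequence number it sends in the SYN-ACK is a keyed hash of the connection tuple plus a coarse time counter, and the client's final ACK proves it actually received that SYN-ACK. The secret, the counter values, the bit layout and the addresses are constructed for illustration.

```python
"""Added example (not from the original article): a SYN-cookie scheme in the style of
RFC 4987. The ISN in the SYN-ACK is derived from the connection tuple and a time
counter; validating the final ACK needs no stored half-open state.
Secret, counter, bit layout and addresses are constructed for illustration."""
import hashlib
import hmac
import struct

SECRET = b"constructed-server-secret-rotate-me"   # assumed per-server secret
COOKIE_WINDOW = 2                                  # counter ticks a cookie stays valid (tick = e.g. 64 s)
MSS_TABLE = (536, 1220, 1440, 1460)                # the client's MSS is squeezed into 2 bits


def _mac(src, sport, dst, dport, counter):
    """32-bit keyed hash over the connection tuple and the counter."""
    msg = src.encode() + struct.pack("!H", sport) + dst.encode() + struct.pack("!HI", dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(src, sport, dst, dport, client_mss, counter):
    """ISN for the SYN-ACK: bits 31..27 counter mod 32, bits 26..25 MSS index, bits 24..0 MAC."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac25 = _mac(src, sport, dst, dport, counter) & 0x1FFFFFF
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | mac25


def check_cookie(src, sport, dst, dport, ack_number, now_counter):
    """Validate the handshake's final ACK without any stored state.

    Returns the MSS to use for the new connection, or None if the cookie is forged
    (different tuple or wrong MAC) or older than COOKIE_WINDOW ticks.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    ctr_bits = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac25 = cookie & 0x1FFFFFF
    for age in range(COOKIE_WINDOW + 1):
        counter = now_counter - age
        if counter < 0:
            break
        if (counter & 0x1F) != ctr_bits:
            continue
        expected = _mac(src, sport, dst, dport, counter) & 0x1FFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"), mac25.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    tup = ("198.51.100.7", 40000, "203.0.113.10", 443)
    isn = make_cookie(*tup, client_mss=1460, counter=1000)
    print("SYN-ACK ISN:", hex(isn))
    print("genuine ACK accepted, MSS =", check_cookie(*tup, isn + 1, 1001))
    print("ACK replayed from another host:", check_cookie("198.51.100.8", 40000, "203.0.113.10", 443, isn + 1, 1001))
```

The point of the scheme is that a spoofed SYN costs the defender nothing beyond one hash and one SYN-ACK; only a client that can receive at the claimed source address can produce the matching ACK. The trade-offs are real, though: TCP options negotiated in the SYN are lost unless squeezed into the cookie (only the MSS here), the counter must advance so old cookies expire, and a firewall acting as SYN proxy still has to track every connection it has accepted, so the exhaustion problem moves from half-open to established state rather than disappearing.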
Some Application Attacks – For example, slow HTTP requests. In a slow HTTP attack a request is sent to the web server in small pieces, slowly. The request may never be completed, or the transfer rate is kept so low that the server holds the connection and its resources open while it waits for the remaining data. Meanwhile more and more such connections are opened until the server's concurrent connection limit is exhausted, so legitimate clients cannot connect or the web server crashes. A plain packet filter sees nothing wrong here; only an application-aware firewall, WAF or reverse proxy that enforces header timeouts and minimum request rates can mitigate it.
Some Protocol Attacks – e.g. TCP reset. In this attack an adversary sends forged TCP segments with the RST (reset) flag set, hoping that the receiving host, or the stateful firewall in front of it, will accept them and tear down legitimate TCP connections. Done at sufficient volume, or targeted at long-lived sessions, this results in a DoS of those services. A firewall that validates the sequence number of every RST against the connection state it tracks, rather than accepting anything that lands in the receive window, blunts blind reset attacks.
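The sequence-number check mentioned above is specified in RFC 5961. As an added example (not code from the original article or from any firewall), the two rules side by side: the original RFC 793 behaviour, where any RST inside the receive window kills the connection, and the hardened behaviour, where only an exact match on the next expected sequence number resets and an in-window guess is answered with a challenge ACK. The connection state and segment numbers are constructed.

```python
"""Added example (not from the original article): how a TCP stack or a stateful
firewall should treat an incoming RST under RFC 5961, compared with the original
RFC 793 rule. Connection state and segment numbers are constructed."""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32


@dataclass
class Conn:
    rcv_nxt: int   # next sequence number we expect from the peer
    rcv_wnd: int   # receive window we have advertised to the peer


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), honouring 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def handle_rst_rfc793(conn, seq):
    """Original rule: any RST whose sequence number is inside the window tears the connection down."""
    return "reset" if seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd) else "drop"


def handle_rst_rfc5961(conn, seq):
    """Hardened rule (RFC 5961 section 3.2).

    An exact match on RCV.NXT resets. An in-window but inexact RST is answered with a
    challenge ACK: a peer that genuinely reset replies with an RST at the exact number,
    while a blind forger, who never sees the challenge, cannot. Anything else is dropped.
    """
    if seq == conn.rcv_nxt:
        return "reset"
    if seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_rst_guesses(rcv_wnd, rfc5961):
    """Expected number of forged RSTs a blind attacker needs per connection, assuming the
    4-tuple is already known and ignoring any rate limit on challenge ACKs."""
    return SEQ_SPACE // (1 if rfc5961 else rcv_wnd)


if __name__ == "__main__":
    c = Conn(rcv_nxt=1000, rcv_wnd=65535)
    for seq in (1000, 30000, 999, 1000 + 65535):
        print(f"seq={seq:>6}  rfc793={handle_rst_rfc793(c, seq):<6} rfc5961={handle_rst_rfc5961(c, seq)}")
    print("blind guesses needed: rfc793", blind_rst_guesses(65535, False), " rfc5961", blind_rst_guesses(65535, True))
```

With a 64 KB window, the old rule lets an attacker who knows the 4-tuple reset a connection in roughly 65 thousand forged segments; with the hardened rule the only sequence number that works is one of 2^32. The same logic belongs in the firewall's own state tracking, because a forged RST that the firewall accepts tears down its entry for the flow even if both endpoints would have challenged it.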
Note - Stateful firewalls are inherently good at logging and dropping malformed or out-of-state TCP traffic. Such traffic is often labelled "DDoS" in reports, but is more likely to be a targeted attack or a single-source DoS. Application firewalls and some next-generation firewalls can do the same for higher-layer protocols such as HTTP, and for HTTPS if they terminate or decrypt TLS. Bear in mind that the appliances themselves can be the target: they are edge devices facing the Internet, so any vulnerability in them with a working exploit is far more exposed than the same flaw on an internal device.
Another point that balances out this partial protection: firewalls have finite CPU and state-table capacity, and almost any sustained DoS can push them over the edge, mainly because of the other work they are already doing, e.g.:
- NAT session tracking
- VPN termination (IPsec and SSL)
- Routing (unfortunately ever more common these days)
- Link aggregation (LACP, PAgP etc.)
- Deep packet inspection and TLS decryption (very CPU intensive)
The additional load of a DoS attack on top of this day-to-day load can cause a denial of service in itself, because the appliance falls over and takes every service behind it down with it.
Provided you have configured your firewall's DoS mitigation features correctly, you are partially protected against a narrow range of DoS attacks. However, the most common attack isn't covered.
What DOS can Firewalls NOT protect Against (plus some nuance)
Volumetric Attack (Distributed Denial of Service - DDoS) – This is where firewalls, along with any other on-premises hardware, are particularly ineffective, because the limit is bandwidth: the firewall's own throughput and, before that, the size of the circuit coming into the enterprise. This matters because volumetric attacks are the most common form of DoS (F5 Attack Trends 2020). A typical organisation has anywhere from 100 Mbps to 5 Gbps of bandwidth from its Internet service providers (ISPs). When the average DDoS attack is 6.63 Gbps, and often quite a bit larger, that bandwidth is overwhelmed before the traffic ever reaches the firewall: the circuit is saturated upstream, and nothing on your side of it, firewall or otherwise, can cope with the load (attack size figures from Neustar).
Protocol Attack - A protocol attack is a type of DDoS attack that exploits weaknesses in Layers 3 and 4 of the OSI model. For example, the attacker may abuse the TCP connection sequence, sending SYNs from spoofed source addresses and never completing the handshake, or replying with yet another request instead of the expected answer. Each unanswered request occupies an entry in a connection table, on the server and on every stateful firewall in the path, until the table is full and nothing new gets through. A firewall can absorb a certain rate of this (see the SYN flooding attack above), but at distributed scale the firewall's own state table is what gets exhausted.
Application-based Attack - An application-based attack is a type of DDoS attack that targets Layer 7 of the OSI model. An example is a Slowloris attack, in which the attacker opens many connections and sends partial Hypertext Transfer Protocol (HTTP) requests but never completes them, periodically sending one more header line on each connection to keep it alive. The server's pool of connections is tied up until no new connections can be accepted. This type of attack is very difficult for a network firewall to detect: nothing is malformed, every packet is a valid TCP segment, it uses little to no bandwidth, and the problem is only visible at the HTTP level, where a traditional firewall does not look.
Additionally, not all applications or services sit behind your firewall. Internet-facing systems such as websites and DNS servers may live in a DMZ with a different policy, or be hosted outside your perimeter altogether, and those may not be covered by your firewall's DoS features at all.
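The slow HTTP attack is mentioned twice on this page, once as something an application-aware firewall can mitigate and once as something a network firewall cannot see. The difference is the logic below: an added example, not code from the original article or from any product, of what a WAF, reverse proxy or web server timeout actually has to track per connection to catch Slowloris style clients. It enforces a deadline for delivering the complete request head, a minimum byte rate, and a cap on concurrent incomplete requests per source IP. The thresholds and the connection timeline are constructed for illustration.

```python
"""Added example (not from the original article): detection logic for slow-header
HTTP clients, the work an application-aware firewall, WAF or web server timeout must
do to see Slowloris style traffic that looks like valid TCP to a packet filter.
Policy thresholds and the connection events are constructed for illustration."""
from dataclasses import dataclass, field

HEADER_DEADLINE = 20.0   # seconds allowed to deliver the complete request head
MIN_RATE = 5.0           # bytes per second, averaged over the connection's life so far
RATE_GRACE = 5.0         # do not judge the byte rate before this many seconds
PER_IP_LIMIT = 50        # concurrent connections with an incomplete head per source IP


@dataclass
class ConnState:
    src: str
    opened: float
    head: bytearray = field(default_factory=bytearray)
    complete: bool = False


class SlowRequestGuard:
    """Tracks each connection until its request head (up to the blank line) is complete."""

    def __init__(self):
        self.conns = {}      # connection id -> ConnState
        self.dropped = {}    # connection id -> reason it was closed

    def _incomplete_from(self, src):
        return sum(1 for c in self.conns.values() if c.src == src and not c.complete)

    def _drop(self, cid, reason):
        self.dropped[cid] = reason
        del self.conns[cid]

    def on_open(self, cid, src, t):
        # Slowloris needs many parallel connections from few hosts: cap per source.
        if self._incomplete_from(src) >= PER_IP_LIMIT:
            self.dropped[cid] = "per-ip-limit"
            return
        self.conns[cid] = ConnState(src, t)

    def on_data(self, cid, data, t):
        c = self.conns.get(cid)
        if c is None or c.complete:
            return
        c.head += data
        if b"\r\n\r\n" in c.head:
            c.complete = True   # head delivered; hand the request to the application

    def tick(self, t):
        # Periodic sweep: enforce the header deadline and the minimum byte rate.
        for cid, c in list(self.conns.items()):
            if c.complete:
                continue
            elapsed = t - c.opened
            if elapsed >= HEADER_DEADLINE:
                self._drop(cid, "header-deadline")
            elif elapsed >= RATE_GRACE and len(c.head) / elapsed < MIN_RATE:
                self._drop(cid, "min-rate")


def simulate():
    """Constructed timeline: a normal client, a client dripping one header line per second,
    a client that stalls after the request line, and one host opening more connections
    than the per-IP cap. Returns the guard so the outcome can be inspected."""
    g = SlowRequestGuard()
    g.on_open("normal", "198.51.100.10", 0.0)
    g.on_data("normal", b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n", 0.05)
    g.on_open("drip", "198.51.100.20", 0.0)
    g.on_data("drip", b"GET / HTTP/1.1\r\n", 0.1)
    g.on_open("stall", "198.51.100.30", 0.0)
    g.on_data("stall", b"GET / HTTP/1.1\r\n", 0.1)
    for i in range(PER_IP_LIMIT + 5):
        g.on_open(f"swarm-{i}", "203.0.113.66", 0.2)
    for t in range(1, 31):
        g.on_data("drip", b"X-a: b\r\n", float(t))   # another header line, never the blank line
        g.tick(float(t))
    return g


if __name__ == "__main__":
    guard = simulate()
    print("still open:", sorted(guard.conns))
    for cid in ("drip", "stall", "swarm-0", "swarm-54"):
        print(f"{cid:10s} dropped: {guard.dropped.get(cid)}")
```

Every decision here depends on reading the HTTP bytes and on wall-clock time per connection, neither of which a Layer 3/4 packet filter looks at. The per-source cap is also the control most easily evaded by a distributed attacker, which is why the deadline and rate checks carry most of the weight.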
What should you do?
We’ve drafted below some points to consider to help you mitigate DDOS challenges.
- Ensure you’re applying good architecture and design principles to your network and applications.
- Inspect what your firewall can mitigate from a DOS/DDOS perspective and enable those functions, where applicable.
- Identify and mitigate the areas where your firewall cannot help, e.g. volumetric attacks on your customer-facing websites or your key corporate application portal.
Typically a volumetric attack can only be mitigated upstream of your own circuit, by one of the following:
- Your ISP – although this is less popular now, as few organisations have a single ISP, especially in a global context, and SD-WAN is displacing the single-carrier MPLS model of old.
- A cloud-based DDoS mitigation provider (Cloudflare, Imperva, F5 etc.)
- Dedicated DDoS scrubbing technology (ironically, often the same technology the ISPs and CDNs run anyway)
If you want any help determining what the best approach is or what technologies would help you better protect your infrastructure please contact us on firstname.lastname@example.org.
Good breakdowns of the different types of attack can be found here:
Cloudflare, What is a DDos Attack? - https://www.cloudflare.com/en-gb/learning/ddos/what-is-a-ddos-attack/
Imperva, DDoS Attacks - https://www.imperva.com/learn/ddos/ddos-attacks/
Another really good read is the F5 article "F5 DDoS Protection Reference Architecture": it breaks the types of attack down into a table and sets out which solution or approach is appropriate for each. F5 provides different solutions at different levels, not just cloud based.