DDoS Attacks Turn Firewall Deployments into Liability

Putting stateful firewalls in front of servers can be a liability in the fight against DDoS, according to Arbor Networks.

Between the attacks by "Anonymous" and censorship efforts by various governments, distributed denial-of-service (DDoS) attacks were a familiar feature of news stories in 2010.

But while the sophistication of attacks may have grown during the past year, efforts by Internet service providers have not kept pace, according to research by Arbor Networks.

In a 12-month study (PDF) spanning from October 2009 to September 2010, the firm discovered that the improper use of stateful firewalls has actually left many ISPs more susceptible to DDoS. In a survey of 111 IP network operators from around the world, 86 percent of respondents indicated they or their customers have placed stateful firewall and/or IPS devices in their Internet Data Centers (IDCs). But a rise in application-layer DDoS attacks has made that approach a liability, researchers said.

Stateful inspection makes sense in an enterprise endpoint access LAN (local area network) where the majority of computing devices are clients, explained Roland Dobbins, solutions architect at Arbor Networks. In a server environment such as an IDC, however, every incoming request to a Web server, DNS server and so on is unsolicited, leaving no state to inspect. Each set of packets traversing a stateful firewall, however, consumes state-table resources within those firewalls, creating a DDoS chokepoint.

"Even in the largest firewalls on the market, there's a limited amount of state-table resources, and it's quite easy for attackers to programmatically generate sufficient well-formed traffic which will conform to the firewall policy rules, yet will 'crowd out' legitimate traffic from real users, leading to a DoS of the servers and applications behind the firewall," Dobbins said. "Additionally, sufficient firewall state-table exhaustion due to attack traffic will often times cause stateful firewalls to essentially 'fall over' and fail to forward traffic.

"We see this constantly-stateful firewalls almost invariably succumb to DDoS attacks far more rapidly than the servers themselves would without the firewalls there at all," he said.

Nearly half of the respondents experienced stateful firewall and/or IPS failure as a direct result of DDoS attacks during the survey period.

The answer to this, Dobbins said, lies with access policies for servers. Only 14 percent of the respondents said they follow the IDC best practice of enforcing access policy via stateless access control lists deployed on hardware-based routers and Layer 3 switches that can handle millions of packets per second.