Putting stateful firewalls in front of servers can be a liability in the fight against DDoS, according to Arbor Networks.
Between the attacks by "Anonymous" and censorship
efforts by various governments, distributed denial-of-service (DDoS)
attacks were a familiar feature of news stories in 2010.
But while the sophistication of attacks may have grown during the past year,
efforts by Internet service providers have not kept pace, according to research
by Arbor Networks.
In a 12-month
study (PDF) spanning from October 2009 to September 2010, the firm
discovered that the improper use of stateful firewalls has actually left many
ISPs more susceptible to DDoS. In a survey of 111 IP network
operators from around the world, 86 percent of respondents indicated they
or their customers have placed stateful firewall and/or IPS
devices in their Internet Data Centers (IDCs). But a rise in application-layer
DDoS attacks has made that approach a liability, researchers said.
Stateful inspection makes sense in an enterprise endpoint access LAN
(local area network) where the majority of computing devices are clients,
explained Roland Dobbins, solutions architect at Arbor Networks. In a server
environment such as an IDC, however, every
incoming request to a Web server, DNS server and so on is unsolicited,
leaving no state to inspect. Each set of packets traversing a stateful firewall,
however, consumes state-table resources within those firewalls, creating a DDoS
"Even in the largest firewalls on the market, there's a limited amount
of state-table resources, and it's quite easy for attackers to programmatically
generate sufficient well-formed traffic which will conform to the firewall
policy rules, yet will 'crowd
out' legitimate traffic from real users, leading to a DoS of the servers
and applications behind the firewall," Dobbins said. "Additionally,
sufficient firewall state-table exhaustion due to attack traffic will
oftentimes cause stateful firewalls to essentially 'fall over' and fail to forward
"We see this constantly: stateful firewalls almost invariably succumb to
DDoS attacks far more rapidly than the servers themselves would without the
firewalls there at all," he said.
Nearly half of the respondents experienced stateful firewall and/or IPS
failure as a direct result of DDoS attacks during the survey period.
The answer to this, Dobbins said, lies with access policies for servers.
Only 14 percent of the respondents said they follow the IDC
best practice of enforcing access policy via stateless access control lists
deployed on hardware-based routers and Layer 3 switches that can handle
millions of packets per second.
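To make the state-table argument concrete, here is a toy simulation added for this article (it is not Arbor's code or data): a stateful firewall with an assumed table of 1,000 entries and a stateless ACL both see the same constructed mix of policy-conforming flows, and we count how many legitimate requests still reach the server behind each.

```python
"""Toy model of the state-table exhaustion described above (constructed
example: the firewall, traffic and numbers are assumptions, not Arbor's data).
A stateful firewall needs one state-table entry per flow before it forwards;
a stateless ACL on a router decides per packet and has no table to exhaust."""
from dataclasses import dataclass

STATE_CAPACITY = 1000      # assumed state-table size of the toy firewall
ALLOWED_PORTS = (80, 53)   # policy: only the Web and DNS servers are reachable

@dataclass(frozen=True)
class Flow:
    src: str
    dport: int
    legit: bool  # constructed label, used only to score the outcome

def stateful_firewall(flows, capacity=STATE_CAPACITY):
    """Forward a flow only if policy permits it and the table has room.
    Policy-conforming attack flows consume entries exactly like real ones;
    once the table is full every new flow is dropped, legitimate or not."""
    table, legit_served = set(), 0
    for f in flows:
        if f.dport not in ALLOWED_PORTS:
            continue              # denied by policy, no entry created
        if f not in table:
            if len(table) >= capacity:
                continue          # state exhaustion: new flow dropped
            table.add(f)
        if f.legit:
            legit_served += 1
    return legit_served

def stateless_acl(flows):
    """Per-packet permit/deny, constant cost, nothing to exhaust; permitted
    traffic still reaches the server, which must absorb the load itself."""
    return sum(1 for f in flows if f.dport in ALLOWED_PORTS and f.legit)

def build_traffic(n_attack=5000, n_legit=200):
    """Constructed mix: many distinct policy-conforming flows to the permitted
    Web port, interleaved with a smaller number of real client requests."""
    flows, step = [], n_attack // n_legit
    for i in range(n_attack):
        flows.append(Flow(f"10.0.{i // 256}.{i % 256}", 80, legit=False))
        if i % step == 0:
            flows.append(Flow(f"192.0.2.{i // step}", 80, legit=True))
    return flows

if __name__ == "__main__":
    traffic = build_traffic()
    print("legit served behind stateful firewall:", stateful_firewall(traffic))
    print("legit served behind stateless ACL:   ", stateless_acl(traffic))
```

With the defaults the table fills after the first 1,000 flows, so only the 39 legitimate requests that arrived before that point are served behind the stateful device, while all 200 pass the stateless ACL; raising the table size only moves the threshold.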