DDoS Attacks Turn Firewall Deployments into Liability

By Brian Prince  |  Posted 2011-02-01

DDoS Attacks Turn Firewall Deployments into Liability

Between the attacks by "Anonymous" and censorship efforts by various governments, distributed denial-of-service (DDoS) attacks were a familiar feature of news stories in 2010.

But while the sophistication of attacks may have grown during the past year, efforts by Internet service providers have not kept pace, according to research by Arbor Networks.

In a 12-month study (PDF) spanning from October 2009 to September 2010, the firm discovered that the improper use of stateful firewalls has actually left many ISPs more susceptible to DDoS. In a survey of 111 IP network operators from around the world, 86 percent of respondents indicated they or their customers have placed stateful firewall and/or IPS devices in their Internet Data Centers (IDCs). But a rise in application-layer DDoS attacks has made that approach a liability, researchers said.

Stateful inspection makes sense in an enterprise endpoint access LAN (local area network) where the majority of computing devices are clients, explained Roland Dobbins, solutions architect at Arbor Networks. In a server environment such as an IDC, however, every incoming request to a Web server, DNS server and so on is unsolicited, leaving no state to inspect. Each set of packets traversing a stateful firewall, however, consumes state-table resources within those firewalls, creating a DDoS chokepoint.

"Even in the largest firewalls on the market, there's a limited amount of state-table resources, and it's quite easy for attackers to programmatically generate sufficient well-formed traffic which will conform to the firewall policy rules, yet will 'crowd out' legitimate traffic from real users, leading to a DoS of the servers and applications behind the firewall," Dobbins said. "Additionally, sufficient firewall state-table exhaustion due to attack traffic will often times cause stateful firewalls to essentially 'fall over' and fail to forward traffic.

"We see this constantly-stateful firewalls almost invariably succumb to DDoS attacks far more rapidly than the servers themselves would without the firewalls there at all," he said.

Nearly half of the respondents experienced stateful firewall and/or IPS failure as a direct result of DDoS attacks during the survey period.

The answer to this, Dobbins said, lies with access policies for servers. Only 14 percent of the respondents said they follow the IDC best practice of enforcing access policy via stateless access control lists deployed on hardware-based routers and Layer 3 switches that can handle millions of packets per second.

Application-Layer DDoS on the Rise


When it came to application-layer DDoS attacks, HTTP, DNS and SMTP were the most frequently targeted applications, the survey found. Seventy-eight percent experienced HTTP DDoS attacks during the survey period, while 65 percent experienced DNS-focused attacks. Voice-over-IP (VoIP) systems, gaming servers and TCP port 123 were also listed as application-layer targets.

Such attacks have grown more sophisticated as service providers have become more adept at dealing with brute-force packet-flooding layer 3 and 4 DDoS attacks, Dobbins said. Attackers have also come to realize that many applications, as well as their ancillary services, are relatively fragile, nonscalable and poorly defended-if they're defended at all. This means that attackers can achieve "significant attack amplification by flooding applications with well-crafted, yet hostile transactional traffic" that ultimately allows them to take down applications with less bandwidth and effort than simple packet-flooding attacks, he said.

The report also included bad news for mobile operators. Of the 30 percent of respondents that operated mobile/fixed wireless networks, 59 percent said they have limited or no visibility into the network traffic of their wireless packet cores when it comes to classifying core traffic as potentially harmful. Only 23 percent indicated they have visibility into their wireless packet cores on par with or better than their visibility into their wireline packet cores.

"The core technologies in mobile wireless networks today are non-TCP/IP protocols; consequently, mobile wireless operators must have staff with strong skill sets with these technologies, which are considerably different from TCP/IP," Dobbins said. "Given that until the last couple of years, mobile wireless SPs [service providers] have been far more focused on voice 'minutes' rather than their data services, many have consequently heavily staffed on the voice-related side, with less emphasis on the TCP/IP data side of their businesses.

"With the explosion of usable and useful smartphones, iDevices and the skyrocketing popularity of 3G modem dongles for laptop computers and even the utilization of 3G services for remote branch office connectivity, many mobile wireless operators have in essence become 'accidental ISPs' over the last couple of years," he continued. "Consequently, they're struggling to learn and operationalize all the lessons learned by wireline operators over the last decade-and all at once, now."

Rocket Fuel