Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    DDoS Attacks Turn Firewall Deployments into Liability

    By
    Brian Prince
    -
    February 1, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Between the attacks by “Anonymous” and censorship efforts by various governments, distributed denial-of-service (DDoS) attacks were a familiar feature of news stories in 2010.

      But while the sophistication of attacks may have grown during the past year, efforts by Internet service providers have not kept pace, according to research by Arbor Networks.

      In a 12-month study (PDF) spanning from October 2009 to September 2010, the firm discovered that the improper use of stateful firewalls has actually left many ISPs more susceptible to DDoS. In a survey of 111 IP network operators from around the world, 86 percent of respondents indicated they or their customers have placed stateful firewall and/or IPS devices in their Internet Data Centers (IDCs). But a rise in application-layer DDoS attacks has made that approach a liability, researchers said.

      Stateful inspection makes sense in an enterprise endpoint access LAN (local area network) where the majority of computing devices are clients, explained Roland Dobbins, solutions architect at Arbor Networks. In a server environment such as an IDC, however, every incoming request to a Web server, DNS server and so on is unsolicited, leaving no state to inspect. Each set of packets traversing a stateful firewall, however, consumes state-table resources within those firewalls, creating a DDoS chokepoint.

      “Even in the largest firewalls on the market, there’s a limited amount of state-table resources, and it’s quite easy for attackers to programmatically generate sufficient well-formed traffic which will conform to the firewall policy rules, yet will ‘crowd out’ legitimate traffic from real users, leading to a DoS of the servers and applications behind the firewall,” Dobbins said. “Additionally, sufficient firewall state-table exhaustion due to attack traffic will often times cause stateful firewalls to essentially ‘fall over’ and fail to forward traffic.

      “We see this constantly-stateful firewalls almost invariably succumb to DDoS attacks far more rapidly than the servers themselves would without the firewalls there at all,” he said.

      Nearly half of the respondents experienced stateful firewall and/or IPS failure as a direct result of DDoS attacks during the survey period.

      The answer to this, Dobbins said, lies with access policies for servers. Only 14 percent of the respondents said they follow the IDC best practice of enforcing access policy via stateless access control lists deployed on hardware-based routers and Layer 3 switches that can handle millions of packets per second.

      Application-Layer DDoS on the Rise

      When it came to application-layer DDoS attacks, HTTP, DNS and SMTP were the most frequently targeted applications, the survey found. Seventy-eight percent experienced HTTP DDoS attacks during the survey period, while 65 percent experienced DNS-focused attacks. Voice-over-IP (VoIP) systems, gaming servers and TCP port 123 were also listed as application-layer targets.

      Such attacks have grown more sophisticated as service providers have become more adept at dealing with brute-force packet-flooding layer 3 and 4 DDoS attacks, Dobbins said. Attackers have also come to realize that many applications, as well as their ancillary services, are relatively fragile, nonscalable and poorly defended-if they’re defended at all. This means that attackers can achieve “significant attack amplification by flooding applications with well-crafted, yet hostile transactional traffic” that ultimately allows them to take down applications with less bandwidth and effort than simple packet-flooding attacks, he said.

      The report also included bad news for mobile operators. Of the 30 percent of respondents that operated mobile/fixed wireless networks, 59 percent said they have limited or no visibility into the network traffic of their wireless packet cores when it comes to classifying core traffic as potentially harmful. Only 23 percent indicated they have visibility into their wireless packet cores on par with or better than their visibility into their wireline packet cores.

      “The core technologies in mobile wireless networks today are non-TCP/IP protocols; consequently, mobile wireless operators must have staff with strong skill sets with these technologies, which are considerably different from TCP/IP,” Dobbins said. “Given that until the last couple of years, mobile wireless SPs [service providers] have been far more focused on voice ‘minutes’ rather than their data services, many have consequently heavily staffed on the voice-related side, with less emphasis on the TCP/IP data side of their businesses.

      “With the explosion of usable and useful smartphones, iDevices and the skyrocketing popularity of 3G modem dongles for laptop computers and even the utilization of 3G services for remote branch office connectivity, many mobile wireless operators have in essence become ‘accidental ISPs’ over the last couple of years,” he continued. “Consequently, they’re struggling to learn and operationalize all the lessons learned by wireline operators over the last decade-and all at once, now.”

      Brian Prince

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Careers

      SThree’s Sunny Ackerman on Tech Hiring Trends

      James Maguire - June 9, 2022 0
      I spoke with Sunny Ackerman, President/Americas for tech recruiter SThree, about the tight labor market in the tech sector, and much needed efforts to...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×