Tuesday, July 19, 2011

What techniques do advanced firewalls use to protect against DoS/DDoS?

It is hard to protect a server against Denial of Service attacks, DoS/DDoS. The two simple ways I can think of are to use a server with a lot of resources (e.g. CPU and memory), and to build the server application to scale up very well. Other protection mechanisms are probably used by the firewall. I can think of black-listing IP addresses, but I don't really know how it works. And there are probably other techniques that are used by the firewall to protect against DDoS attacks.

What techniques do advanced firewalls use to protect against DoS/DDoS attacks?

Tags: attack-prevention, network, firewalls, ddos

asked Nov 12 '10 at 0:28 by Jonas
edited Nov 22 '10 at 12:28 by AviD♦

4 Answers

Answer (score 8, accepted)
Those are really two different, though similar, attacks.

"Regular" DoS is based on trying to crash the server/firewall through some kind of bug or vulnerability, e.g. the well-known SYN flood attacks. The protection against these is of course specific to the flaw (e.g. SYN cookies), and secure coding/design in general.

However, DDoS simply attempts to overwhelm the server/firewall by flooding it with masses of apparently legitimate requests.
Truthfully, a single firewall cannot really protect against this, since there is no real way to mark the "bad" clients. It's just a question of "best effort", such as throttling itself so it doesn't crash, load balancers and failover systems, attempting to blacklist IPs (if not according to "badness", then according to usage), and of course, actively notifying the administrators.
This last might be the most important, since in cases of apparent DDoS (I say apparent, because just regular peak usage might look like DDoS - true story) it really takes a human to differentiate the context of the situation, and figure out whether to shut down, best effort, provision another box, etc. (or employ counter-attack... ssshhh!!)

answered Nov 12 '10 at 0:39 by AviD♦
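
AviD names SYN cookies as the flaw-specific defence against a SYN flood. The block below is an added example (my code, not AviD's) showing how a server can answer a SYN with a sequence number that encodes a cookie, keep no half-open state, and later verify the client's ACK. The bit layout (top 8 bits a time counter, low 24 bits hash plus MSS index) is modelled on the Linux scheme, but the hash construction, constants, MSS table, secret and addresses are assumptions for illustration, not kernel code.

```python
"""Stateless SYN-flood defence with SYN cookies (added example).

A SYN flood fills the listener's half-open connection table. With SYN
cookies the server stores nothing: the sequence number in its SYN-ACK is a
keyed hash over the connection 4-tuple, a coarse time counter and an index
into a small MSS table. The client's final ACK is accepted only if (ack - 1)
decodes back to a fresh cookie for that tuple. Layout and constants below
are assumptions modelled loosely on Linux, not the kernel's code.
"""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret-rotate-in-production"   # constructed key
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values a cookie can encode
COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MAX_COOKIE_AGE = 2                    # counter ticks a cookie stays valid


def minute_counter(now=None):
    """Coarse time counter carried in the top 8 bits of the cookie."""
    return int((time.time() if now is None else now) // 60) & 0xFF


def _cookie_hash(tag, saddr, daddr, sport, dport, count):
    """32-bit keyed hash over the 4-tuple and a counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(SECRET + tag, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_cookie(saddr, daddr, sport, dport, client_seq, client_mss, count):
    """Initial sequence number for the SYN-ACK. No per-SYN state is kept."""
    mss_index = 0
    for i, mss in enumerate(MSS_TABLE):     # largest table entry <= client MSS
        if mss <= client_mss:
            mss_index = i
    h1 = _cookie_hash(b"h1", saddr, daddr, sport, dport, 0)
    h2 = _cookie_hash(b"h2", saddr, daddr, sport, dport, count)
    return (h1 + client_seq + (count << COOKIE_BITS)
            + ((h2 + mss_index) & COOKIE_MASK)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_seq, cookie, count):
    """Return the MSS encoded in a valid, unexpired cookie, else None."""
    h1 = _cookie_hash(b"h1", saddr, daddr, sport, dport, 0)
    c = (cookie - h1 - client_seq) & 0xFFFFFFFF
    issued = c >> COOKIE_BITS
    if ((count - issued) & 0xFF) >= MAX_COOKIE_AGE:
        return None                  # stale, or a counter we never used
    h2 = _cookie_hash(b"h2", saddr, daddr, sport, dport, issued)
    mss_index = (c - h2) & COOKIE_MASK
    if mss_index >= len(MSS_TABLE):
        return None                  # hash mismatch: forged ACK or wrong tuple
    return MSS_TABLE[mss_index]


def accept_final_ack(saddr, daddr, sport, dport, ack_seq, ack_num, count):
    """Third handshake packet: seq = client_seq + 1, ack = cookie + 1."""
    return check_cookie(saddr, daddr, sport, dport,
                        (ack_seq - 1) & 0xFFFFFFFF,
                        (ack_num - 1) & 0xFFFFFFFF, count)


if __name__ == "__main__":
    # Constructed connection: client 203.0.113.7:40000 -> server 198.51.100.1:80
    src, dst, sp, dp = "203.0.113.7", "198.51.100.1", 40000, 80
    count = minute_counter()
    isn = make_cookie(src, dst, sp, dp, 1000, 1460, count)
    print("SYN-ACK ISN   :", hex(isn))
    print("valid ACK     :", accept_final_ack(src, dst, sp, dp, 1001, isn + 1, count))
    print("forged ACK    :", accept_final_ack(src, dst, sp, dp, 1001, 0x1234, count))
    print("ACK 2 min late:", accept_final_ack(src, dst, sp, dp, 1001, isn + 1, count + 2))
```

The point of the design is that the flood costs the server one hash per SYN and no memory; the price is that any TCP option not squeezed into the cookie (here only a coarse MSS) is lost for connections accepted this way, which is why real stacks enable cookies only once the backlog is under pressure.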

Answer (score 9)
My experience of DoS and DDoS attacks is based on being a Cisco engineer for an ISP and later a Security Manager for a very large global company. This experience has shown that effectively dealing with large-scale and complex attacks requires a good partnership between the organisation under attack and their ISP or DDoS mitigation partner (yes, there are now companies dedicated to this; in essence they are a very large ISP in their own right, but use their global network to take on the additional traffic generated during an attack).

Below are some considerations if you face an attack that is outside of your bandwidth tolerance (aka bandwidth consumption) and you need help in responding.

Where no mitigation partner exists: Establish a strong relationship with your ISP. Identify the right teams and contacts that you will need if there is an attack.

Use your firewall (or other logging device) to obtain evidence of the attack (source IP, protocol, packet length, etc.) as this information can be hugely valuable to the ISP in deciding how to respond. It's not fun trying to trap traffic on a Cisco routing device from the command line at 3am! So any help is appreciated. :-)

With this, your likely approach will be to filter out the traffic within the ISP cloud. If you have been able to provide enough information and the traffic is such, then the ISP may well be able to filter out the malicious traffic and leave valid network traffic free to access your network. However, if you are causing latency issues for the ISP then they are likely to black-hole your entire route at their BGP gateway and you will disappear from the net. Additional routing filters cause load on gateways, so don't expect your ISP to add multiple filters, as this may well impact their other users.

Using a mitigation partner:

I can only speak from the experience of one provider for this, so you will need to do your homework to decide if you require this and if so who would be best placed to provide.

The service was based upon BGP route advertisement and attack monitoring. Once an attack had been identified the mitigation partner advertises your route to pass through their network, where core routers are used to filter out the malicious traffic prior to passing on to the organisation.

My role in all of this was to test the implementation of a partnered approach to DDoS mitigation. This involved utilising a global team of security engineers to generate enough traffic to make for a valid test. We were testing both the ability to identify an attack and then to respond effectively. Based on this, we were very impressed with their overall approach and the solution worked.

answered Nov 24 '10 at 13:15 by David Stubley
Interesting, wasn't familiar with this concept. Though the original question was purely technical as to what mechanisms firewalls have, this definitely can be important to an org that is looking for solutions. – AviD♦ Nov 24 '10 at 14:05
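
David's advice is to pull source IP, protocol and packet length out of the firewall logs before calling the ISP, so that they can filter one signature rather than black-holing the whole prefix. The block below is an added example (mine, not David's) that parses netfilter-style LOG lines and ranks sources and (protocol, port, length, flags) signatures into the one-line summary you would hand over. The field names follow the iptables LOG format; the log lines, addresses and counts are constructed for the example.

```python
"""Summarise firewall LOG lines into the evidence an ISP can filter on
(added example; the sample log is constructed).

Parses iptables/netfilter LOG output ("IN=eth0 OUT= SRC=... PROTO=...") and
reports, per source, the dominant (protocol, dport, IP length, TCP flags)
signature, which is what an upstream ACL needs.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<body>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def _constructed_tcp_line(src, spt, dpt, length, flags):
    """Build one constructed LOG line in the netfilter format."""
    return (f"Nov 12 03:02:11 fw kernel: [812.1] IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.10 LEN={length} TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=65535 RES=0x00 {flags} URGP=0")


# Constructed sample: two SYN-flood sources, one UDP amplification packet
# and one ordinary HTTPS client.
SAMPLE_LOG = (
    [_constructed_tcp_line("203.0.113.45", 33012 + i, 80, 40, "SYN") for i in range(4)]
    + [_constructed_tcp_line("203.0.113.77", 41000 + i, 80, 40, "SYN") for i in range(3)]
    + ["Nov 12 03:02:12 fw kernel: [812.4] IN=eth0 OUT= SRC=198.51.100.200 "
       "DST=198.51.100.10 LEN=1472 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF "
       "PROTO=UDP SPT=53 DPT=53 LEN=1452"]
    + [_constructed_tcp_line("192.0.2.10", 51234, 443, 52, "ACK PSH")]
)


def parse_log_line(line):
    """Return a dict of LOG fields plus a 'flags' list, or None if not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"flags": []}
    for tok in m.group("body").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)   # UDP/ICMP print LEN twice; keep the IP length
        elif tok in TCP_FLAGS:
            rec["flags"].append(tok)
    for key in ("LEN", "TTL", "SPT", "DPT"):
        if key in rec and rec[key].isdigit():
            rec[key] = int(rec[key])
    return rec


def signature(rec):
    """The tuple an upstream filter can match on."""
    return (rec.get("PROTO"), rec.get("DPT"), rec.get("LEN"), " ".join(rec["flags"]))


def dominant_signature(lines):
    """Most common signature across all lines and how often it appeared."""
    counts = Counter(signature(r) for r in map(parse_log_line, lines) if r)
    return counts.most_common(1)[0]


def isp_report(lines, top=5):
    """Top sources by packet count, each with its dominant signature."""
    per_src = defaultdict(Counter)
    for rec in map(parse_log_line, lines):
        if rec:
            per_src[rec["SRC"]][signature(rec)] += 1
    ranked = sorted(per_src.items(), key=lambda kv: -sum(kv[1].values()))
    report = []
    for src, sigs in ranked[:top]:
        total = sum(sigs.values())
        (proto, dport, length, flags), n = sigs.most_common(1)[0]
        report.append(f"SRC={src} packets={total} PROTO={proto} DPT={dport} "
                      f"LEN={length} flags={flags or '-'} ({n}/{total})")
    return report


if __name__ == "__main__":
    print("dominant signature:", dominant_signature(SAMPLE_LOG))
    for line in isp_report(SAMPLE_LOG):
        print(line)
```

In practice you would run this over `journalctl -k` or `/var/log/kern.log` output from a LOG rule placed before your DROP rules; the dominant signature (here 40-byte TCP SYNs to port 80) is the filter to ask the ISP for first, and the per-source list is what you give them if they are willing to block addresses rather than a pattern.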

Answer (score 4)
Close all ports not in use. Also have the firewall blacklist that IP for an amount of time if they run too many requests. Bogon filtering might help too.

answered Nov 12 '10 at 0:39 by Bubby4j
+1 for introducing me to the term Bogon Filtering. I'm feeling like a bogan today.. :) – Anonymous Type Nov 16 '10 at 23:06

Answer (score 2)
DDoS is usually done by sending an overwhelming amount of packets to the server, which the server will frantically try to process, naturally. Once a firewall notices a possible DDoS it may be configured to blacklist any clients with a high enough PPS (packets per second).

Filters may be turned on and off at any time, so that if you experience a DDoS you may turn on a filter with a very strict ruleset.
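
Bubby4j's timed blacklist for a source that sends too many requests, the bogon filter he mentions, and this answer's packets-per-second threshold with a stricter ruleset you can switch on during an attack are three parts of the same mechanism. The block below is an added example (mine, not from either answer) that combines them: a sliding-window per-source PPS limit that bans an offender for a fixed time, with bogon sources dropped before any state is kept. The class name PacketRateGuard, the thresholds, the bogon subset and the traffic are all constructed for the example.

```python
"""Per-source PPS limit with a timed blacklist, plus bogon filtering
(added example; thresholds, ranges and traffic are constructed).

check() returns the verdict a packet-filter hook would act on. Sources in
unroutable (bogon) space are dropped without creating state, since replies
can never reach them and they are almost always spoofed.
"""
import ipaddress
from collections import Counter, defaultdict, deque

# Constructed subset of bogon space (private, loopback, link-local, shared
# address space, multicast, reserved). Production filters should load the
# full, current list from a maintained feed, since unallocated space changes.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


class PacketRateGuard:
    """Sliding-window packets-per-second limit per source address.

    A source that exceeds max_pps within one window is blacklisted for
    ban_seconds; its arrival history is discarded so a banned source costs
    one expiry timestamp and nothing more.
    """

    def __init__(self, max_pps=100, window_seconds=1.0, ban_seconds=60.0,
                 bogons=BOGONS):
        self.max_pps = max_pps          # lower this at runtime for a strict mode
        self.window = window_seconds
        self.ban_seconds = ban_seconds
        self.bogons = bogons
        self._history = defaultdict(deque)   # ip -> arrival times in window
        self._banned = {}                    # ip -> ban expiry time

    def is_bogon(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.bogons)

    def check(self, ip, now):
        """Verdict for one packet from `ip` arriving at time `now` (seconds)."""
        if self.is_bogon(ip):
            return "drop-bogon"          # unroutable source: no state kept
        expiry = self._banned.get(ip)
        if expiry is not None:
            if now < expiry:
                return "drop-banned"
            del self._banned[ip]         # ban expired; start with a clean slate
        hist = self._history[ip]
        hist.append(now)
        while hist and hist[0] <= now - self.window:
            hist.popleft()               # forget arrivals outside the window
        if len(hist) > self.max_pps:
            self._banned[ip] = now + self.ban_seconds
            del self._history[ip]
            return "drop-ratelimit"
        return "accept"

    def active_bans(self, now):
        """Sources still blacklisted at time `now`."""
        return sorted(ip for ip, exp in self._banned.items() if now < exp)


def simulate(guard, events):
    """Feed (time, src) events in time order and count the verdicts."""
    return Counter(guard.check(ip, t) for t, ip in sorted(events))


if __name__ == "__main__":
    # Constructed traffic: a flood source, a normal client and a spoofed
    # RFC 1918 source, all inside a single second.
    events = [(i * 0.003, "203.0.113.45") for i in range(150)]   # 150 pkts in 0.45 s
    events += [(i * 0.2, "192.0.2.10") for i in range(5)]        # ordinary client
    events += [(i * 0.01, "10.0.0.5") for i in range(3)]         # bogon source
    guard = PacketRateGuard(max_pps=100)
    print(simulate(guard, events))
    print("banned at t=30s:", guard.active_bans(30.0))
    print("flood source at t=61s:", guard.check("203.0.113.45", 61.0))
```

Two caveats a practitioner should keep in mind: a per-source limit only helps when the attack comes from a bounded set of addresses, so against a spoofed or widely distributed flood it degrades to the "best effort" AviD describes; and a fixed ban duration is trivially gamed by an attacker who stays just under the threshold, which is why the strict mode (lowering max_pps) exists as a manual switch rather than a permanent setting.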

http://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos