Just say No to DDOS attacks

OK, it's a little more complicated than that; but not as much as you think

Here's another one of those completely expected, entirely intuitive results from a closer dissection of digital security incidents: putting up a firewall to fend off or retard DDOS attacks may actually make them worse.

The problem is not with the firewalls or intrusion prevention systems (IPS) themselves, according to a report that came out this morning from security vendor Arbor Networks.

The problem for once isn't really the skills of the people setting up the security; it's the standard expectation of how willing a company's network should be to take a connection request seriously without knowing for sure that it's legitimate.

Most companies just plunk firewalls and IPS devices down in front of servers, often putting them right on the network edge as the initial gatekeepers.

They're not designed for that. Firewalls and IPS boxes are designed to take a request and examine it, comparing it against a set of policies to see if it should be allowed in and where it should go.

DDOS attackers take advantage of that by flooding those devices with requests, each of which they have to consider carefully.

The Arbor report makes clear that DDOS attacks are increasing not only in frequency, but also in the volume of packets involved, allowing them to overwhelm even high-performance routers or firewall servers.

Among the 111 global service providers it surveyed, the maximum volume of data involved in a DDOS attack more than doubled from 2009, to 100Gbit/sec, which is 10 times the largest attack in 2005.

Half of all respondents in 2010 reported a failure due to DDOS, which could have been avoided either with more selective router configuration or by adding a layer of security at the edge of the network that can shed bogus DDOS or other unauthorized traffic before it gets to the firewalls.

Policies like that may mean some well-meaning packets are turned away at the door, but they will also let firewalls do their real job of filtering exploits of authentication or applications rather than setting them up on the edge of the network to be hosed to death by the first botnet that realizes they're a stationary target.
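To put rough numbers on that trade-off, here is an added illustration (not from Arbor's report or the original article) that models one second of traffic hitting a firewall with a fixed inspection budget, first alone and then behind a coarse stateless edge rule. The ports, packet counts and budget are all constructed assumptions.

```python
import random
from collections import namedtuple

Packet = namedtuple("Packet", "legit dst_port")

# All values below are assumptions made for this illustration.
FIREWALL_POLICY_PORTS = {443, 8443}  # what the firewall's policy permits
EDGE_ALLOWED_PORTS = {443}           # coarse stateless rule applied at the edge
FIREWALL_BUDGET = 10_000             # packets the firewall can inspect per second

def one_second_of_traffic(seed=1):
    """Constructed sample: 1,000 legitimate packets inside a 99,000-packet flood."""
    legit = [Packet(True, 8443 if i % 50 == 0 else 443) for i in range(1_000)]
    # 1 in 20 flood packets imitates real traffic to 443; the rest target a
    # port nothing listens on (9999).
    flood = [Packet(False, 443 if i % 20 == 0 else 9999) for i in range(99_000)]
    packets = legit + flood
    random.Random(seed).shuffle(packets)  # arrival order is interleaved
    return packets

def edge_shed(packets):
    """Stateless drop: one cheap comparison per packet, no policy evaluation."""
    return [p for p in packets if p.dst_port in EDGE_ALLOWED_PORTS]

def firewall(packets, budget=FIREWALL_BUDGET):
    """Inspect in arrival order until the budget is spent; the rest are lost."""
    inspected = packets[:budget]
    served = sum(p.legit and p.dst_port in FIREWALL_POLICY_PORTS for p in inspected)
    return {"legit_served": served, "lost_uninspected": len(packets) - len(inspected)}

def compare(seed=1):
    traffic = one_second_of_traffic(seed)
    shed = edge_shed(traffic)
    return {
        "firewall_alone": firewall(traffic),
        "firewall_behind_edge": firewall(shed),
        "legit_dropped_at_edge": sum(p.legit for p in traffic) - sum(p.legit for p in shed),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

In this model the edge rule costs 20 legitimate packets that the firewall's own policy would have admitted, and in exchange the firewall gets to inspect everything that reaches it instead of losing 90 percent of arrivals unexamined.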

That's not the whole answer, of course, and Arbor's report doesn't provide one either.

There are plenty of resources out there with instructions on how to defend against DDOS attacks, rather than just outlasting them.

Ultimately a botnet made up of thousands of machines will be able to outwork any router or firewall you put on the edge, if you don't make it smart enough not to be fooled by what amount to millions of prank phone calls.

The big risks are not the current ones, however.

DNS networks and mobile networks -- both of which are often left unprotected by end-user companies that assume their service providers can take care of it -- are both extremely vulnerable to attack, the report found.

There really are no ready-made defenses for that, at least on the mobile front, largely because security and management tools are not advanced enough to provide the kind of visibility into them that is taken for granted on wired networks, the report found.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
