February 01, 2011, 2:31 PM — Here's another one of those completely expected, entirely intuitive results from a closer dissection of digital security incidents: putting up a firewall to fend off or retard DDOS attacks may actually make them worse.
The problem is not with the firewalls or intrusion prevention systems (IPS) themselves, according to a report that came out this morning from security vendor Arbor Networks.
The problem for once isn't really the skills of the people setting up the security; it's the standard expectation of how willing a company's network should be to take a connection request seriously without knowing for sure that it's legitimate.
Most companies just plunk firewalls and IPS devices down in front of servers, often putting them right on the network edge as the initial gatekeepers.
They're not designed for that. Firewalls and IPS boxes are designed to take a request and examine it, comparing it against a set of policies to see if it should be allowed in and where it should go.
DDOS attackers take advantage of that by flooding those devices with requests, each of which the device has to evaluate carefully before it can decide anything.
The Arbor report makes clear that DDOS attacks are increasing not only in frequency, but also in the volume of packets involved, allowing them to overwhelm even high-performance routers or firewall servers.
Among the 111 global service providers it surveyed, the largest DDOS attack reported more than doubled in volume from 2009, to 100Gbit/sec, which is 10 times the largest attack in 2005.
Half of all respondents in 2010 reported a failure due to DDOS, which could have been avoided with either more selective router configuration or by adding a layer of security at the edge of the network that can shed bogus DDOS or other unauthorized traffic before it gets to the firewalls.
Policies like that may mean some well-meaning packets are turned away at the door, but they will also let firewalls do their real job of filtering exploits of authentication or applications rather than setting them up on the edge of the network to be hosed to death by the first botnet that realizes they're a stationary target.
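To make the mechanism concrete, here is a small added simulation that is mine, not code from the post or from Arbor's report: a stateful device with a finite request table is hit by constructed bot traffic, first alone and then with a cheap shedding layer in front of it. The traffic, table size, per-source budget and the names StatefulFirewall, EdgeShedder, build_traffic and legit_served are all assumptions made up for the illustration.

```python
from collections import Counter
from typing import Iterable, List, Optional, Tuple

Request = Tuple[str, int, bool]  # (source, request id, is_legitimate)


class StatefulFirewall:
    """Holds state for every request it is still evaluating.
    Once the table is full it cannot tell good from bad: everything drops."""
    def __init__(self, table_size: int) -> None:
        self.table_size = table_size
        self.table: set = set()
        self.dropped = 0

    def handle(self, req: Request) -> bool:
        if len(self.table) >= self.table_size:
            self.dropped += 1
            return False
        self.table.add(req[:2])
        return True


class EdgeShedder:
    """Per-source budget evaluated before the firewall: cheap enough to keep
    up with a flood, so bulk bot traffic never reaches the stateful box."""
    def __init__(self, per_source_budget: int) -> None:
        self.budget = per_source_budget
        self.seen: Counter = Counter()

    def allow(self, req: Request) -> bool:
        self.seen[req[0]] += 1
        return self.seen[req[0]] <= self.budget


def build_traffic(n_legit: int = 50, n_bots: int = 20, rounds: int = 100) -> List[Request]:
    """Constructed traffic: each round every bot sends one request, then one
    new legitimate client sends its single request (first n_legit rounds only)."""
    traffic: List[Request] = []
    for r in range(rounds):
        traffic += [(f"bot{b}", r, False) for b in range(n_bots)]
        if r < n_legit:
            traffic.append((f"client{r}", 0, True))
    return traffic


def legit_served(traffic: Iterable[Request], table_size: int,
                 shedder: Optional[EdgeShedder] = None) -> int:
    """Count legitimate requests that actually get a slot in the firewall table."""
    fw = StatefulFirewall(table_size)
    served = 0
    for req in traffic:
        if shedder is not None and not shedder.allow(req):
            continue  # shed at the edge; the firewall never sees it
        if fw.handle(req) and req[2]:
            served += 1
    return served


if __name__ == "__main__":
    print("firewall alone:", legit_served(build_traffic(), 500), "of 50")
    print("edge shed + firewall:", legit_served(build_traffic(), 500, EdgeShedder(5)), "of 50")
```

The budget filter stands in for whatever stateless shedding the edge does; the point of the model is only that the stateful table must not be the first thing the flood reaches.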
That's not the whole answer, of course, and Arbor's report doesn't provide one either.