Distributed Denial of Service (DDoS) activity has increased, with research showing that a DDoS attack can cost an organization on average more than $2.5 million in revenue. These disruptive attacks are getting worse, and most single methods of defense are not enough to stop them. Every defense (i.e. content delivery networks, traditional firewalls, etc.) to this problem varies in effectiveness, depending on the type of attack.
And DDoS attacks are moving downstream, not only affecting the largest organizations. In a sampling of customers, Neustar found that 78% of organizations that generate $50M-$99M per year had experienced a DDoS attack at least once in last 12 months, and of those organizations attacked, 86% were hit more than once. Small and medium companies are inherently tempting targets because they are often the less defended with heavy tech investments, services, and staff. As well, there are common overestimations by these organizations in the “protection” offered by ISPs and cloud service providers such as Amazon Web Services. But when DDoS attacks become too large, creating collateral impact, ALL traffic to that targeted host starts getting blocked or “blackholed”. This effectively takes those businesses offline.
“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” - Abraham Maslow, The Psychology of Science, 1966
Maslow’s idea of treating everything like a nail when all you have is a hammer is similar to the way many companies use their firewall to solve every type of DDoS attack. After all, most companies already have a firewall on site so they will use this device to try and mitigate a DDoS attack. While firewalls can be updated so that they do a better job protecting against various types of DDoS, this solution by itself has several limitations.
What does a firewall do?
Your firewall monitors and tracks which packets are permitted on your network and decides which to allow access. Essentially, it allows the good packets to go through and keeps the bad ones out. For example, if you have an IP or IP range for a known attacker, you can block all traffic from that IP range from entering your network.
Here are 4 reasons why depending solely on your firewall to protect against DDoS attacks may not be a good idea:
- Open ports: While a firewall can be used to detect an attack, it’s useless against certain types. For example, a firewall can be configured to block undesired ports. But, what do you do about ports like 80 (HTTP/web), 25 (STMP/mail), 443 (SSL/web), and 53 (DNS)? These are typically left open out of necessity, however, many DDoS attacks happen on open ports such as these and as such are invisible to firewalls.
- Rules: Rules are a way for firewalls to defend against DDoS attacks, but they can be threatened by an attack that appears normal. While stateful protection has its place, better protection against DDoS requires deep packet inspection along with countermeasures to stop the attack.
- Assets outside of the firewall: While the firewall may be good for protecting internal assets, what about applications and websites on a perimeter network that could be shared with third party platforms? Or, what about DNS services that are not able to be protected by firewalls?
- Excessive traffic: Volumetric flood attacks (i.e. SYN attacks) have the ability to exploit stateful firewalls by overwhelming their state tables with excessive traffic and exploiting their limited bandwidth. This keeps legitimate traffic from being routed properly. With the average DDoS attack exceeding over 6 Gbps, equipment can quickly become overwhelmed.
You need more than just a firewall
DDoS attacks are getting worse, and Hidden Cobra, which the FBI and DHS warned about in June, is just one example. Attackers will continue to improve their tactics, increasing the risk of relying exclusively on a firewall. This is why it’s important to have a comprehensive solution to Distributed Denial of Service attacks in place before they happen.
About Nicolai Bezsonoff
Nicolai Bezsonoff is the General Manager of Security Solutions at Neustar. He spearheads the company’s industry-leading DDoS, DNS and IP Intelligence solutions, including its cybersecurity operations. Previously, he was the co-founder and COO of .CO Internet, a successful Internet company based in both Miami and Colombia, which was acquired in 2014 by Neustar. Under his tenure, .CO had incredible growth and became one of the most successful domain extensions in history, with more than 2.2 million domain names registered by people in 200 countries.