
Why Traditional Security Products Fail to Stop DDoS
Monitoring and securing the layers in the OSI model has historically been handled by routers, firewalls and Intrusion Detection Systems ("IDS"). Routers are designed to analyze outgoing or incoming traffic and route it to its intended destination. In the process, routers are capable of simple filtering techniques which can provide some protection. Firewalls are designed to prevent malicious or unauthorized traffic from entering a network, essentially acting as an advanced switch, denying or allowing network access according to information found in a firewall access control list.
IDS tools are somewhat more passive than firewalls, performing a monitoring and reporting role rather than the boundary-guard duty traditionally tasked to firewalls. All three solutions are effective at protecting enterprises from many forms of cyber-crime. None, however, was designed to defend against denial of service attacks. Not surprisingly, they have serious limitations when faced with a state-of-the-art DDoS attack.
Routers
Multiple types of routers exist throughout the network hierarchy, each performing a different function for each layer of the network. Although routers are capable of mitigating certain simple attacks, such as ping attacks, by filtering nonessential protocols, they are not effective at mitigating the bulk of DDoS attacks:
- A router can filter invalid IP address spaces, but this is ineffective against today's DDoS attacks, which spoof valid IP addresses. Additionally, most routers cannot support access control lists (used to filter invalid IP addresses) larger than 100 lines, far short of the tens of thousands of IP addresses used in many DDoS attacks.
- It is also suggested that routers may use rate-limiting to mitigate DDoS attacks by capping the rate at which traffic flows through the router. Although it is good practice to block non-essential protocols, from a DoS perspective this method has little benefit, as most DDoS attacks use valid protocols that are essential for internet operation, rendering filtering by protocol useless.
Firewalls
The firewall is generally an organisation's first line of defence. It acts as a "middle man" between trusted and untrusted hosts. As such, it has very limited capabilities when it comes to handling services that must be open to the general internet public (web service, DNS, etc.).
Attacks mitigated by many firewall systems include certain known worms, malicious URLs, directory traversal attacks, WebDAV attacks, and man-in-the-middle attacks. DDoS attacks, however, which specifically target general public services, simply cannot be stopped by firewalls. In short, if the attack uses legitimate means, as in a connection flood coming from valid IP addresses, then the firewall will simply let the traffic through, as it has no ability to separate the good traffic from the bad. This traffic will eventually tie up the web servers, resulting in severe service degradation or, worse, a complete service outage.
Additionally, most firewalls have client tables that can fill up very quickly when up against standard DDoS exploits such as a randomly generated SYN flood. Once these tables are full, a firewall typically fails. The same is true for load balancers and layer 5 switches.
AS A RESULT, ANY PRODUCT POSITIONED BEHIND A FIREWALL WILL FAIL TO MITIGATE A DDoS ATTACK BECAUSE THE FIREWALL WILL BE THE POINT OF FAILURE.
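As an added example (not Webscreen's code, and a constructed model rather than any real firewall or router), the following Python simulation illustrates the two failure modes described above: a stateful client table that fills with spoofed half-open SYN entries until legitimate clients are refused, and a router ACL capped at 100 entries covering only a tiny fraction of the distinct spoofed sources. Table capacity, half-open timeout and per-tick rates are assumed values.

```python
"""Constructed model (added example, not Webscreen's code) of a stateful
firewall's client table under a spoofed SYN flood, and of how far a
100-entry router ACL gets against the distinct spoofed sources."""
import random

ACL_MAX_ENTRIES = 100  # ACL size limit quoted in the text


def spoofed_source(rng):
    """Hypothetical spoofed source: any random 32-bit address. Real floods
    use valid-looking addresses, so an 'invalid address' filter misses them."""
    return rng.getrandbits(32)


def simulate(flood_per_tick, legit_per_tick, ticks, capacity, half_open_timeout, seed=1):
    """Discrete-time model. Each spoofed SYN allocates a half-open slot that is
    only freed when its timer expires; each legitimate SYN needs a free slot
    but completes its handshake at once, so it does not keep holding the slot."""
    rng = random.Random(seed)
    table = {}                 # source -> tick at which its half-open entry expires
    flood_sources = set()      # distinct spoofed addresses seen
    accepted = dropped = 0     # legitimate connection attempts
    for t in range(ticks):
        for src in [s for s, expiry in table.items() if expiry <= t]:
            del table[src]                       # half-open timer ran out
        for _ in range(flood_per_tick):
            src = spoofed_source(rng)
            flood_sources.add(src)
            if len(table) < capacity:
                table[src] = t + half_open_timeout
        for _ in range(legit_per_tick):
            if len(table) < capacity:
                accepted += 1                    # slot available, handshake completes
            else:
                dropped += 1                     # table full: firewall refuses a real client
    distinct = len(flood_sources)
    acl_coverage = min(ACL_MAX_ENTRIES, distinct) / distinct if distinct else 0.0
    return {"legit_accepted": accepted, "legit_dropped": dropped,
            "distinct_flood_sources": distinct, "acl_coverage": acl_coverage}


if __name__ == "__main__":
    # Constructed parameters: 1000-entry table, 30-tick half-open timeout,
    # 200 spoofed SYNs and 10 legitimate SYNs per tick for 60 ticks.
    print("no flood :", simulate(0, 10, 60, 1000, 30))
    print("SYN flood:", simulate(200, 10, 60, 1000, 30))
```

With the flood running, the table is full after a few ticks and every legitimate SYN from then on is refused, while a 100-entry ACL covers under one percent of the roughly 12,000 distinct spoofed sources.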
Intrusion Detection System (IDS)
By design, IDS is a passive, rather than proactive, solution. Its only purpose is to analyze traffic and to detect and identify different types of attacks when they occur.
While the data generated by the various detection devices provides the targeted company and its ISP with the information required to respond quickly to an attack, it does very little to actually mitigate the attack. In fact, because IDS needs to look at nearly every packet in a flow to detect events, DDoS attacks can often cause IDS systems to fail by the sheer volume of the attack. Webscreen Technology has also witnessed DDoS attacks used to confuse IDS tools, effectively masking targeted attacks on vulnerable network points.
Server Farm Failure
The final critical failure point is the web server farm. Any attack that reaches this level will typically overload TCP state tables, quickly taking any targeted web servers offline. On Unix-based systems, mbufs (memory buffers) fill quickly and the kernel's malloc (memory allocation) tables fail. Apache fails quickly once the operating system's IP stack resources are exhausted. Windows IIS-based systems have the same problems as Unix-based systems.