Why Your Firewall Might Be Useless Against a DDoS Attack

So you’ve spent some money on a shiny new firewall, and you have it mounted nicely in the rack right next to your ethernet switch(es) and DSL/cable modem. You’re all set, right?

Well, maybe not. A company here on Long Island ran into trouble last week when the website they are hosting on a server in their office went down. Yes, the server is in an office with a single Internet connection, but I’m not going to bother with the discussion about how hosting your site on a single-homed network is a bad idea. We’ll save that for another day. Turns out that the site was down primarily because of a distributed denial of service (DDoS) attack against the web server. Why was someone attacking the web server? Who knows, but it was causing serious problems for those folks and something had to be done about it. I’ll spare you the suspense and let you know right away that one of our affiliated tech gurus was able to solve the problem for them, but it did point out one item that people tend to forget about when it comes to network attacks.

Often even the best firewall in the world will be useless against a DDoS attack. This is because firewalls are really good at filtering and blocking traffic using all kinds of nifty algorithms, but they can’t do that until said traffic gets to them.

Lets say that you have a cable modem that runs at 20 Mbps downstream and 5 Mbps upstream. That means that in the very best case, you can move 20 megabits per second worth of data down that pipe and into your home/office/network/whatever. Now lets say that someone decides that you’re a good target to attack because they find the website you’re hosting in the office to be distasteful in some way. They decide to launch a modestly scaled attack on you, and suddenly your web server is subject to a 65 Mbps torrent of miscreant packets designed to make it feel really badly. Have you seen the problem yet?

The problem in this case is not that there are nasty packets coming your way. Presumably your trusty firewall will know now to block those (if you have it configured correctly – also another story). The problem is the amount of data you have to deal with. That 65 Mbps stream is WAY more than your 20 Mbps cable modem can handle, so while your firewall is happily dropping packet after packet on the floor for you, your pipe is full and nothing can get to you any longer. Filter until you’re blue in the face, because your website, and the rest of your office, is now effectively offline. You might as well unplug your cable modem and call it a day because the bad guys have won.

So what can you do? In some cases the attack is not large enough to fill the incoming pipe. Once you’ve filtered it and rendered it ineffective, the attackers simply go away and move along to the next dirty deed on their to-do list. Luckily this is what happened to our friends last week. A bit of intelligent firewall configuration and they were back in business. In the case where the attack is large enough to fill your pipe, you have no choice but to enlist the aid of your access provider. Those black-hat packets have to be stopped before they get into your pipe, and only your provider can do that. In some instances your access provider can “null route” the IP address under attack. In more complex instances where you have multiple access providers and are running a dynamic routing protocol, you might be able to make this happen automatically using BGP community strings. Sometimes you’ll have to call and work your way through the phone maze to find the people that can help. In other cases, your access provider might simply shrug its shoulders and decide that you’re on your own. Sadly, this also happened here last week (shame on you, Optimum Lightpath!).

The point is, network attacks are a fact of life on the Internet, so do yourself a favor and plan to spend 20-30 minutes on the phone with your service provider at some point in the near future finding out how they will help you deflect an attack if you ever find yourself in that position. Document the procedure – who needs to be called or emailed, what information they’ll need, and how long it might take for them to take action. Having it all written down will go a long way toward calming things down when you’re under the gun. Also be sure you’re familiar with the DNS for your domains and how its all controlled. When combating a network attack there is likely going to be some DNS changes to be made, so don’t wait until things are out of control to learn how to do that, or who can do it for you.

A little knowledge, and a little advance preparation, can go a long way toward making a bad situation easier to deal with.

In future blog postings we’ll talk about how site-crippling network attacks can be avoided/handled by having your sites hosted with a hosting/co-location/datacenter provider.

—-

Photo Credit: quinn.anya via Compfight cc