Firewalls and IPS have become standard in network protection, installed in every network much as stone walls once fortified every medieval fortress or castle. Although they have advanced greatly over the years in safeguarding networks against a wide variety of cyber threats, they remain vulnerable to today's massive DDoS attacks because of the way they are designed: a firewall must keep state for every connection it permits and an IPS must inspect every packet it forwards, and both have finite capacity to do so. Many organizations, including financial institutions, gaming companies, telecom networks and other enterprises, suffer DDoS outages even though they are equipped with a firewall and an IPS. Ironically, during a DDoS attack these security functions are likely to become the weakest link in the network's security.
During a DDoS attack, the attacker most often targets internet-facing servers or services with massive volumetric floods (TCP SYN, UDP and HTTP floods). These attacks are carried out over ports that are commonly open on most firewalls, for example 80, 53, 25 and 443, so the firewall cannot simply close them without also cutting off the service they carry. The attacker's goal is to choose vectors that exploit weaknesses in how devices handle packet headers at the network and transport layers (a SYN flood abuses the TCP handshake, which forces the receiver to allocate state before the sender has proven anything) and in how servers handle requests at the application layer (an HTTP flood ties up server workers with requests that each look valid on their own).
A firewall is a stateful device: it is designed and configured to block undesired ports, and it tracks every connection it allows in a state table. Volumetric floods on the ports that must remain open for service delivery exploit that stateful design. A SYN flood, for example, makes the firewall allocate a half-open entry for every spoofed SYN; those entries are never completed and are only reaped on timeout, so the table fills with unwanted traffic and there is no room left to track legitimate new connections. The result is a bottleneck that can leave the firewall entirely dysfunctional. Just as breaching a castle's wall led medieval attackers to victory, cyber-attackers take advantage of this design weakness, using DDoS to disable the firewall and open the way to a successful breach.
An IPS is deployed deeper in the network, typically behind the firewall. It allows only legitimate, known traffic to pass, while blocking a wide range of intrusions such as server exploits, code injection, cross-site scripting attempts and so on. Since most intrusions occur at the application layer, the IPS performs deep packet inspection (DPI) to catch them, and DPI costs CPU and memory for every packet. If the IPS has to handle massive volumes of DDoS traffic on top of its normal load, its inspection capacity is exhausted. It then either becomes a bottleneck and drops traffic or, worse, lets hostile traffic pass through uninspected for lack of machine resources. Which of the two happens depends on whether the device is set to fail closed or fail open under overload, and neither outcome is acceptable for a security control.
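To make that fail-open versus fail-closed trade-off concrete, here is an added Python example, not code from the original article or from any IPS product: a toy inline IPS with a fixed inspection budget per interval, a constructed three-rule signature set, and a constructed traffic mix in which ten junk flood packets precede each legitimate HTTP request, with an SQL-injection attempt injected as every 50th request. The budget, the 10:1 flood ratio, the signatures and the payloads are all assumptions made for the illustration.

```python
"""Added example (not from the original article): an inline IPS with a fixed
inspection budget per interval. When offered load exceeds the budget the device
must either drop the excess (fail closed) or pass it uninspected (fail open).
Signatures, payloads and rates are constructed for illustration."""
import re

# Constructed stand-ins for an IPS ruleset (real rulesets are far larger)
SIGNATURES = {
    "sqli": re.compile(rb"(?i)union\s+select|'\s*or\s+1=1"),
    "xss": re.compile(rb"(?i)<script[^>]*>"),
    "path_traversal": re.compile(rb"\.\./\.\./"),
}


def inspect(payload):
    """Return the name of the first matching signature, or None if the payload is clean."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


def run_ips(packets, budget, fail_open):
    """Process one interval. Only the first `budget` packets can be inspected;
    the rest are bypassed (fail open) or dropped (fail closed)."""
    stats = dict(blocked=0, passed_clean=0, passed_uninspected=0,
                 hostile_leaked=0, dropped_overload=0)
    for i, payload in enumerate(packets):
        if i < budget:
            if inspect(payload):
                stats["blocked"] += 1
            else:
                stats["passed_clean"] += 1
        elif fail_open:
            stats["passed_uninspected"] += 1
            if inspect(payload):          # ground truth for the tally; the IPS never saw it
                stats["hostile_leaked"] += 1
        else:
            stats["dropped_overload"] += 1
    return stats


def build_interval(legit_packets=1000, flood_ratio=10, hostile_every=50):
    """Constructed traffic mix: `flood_ratio` junk flood packets arrive before each
    legitimate HTTP request, and every `hostile_every`-th request carries an
    SQL-injection attempt."""
    packets = []
    for n in range(legit_packets):
        packets.extend([b"\x00" * 64] * flood_ratio)
        if n % hostile_every == 0:
            packets.append(b"GET /search?q=' OR 1=1-- HTTP/1.1\r\nHost: example\r\n")
        else:
            packets.append(b"GET /index.html HTTP/1.1\r\nHost: example\r\n")
    return packets


if __name__ == "__main__":
    traffic = build_interval()
    for mode in (True, False):
        label = "fail-open" if mode else "fail-closed"
        print(label, run_ips(traffic, budget=2000, fail_open=mode))
```

With an 11,000-packet interval and a budget of 2,000, the flood consumes most of the inspection capacity: only the first 181 legitimate requests are examined. In fail-open mode 16 of the 20 injected attacks reach the server uninspected; in fail-closed mode none leak, but 9,000 packets, including more than 800 legitimate requests, are discarded. Either way the IPS has stopped doing its job, which is the point the paragraph above makes.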
A firewall, an IPS, or even a combination of the two, may give a false sense of security. Security professionals are typically aware of this issue and deploy separate DDoS mitigation solutions, like the Allot ServiceProtector, at the edge of their network. The Allot ServiceProtector DDoS mitigation system inspects traffic and analyzes anomalies quickly and efficiently to pinpoint threats. It then mitigates the attacks immediately at line rates of tens and even hundreds of Gbps without dropping legitimate traffic (zero false positives). ServiceProtector not only minimizes the effects of DDoS attacks on service, but also supplements the firewall and IPS systems, providing a stronger first line of defense in protecting the network against cyber enemies.