It should go without saying that not all distributed denial of service (DDoS) defenses are created equal. Whether it’s a web application firewall (WAF), content delivery network (CDN) or traditional firewall, every “defense” has its own purpose, potential and peril.
Over the past couple of years, we’ve seen a steady number of organizations use firewalls to mitigate DDoS attacks. The reasoning, they claim, is that firewalls can be updated to provide protection against DDoS attacks. The problem is that firewalls were not designed, and are not built, to withstand large-scale DDoS attacks.
Without getting too technical, it’s important to note what a firewall does.
Firewalls provide perimeter access control by monitoring and tracking permitted network traffic flows. In many ways, a firewall plays the role of a network’s traffic cop. It allows the good packets to proceed unimpeded and blocks bad packets from gaining access to your network.
Firewalls can be helpful in detecting an incoming DDoS attack, but they can’t do much to defend against it. Here are three reasons why:
1. Firewalls can be easily overwhelmed and rendered useless
Firewalls - and other on-premises hardware - have limited bandwidth, bounded by the size of the circuit coming into the enterprise. Many organizations have anywhere from 1 to 5 Gbps worth of bandwidth from their internet service providers (ISPs), which sounds like a good enough number. But when you consider that the AVERAGE size of a DDoS attack is 6.63 Gbps, that bandwidth can quickly be overwhelmed and the attack proceeds unabated.
2. Firewall rules management
Firewall rules management is a dangerous way to fend off DDoS attacks because firewalls can be fooled when the strike initially appears to be legitimate network traffic, as a SYN flood does. DDoS protection, which provides deep packet inspection and has specific countermeasures to combat and stop all types of DDoS attacks, is very different from the static operation of traffic rules in firewalls. Firewalls should be thought of as an ELEMENT of a defense strategy, not a complete solution.
3. Not all targeted assets are behind a firewall
Websites on the perimeter network, applications shared with or provided by third-party platforms, and DNS services cannot be protected by on-premises firewalls, however current their rule sets. If a DDoS attack on DNS succeeds, there is no web presence and no application availability. Needless to say, that's not good.
So, what works?
Increasingly, industry experts are recommending that organizations use a comprehensive DDoS solution that’s capable of providing cloud-based protection should the attacker attempt to overwhelm the existing on-premises defense. And as attackers continue to shift and refine their tactics, relying solely on a firewall creates a dangerous proposition.
DDoS attacks represent an unfortunate reality for today’s companies, stinging 84% of businesses worldwide. DDoS attacks are no longer a matter of if companies will get hit, it's now a question of how often and how long.