3 Reasons Why a Firewall Won’t Save You Against a DDoS Attack

7:44 07/05/2018

It should go without saying that not all distributed denial of service (DDoS) defenses are created equal. Whether it’s a web application firewall (WAF), content delivery network (CDN) or traditional firewall, every “defense” has its own purpose, potential and peril.

Over the past couple of years, we’ve seen a steady number of organizations use firewalls to mitigate DDoS attacks. The reasoning, they claim, is that firewalls can be updated to provide protection against DDoS attacks. But the problem is firewalls were not designed and are not built to withstand large-scale DDoS attacks.

Without getting too technical, it’s important to note what a firewall does.

Firewalls provide perimeter access control by monitoring and tracking permitted network traffic flows. In many ways, a firewall plays the role of a network’s traffic cop. It allows the good packets to proceed unimpeded and blocks bad packets from gaining access to your network.

Firewalls can be helpful in detecting an incoming DDoS attack, but they can't do much to defend against it. Here are three reasons why:

1. Firewalls can be easily overwhelmed and rendered useless

Firewalls - and other on-premises hardware - have limited bandwidth, bounded by the size of the circuit coming into the enterprise. Many organizations have anywhere from 1 to 5 Gbps of bandwidth from their internet service providers (ISPs), which sounds like enough. But when you consider that the AVERAGE size of a DDoS attack is 6.63 Gbps, that bandwidth can quickly be overwhelmed and the attack proceeds unabated.

2. Firewall Rules Management

Firewall rules management is a dangerous way to fend off DDoS attacks because firewalls can be fooled if the attack initially looks like legitimate network traffic, as a SYN flood does. DDoS protection, which provides deep packet inspection and has specific countermeasures to combat and stop all types of DDoS attacks, is very different from the static operation of traffic rules in firewalls. Firewalls should be thought of as an ELEMENT of a defense strategy, not a complete solution.
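As an added illustration (not from the original article), here is the difference between a static port rule and handshake-state tracking, run over a constructed set of connection events; the event format, the function names, the window and the threshold are all assumptions:

```python
from collections import defaultdict

# Constructed sample of connection-level events (not real traffic):
# (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags)
EVENTS = [
    (0.0, "203.0.113.10", "192.0.2.5", 443, "S"),
    (0.1, "203.0.113.10", "192.0.2.5", 443, "A"),  # client completes handshake
    (0.2, "203.0.113.11", "192.0.2.5", 443, "S"),
    (0.3, "203.0.113.11", "192.0.2.5", 443, "A"),
] + [
    # constructed flood: SYNs to port 443 from 200 sources that never send the final ACK
    (1.0 + i * 0.001, f"198.51.100.{i}", "192.0.2.5", 443, "S")
    for i in range(1, 201)
]

def static_rule(event):
    """A static allow rule: permit any traffic to the public HTTPS port.
    Every flood packet passes, because each one looks like a legitimate SYN."""
    _, _, _, dst_port, _ = event
    return dst_port == 443

def count_static_allowed(events):
    """How many events a rule-only firewall would wave through."""
    return sum(1 for e in events if static_rule(e))

def half_open_per_dst(events, window_s=2.0, threshold=100):
    """Track handshake state: a SYN opens a pending entry for (src, dst, port),
    a later ACK from the same source closes it. Return destinations whose
    number of still-pending (half-open) connections inside the window
    exceeds the threshold, which is the signal a static rule never sees."""
    pending = {}  # (src, dst, port) -> timestamp of the SYN
    for ts, src, dst, port, flags in events:
        key = (src, dst, port)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            pending.pop(key, None)
    latest = max(e[0] for e in events)
    per_dst = defaultdict(int)
    for (src, dst, port), ts in pending.items():
        if latest - ts <= window_s:
            per_dst[(dst, port)] += 1
    return {k: v for k, v in per_dst.items() if v > threshold}
```

The legitimate handshakes alone produce no alert, while the full event set passes the static rule unchanged but is flagged by the half-open count.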

3. Not all targeted assets are behind a firewall

Websites on the perimeter network, as well as applications shared with or provided by third-party platforms and DNS services, cannot be protected by on-premises firewalls with updated rule sets. If the DDoS attack on the DNS is successful, there is no web presence and no application availability. Needless to say, that's not good.

So, what works?

Increasingly, industry experts are recommending that organizations use a comprehensive DDoS solution that's capable of providing cloud-based protection should the attacker attempt to overwhelm the existing on-premises defense. And as attackers continue to shift and refine their tactics, relying solely on a firewall creates a dangerous proposition.

DDoS attacks represent an unfortunate reality for today's companies, stinging 84% of businesses worldwide. DDoS attacks are no longer a matter of if companies will get hit; it's now a question of how often and for how long.
