3 Reasons Why a Firewall Won’t Save You Against a DDoS Attack

RESEARCH CREW
7:44 07/05/2018
It should go without saying that not all distributed denial of service (DDoS) defenses are created equal. Whether it’s a web application firewall (WAF), content delivery network (CDN) or traditional firewall, every “defense” has its own purpose, potential and peril. Over the past couple of years, we’ve seen a steady number of organizations use firewalls to mitigate DDoS attacks. The reasoning, they claim, is that firewalls can be updated to provide protection against DDoS attacks. But the problem is that firewalls were not designed and are not built to withstand large-scale DDoS attacks.

Without getting too technical, it’s important to note what a firewall does. Firewalls provide perimeter access control by monitoring and tracking permitted network traffic flows. In many ways, a firewall plays the role of a network’s traffic cop: it allows the good packets to proceed unimpeded and blocks bad packets from gaining access to your network. Firewalls can be helpful in detecting an incoming DDoS attack, but they can’t do much to defend against the attack. Here are three reasons why:

1. Firewalls can be easily overwhelmed and rendered useless

Firewalls, and other on-premises hardware, have limited bandwidth, which is bounded by the size of the circuit coming into the enterprise. Many organizations have anywhere from 1 to 5 Gbps worth of bandwidth from their internet service providers (ISPs), which sounds like a good enough number. But when you consider that the AVERAGE size of a DDoS attack is 6.63 Gbps, that bandwidth can quickly become overwhelmed and the attack proceeds unabated.

2. Firewall rules management

Firewall rules management is a dangerous way to fend off DDoS attacks because firewalls can be fooled if the strike initially appears to be legitimate network traffic, as a SYN flood does. DDoS protection, which provides deep packet inspection and has specific countermeasures to combat and stop all types of DDoS attacks, is very different from the static operation of using traffic rules in firewalls. Firewalls should be thought of as an ELEMENT of a defense strategy, not a complete solution.

3. Not all targeted assets are behind a firewall

Websites on the perimeter network, as well as applications shared with or provided by third-party platforms and DNS services, cannot be protected by on-premise firewalls with updated rule sets. If the DDoS attack on the DNS is successful, there is no web presence and no application availability. Needless to say, that’s not good.

So, what works? Increasingly, industry experts are recommending that organizations use a comprehensive DDoS solution that’s capable of providing cloud-based protection should the attacker attempt to overwhelm the existing on-premise defense. And as attackers continue to shift and refine their tactics, relying solely on a firewall creates a dangerous proposition. DDoS attacks represent an unfortunate reality for today’s companies, stinging 84% of businesses worldwide. DDoS attacks are no longer a matter of if companies will get hit; it’s now a question of how often and how long.
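To make reason 2 concrete, here is an added example (not code from the original article or from any product it mentions) showing why a static per-source firewall rule misses a SYN flood that a stateful half-open-connection check catches. The traffic records are constructed in memory: legitimate clients complete the handshake (SYN followed by ACK), while the flood consists of many distinct spoofed sources that each send only a handful of SYNs and never complete it. The rule thresholds and the 0.5 half-open ratio are assumptions chosen for illustration, not vendor defaults.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP handshake packet as a firewall or monitor would see it."""
    src: str
    flag: str  # "SYN" = handshake request, "ACK" = client completing the handshake


def legitimate_records(n_clients: int) -> list:
    """Constructed sample: every client completes the three-way handshake."""
    pkts = []
    for i in range(n_clients):
        ip = f"203.0.113.{i % 254 + 1}"  # documentation range, constructed
        pkts.append(Packet(ip, "SYN"))
        pkts.append(Packet(ip, "ACK"))
    return pkts


def constructed_flood_records(n_sources: int, syns_per_source: int) -> list:
    """Constructed sample of a distributed SYN flood: many spoofed sources,
    few SYNs each, and no ACKs because the spoofed hosts never reply."""
    pkts = []
    for i in range(n_sources):
        ip = f"198.51.{i // 254}.{i % 254 + 1}"  # constructed spoofed sources
        pkts.extend(Packet(ip, "SYN") for _ in range(syns_per_source))
    return pkts


def per_source_rule(pkts: list, max_syns_per_source: int) -> set:
    """Static firewall-style rule: block a source once it exceeds a SYN count.
    Returns the set of sources the rule would block."""
    syns = Counter(p.src for p in pkts if p.flag == "SYN")
    return {src for src, n in syns.items() if n > max_syns_per_source}


def half_open_check(pkts: list, ratio_threshold: float = 0.5) -> dict:
    """Stateful check a dedicated DDoS mitigation layer performs: compare SYNs
    against handshakes actually completed. A high share of half-open
    connections across ALL sources signals a flood even when no single
    source trips a per-source rule."""
    syns = Counter(p.src for p in pkts if p.flag == "SYN")
    acks = Counter(p.src for p in pkts if p.flag == "ACK")
    total_syns = sum(syns.values())
    # A source cannot complete more handshakes than it opened.
    completed = sum(min(n, acks[src]) for src, n in syns.items())
    half_open = total_syns - completed
    ratio = half_open / total_syns if total_syns else 0.0
    return {
        "syns": total_syns,
        "completed": completed,
        "half_open": half_open,
        "half_open_ratio": ratio,
        "flood_detected": ratio > ratio_threshold,
    }


if __name__ == "__main__":
    mixed = legitimate_records(100) + constructed_flood_records(200, 3)
    print("per-source rule blocks:", per_source_rule(mixed, 5))  # empty set
    print("half-open check:", half_open_check(mixed))            # flood_detected True
```

Running it shows the gap the article describes: with 200 spoofed sources sending 3 SYNs each, a rule of "block after 5 SYNs" blocks nobody, while the half-open ratio across the whole traffic mix is well above any sane baseline. Lowering the per-source threshold only pushes the attacker to spread the same volume over more sources, which is why the article recommends treating rule-based filtering as one element rather than the whole defense.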