79

It is hard to protect a server against Denial of Service attacks, DoS/DDoS. The two simple ways I can think of are to use a server with a lot of resources (e.g. CPU and memory), and to build the server application to scale up very well. Other protection mechanisms are probably used by the firewall. I can think of black-listing IP addresses, but I don't really know how it works. And there are probably other techniques that are used by the firewall to protect against DDoS attacks.

What techniques do advanced firewalls use to protect against DoS/DDoS attacks?

AviD
Jonas
  • Related: http://serverfault.com/q/531941/87017 – Pacerier Dec 07 '14 at 17:28
  • I don't think this can be made into an answer, but for future reference: many small companies that do not run critical services on the one being attacked simply shut them down while preparing a solution for the problem. It happened in Eve Online, for instance, in the last year. – Malavos Dec 30 '14 at 14:15

5 Answers

42

My experience of DoS and DDoS attacks is based on being a Cisco engineer for an ISP and later a Security Manager for a very large Global. Based on this experience, I have found that effectively dealing with large-scale and complex attacks requires a good partnership between the organisation under attack and their ISP or DDoS mitigation partner (yes, there are now companies dedicated to this; in essence they are a very large ISP in their own right, but use their global network to take on the additional traffic generated during an attack).

Below are some considerations if you face an attack that is outside of your bandwidth tolerance (aka bandwidth consumption) and you need help in responding.

Where no mitigation partner exists: Establish a strong relationship with your ISP. Identify the right teams and contacts that you will need if there is an attack.

Use your firewall (or other logging device) to obtain evidence of the attack (source IP, protocol, packet length, etc) as this information can be hugely valuable to the ISP in deciding how to respond. It's not fun trying to trap traffic on a Cisco routing device from the command line at three in the morning! So any help is appreciated. :-)

With this, your likely approach will be to filter out the traffic within the ISP cloud. If you have been able to provide enough information and the traffic is such, then the ISP may well be able to filter out the malicious traffic and leave valid network traffic free to access your network. However, if you are causing latency issues for the ISP then they are likely to black-hole your entire route at their BGP gateway and you will disappear from the net. Additional routing filters cause load on gateways, so don't expect your ISP to add multiple filters, as this may well impact their other users.

Using a mitigation partner:

I can only speak from the experience of one provider for this, so you will need to do your homework to decide if you require this and if so who would be best placed to provide.

The service was based upon BGP route advertisement and attack monitoring. Once an attack has been identified, the mitigation partner advertises your route to pass through their network, where core routers are used to filter out the malicious traffic prior to passing it on to the organisation.

My role in all of this was to test the implementation of a partnered approach to DDoS mitigation. This involved utilising a global team of security engineers to generate enough traffic to make for a valid test. We were testing both the ability to identify an attack and then to respond effectively. Based on this, we were very impressed with their overall approach and the solution worked.

hft
David Stubley
  • Interesting, wasn't familiar with this concept. Though the original question was purely technical as to what mechanisms *firewalls* have, this definitely can be important to an org that is looking for solutions. – AviD Nov 24 '10 at 14:05
  • While firewalls/IPS offer good defense against DoS/DDoS based off of exploits, a powerful flood will still flood your pipe even if you have a really good, robust firewall rule in place. Sadly, the only way to prevent this sort of thing from happening is to partner with a mitigation vendor (or appliance; there is one out there that claims to stop DDoS, but I've yet to actually see it in use, just in demos). My org is in the middle of a mitigation partnership. – g3k Jan 22 '13 at 16:09
  • There is something called aggressive aging on some stateful firewalls. We can configure the firewall to age out inactive sessions (on the firewall) at a faster rate and then configure the firewall to send a RST packet to the server when the session ages out on the firewall. Not a very good solution :D but support engineers employ sub-optimal solutions at times of panic :). The solution works when the DDoS attack aims to create TCP sessions on the server to max out its memory, and it assumes that there won't be any packets sent to the server from malicious hosts after the session is created. – aRun Mar 15 '13 at 05:56
41

Those are really two different, though similar, attacks.

"Regular" DoS is based on trying to crash the server/firewall through some kind of bug or vulnerability, e.g. the well-known SYN Flood attacks. The protections against these are, of course, specific to the flaw (e.g. SYN cookies), and secure coding/design in general.

However, DDoS simply attempts to overwhelm the server/firewall by flooding it with masses of apparently legitimate requests.
Truthfully, a single firewall cannot really protect against this, since there is no real way to mark the "bad" clients. It's just a question of "best effort", such as throttling itself so it doesn't crash, load balancers and failover systems, attempting to blacklist IPs (if not according to "badness", then according to usage), and of course, actively notifying the administrators.
This last might be the most important, since in cases of apparent DDoS (I say apparent, because just regular peak usage might look like DDoS - true story) it really takes a human to differentiate the context of the situation, and figure out whether to shut down, best effort, provision another box, etc. (or employ counter-attack... ssshhh!!)

AviD
  • Counter-attack.... but how do we attack someone we can't identify with certainty? – Pacerier Dec 07 '14 at 17:36
  • IIRC, the Pentagon [researched several ways to counter-attack](http://www.securityweek.com/pentagon-boosts-spending-fight-cyber-attacks) a DDoS for their XD3 project. One of those counter-attacks they were thinking about was rockets. So ... who needs precision when you have blast radius? :) – hamena314 Aug 18 '16 at 14:13
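The answer names SYN cookies as the fix for SYN floods; the added example below (not part of AviD's answer) shows why they work: the server encodes a MAC of the connection 4-tuple and a coarse time counter into the ISN it sends in the SYN-ACK, and only allocates connection state once the client's ACK echoes a cookie that validates, so a flood of SYNs costs it no memory. The key, the 5/3/24-bit layout, the epoch length and the MSS table are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real TCP stack derives this at boot and rotates it.
SECRET = b"constructed-demo-secret"
EPOCH_SECONDS = 64                    # coarse time step encoded in the cookie
MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values recoverable from the 3-bit index
MAX_EPOCH_AGE = 2                     # accept cookies at most ~2 epochs old


def _mac24(src_ip, dst_ip, sport, dport, epoch, mss_idx):
    """24-bit truncated HMAC over the 4-tuple, epoch counter and MSS index."""
    msg = struct.pack("!4s4sHHIB", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      sport, dport, epoch, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, sport, dport, client_mss, now):
    """ISN to send in the SYN-ACK. Nothing is stored for this half-open connection."""
    epoch = int(now // EPOCH_SECONDS)
    # Largest table entry not above the MSS the client advertised (smallest as fallback)
    mss_idx = max([i for i, v in enumerate(MSS_TABLE) if v <= client_mss], default=0)
    mac = _mac24(src_ip, dst_ip, sport, dport, epoch, mss_idx)
    # Layout: 5 bits epoch counter | 3 bits MSS index | 24 bits MAC
    return ((epoch & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, dst_ip, sport, dport, ack_num, now):
    """Validate the cookie echoed in the client's ACK (ack_num == ISN + 1).
    Returns the negotiated MSS, or None if the ACK is forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    epoch_bits, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now // EPOCH_SECONDS)
    for age in range(MAX_EPOCH_AGE + 1):
        epoch = current - age
        if (epoch & 0x1F) != epoch_bits:
            continue
        expected = _mac24(src_ip, dst_ip, sport, dport, epoch, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]     # authentic: allocate the connection now
        return None                       # right epoch, wrong MAC: forged
    return None                           # no recent epoch matches: stale or bogus
```

The price of the scheme is visible in the code: TCP options that do not fit the 3-bit MSS index are lost, which is why stacks only switch cookies on once the SYN backlog is full.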
8

One type of protection against DDoS not performed directly by firewalls is to distribute the contents of the page worldwide, so that all requests that come from one country are served by a local server and the requests from another country, to the same URL or domain, are served by other local servers, distributing the load between local servers and not overloading a single server. Another point of this system is that requests do not travel too far.

This is work for DNS, and the infrastructure is called a Content Delivery Network or CDN.

Companies such as CloudFlare offer this kind of service.

kinunt
5

DDoS is usually done by sending an overwhelming amount of packets to the server, which the server will naturally try frantically to process. Once a firewall notices a possible DDoS, it may be configured to blacklist any clients with a high enough PPS (Packets Per Second).

Filters may be turned on and off at any time, so that if you experience a DDoS you may turn on a filter with a very strict ruleset.

Chris Dale
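As an added illustration of the per-source PPS blacklisting this answer describes (example code, not the author's), a sliding-window counter that blocks a source once it exceeds the limit and lets the block lapse after a timeout, run over a constructed packet stream with one normal client and one flooder. Thresholds, addresses and timings are all constructed; as g3k's comment above notes, this kind of rule keeps the server alive but does nothing for a pipe that is already saturated.

```python
from collections import defaultdict, deque


class PpsGuard:
    """Per-source packets-per-second counter with temporary blacklisting.
    Constructed illustration; real firewalls keep these counters in the datapath."""

    def __init__(self, pps_limit, window=1.0, block_seconds=60.0):
        self.pps_limit = pps_limit
        self.window = window
        self.block_seconds = block_seconds
        self.arrivals = defaultdict(deque)   # src -> arrival times inside the window
        self.blocked_until = {}              # src -> time the block lapses

    def observe(self, src, ts):
        """Decide 'accept' or 'drop' for one packet from src seen at time ts."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.blocked_until[src]      # block lapsed: start counting afresh
        window = self.arrivals[src]
        window.append(ts)
        while window and window[0] <= ts - self.window:
            window.popleft()                 # forget arrivals older than the window
        if len(window) > self.pps_limit:
            self.blocked_until[src] = ts + self.block_seconds
            del self.arrivals[src]           # no need to keep history for a blocked source
            return "drop"
        return "accept"


def run(guard, packets):
    """Feed (timestamp, src) pairs in order; return accept/drop counts per source."""
    stats = defaultdict(lambda: {"accept": 0, "drop": 0})
    for ts, src in packets:
        stats[src][guard.observe(src, ts)] += 1
    return dict(stats)


# Constructed traffic: a normal client at 5 pps and a flooder at 2000 pps, both for 2 s.
SAMPLE = sorted(
    [(i / 5, "192.0.2.7") for i in range(10)]
    + [(i / 2000, "203.0.113.9") for i in range(4000)]
)
```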
2

I would like to answer the first part of the question, that is "use a server with much resources (e.g. CPU and memory) to scale up the application". It is recommended to perform application scaling before performing server scaling. Application profiling can be broken down into the following steps:

  1. Load testing: Perform stress testing on your application through load testing tools such as pylot.
  2. Query optimization: The second task is to optimize queries, i.e. queries that may work efficiently for a small database but fail to scale up for large databases.
  3. Application sharding: deploying the most accessed content on faster disks.

There is a lot to add to this list, and a good read-up is "How to scale a web application".

Ali Ahmad