Why IPS and Firewalls Are Not Anti-DDoS Solutions?

March 24, 2023 | NSFOCUS

Not all distributed denial of service (DDoS) defenses are created equal. Whether it’s a Web Application Firewall (WAF), Intrusion Prevention System (IPS), Content Delivery Network (CDN) or traditional firewall, every “defense” has its own purpose, potential and peril.

Even a firewall that advertises built-in Anti-DDoS capability typically has only one way of blocking an attack: indiscriminate rate thresholds. When the threshold is reached, every application and every user on that port is blocked, and the result is an outage. Attackers know this, and they know that pushing the device over its threshold blocks legitimate users along with the attack traffic. Network and application availability is lost either way, so the goal of the denial of service is achieved.

Firewalls and IPS inspect and enforce policy one packet, flow or session at a time. They were not designed to detect the combined behavior of legitimate-looking packets sent millions of times.

Can Firewalls and IPS Prevent Denial of Service Attacks?

Over the past couple of years, we have seen a steady number of organizations rely on firewalls to mitigate DDoS attacks. The reasoning is that firewalls can be updated to provide protection against DDoS attacks. The problem is that firewalls were not designed or built to withstand large-scale DDoS attacks.

Without getting too technical, it’s important to note what a firewall does. Firewalls provide perimeter access control by monitoring and tracking permitted network traffic flows. In many ways, a firewall plays the role of a network’s traffic cop. It allows the good packets to proceed unimpeded and blocks bad packets from gaining access to your network.

Firewalls and IPS can be helpful in detecting an incoming DDoS attack, but they can’t do much to defend against the attack. Here are the reasons why:

1. Firewalls Can Be Easily Overwhelmed and Rendered Useless

Firewalls, like all on-premises hardware, sit behind a link of fixed capacity: the circuit coming into the enterprise from its internet service provider (ISP). Many organizations have 1 to 3 Gbps of upstream bandwidth, which sounds adequate, but with the average DDoS attack now above 1 Gbps the circuit itself can be saturated. Once that happens the attack proceeds unabated, and no device downstream of the link, however good its rules, can restore service; the excess traffic has to be dropped upstream.

2. Firewall Rules Management

Managing firewall rules is a risky way to fend off DDoS attacks, because a firewall is fooled when the attack initially looks like legitimate network traffic, as a SYN flood does: every packet is a valid SYN. Dedicated DDoS protection, which performs deep packet inspection and applies a specific countermeasure to each attack vector, is very different from the static application of traffic rules in a firewall. Firewalls should be treated as one element of a defense strategy, not as a complete solution.

3. Not All Targeted Assets Are Behind a Firewall

Websites in the perimeter network, applications shared with or provided by third-party platforms, and DNS services cannot be protected by on-premises firewalls, however current their rule sets. If a DDoS attack on DNS succeeds, there is no web presence and no application availability at all.

In a volumetric attack the firewall itself becomes the bottleneck, and, as point 5 below explains, firewalls and IPS cannot distinguish real users from malicious ones.

4. Firewalls and IPS Are Stateful Devices

As stateful devices, firewalls and IPS track every connection they inspect in a connection table. Each packet is matched against the table to verify that it belongs to an established, legitimate connection.

A typical connection table holds tens of thousands of active connections, which is ample for normal network activity. A DDoS attack, however, can deliver tens of thousands of new connection attempts per second, for example spoofed SYNs that will never complete a handshake. As the first device in the organization's network to handle the traffic, the firewall or IPS opens a new entry for each attempt, and every entry lingers until the half-open timeout expires, so the table is exhausted within seconds. Once it reaches capacity, no further connections can be opened, and legitimate users are locked out even though the link itself may not be saturated.

DDoS mitigation devices, by contrast, use a stateless protection mechanism (SYN cookies are the classic example) that can absorb millions of connection attempts without allocating a connection-table entry or consuming other per-connection resources until a client has proven it is real.
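The connection-table exhaustion described in point 4 and the stateless alternative in the paragraph above, as an added Python model. It is not NSFOCUS code and models no specific product; the table size, half-open timeout, flood rate, key and the simplified cookie layout are assumptions chosen to make the effect visible.

```python
"""Model of the argument above (added example, not NSFOCUS or any product's code):
a stateful connection table fills under a SYN flood and refuses legitimate clients,
while a stateless SYN-cookie check admits them without storing anything per SYN.
Table size, half-open timeout, flood rate and the cookie layout are assumptions."""
import hashlib
import hmac
import struct

SERVER = ("192.0.2.10", 443)            # constructed target
LEGIT_CLIENT = ("198.51.100.7", 51000)  # constructed legitimate client


def spoofed_flow(n):
    """n-th spoofed source of the flood; these never finish the handshake."""
    return (("spoofed-%d" % n, 40000), SERVER)


class StatefulTable:
    """Connection table as a stateful firewall/IPS keeps it: each new SYN allocates
    a half-open entry that lingers until the handshake completes or times out."""

    def __init__(self, capacity, half_open_timeout):
        self.capacity, self.timeout = capacity, half_open_timeout
        self.half_open = {}  # flow -> second the SYN arrived

    def expire(self, now):  # run once per simulated second
        for f in [f for f, t0 in self.half_open.items() if now - t0 >= self.timeout]:
            del self.half_open[f]

    def on_syn(self, flow, now):
        """Allocate an entry, or refuse the SYN when the table is full."""
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[flow] = now
        return True

    def on_established(self, flow):  # handshake done: leaves the half-open pool
        self.half_open.pop(flow, None)


def simulate_stateful(capacity=65536, half_open_timeout=30, flood_pps=8000, duration=12):
    """Per simulated second: flood_pps spoofed SYNs that are never ACKed, then one
    legitimate connection attempt. Reports how the legitimate client fared."""
    table, legit = StatefulTable(capacity, half_open_timeout), (LEGIT_CLIENT, SERVER)
    accepted, dropped, full_at = 0, 0, None
    for now in range(duration):
        table.expire(now)
        for i in range(flood_pps):
            table.on_syn(spoofed_flow(now * flood_pps + i), now)
        if table.on_syn(legit, now):
            table.on_established(legit)
            accepted += 1
        else:
            dropped, full_at = dropped + 1, now if full_at is None else full_at
    return {"legit_accepted": accepted, "legit_dropped": dropped,
            "table_full_at_second": full_at}


class StatelessSynCookie:
    """SYN-cookie style admission used by stateless mitigation: the SYN-ACK sequence
    number is a keyed hash of the flow and a coarse time slot, nothing is stored per
    SYN, and a flow is admitted only if its ACK echoes a valid cookie. (Real SYN
    cookies also encode MSS and use a different bit layout; this is simplified.)"""

    def __init__(self, key, slot_seconds=64):
        self.key, self.slot_seconds, self.syn_acks_sent = key, slot_seconds, 0

    def _cookie(self, flow, slot):
        msg = repr(flow).encode() + struct.pack(">I", slot)
        return struct.unpack(">I", hmac.new(self.key, msg, hashlib.sha256).digest()[:4])[0]

    def on_syn(self, flow, now):
        """Answer with SYN-ACK seq = cookie; allocate nothing."""
        self.syn_acks_sent += 1
        return self._cookie(flow, now // self.slot_seconds)

    def on_ack(self, flow, ack_num, now):
        """Admit only if the ACK carries cookie + 1 for the current or previous slot."""
        slot = now // self.slot_seconds
        valid = {(self._cookie(flow, s) + 1) & 0xFFFFFFFF for s in {slot, max(slot - 1, 0)}}
        return ack_num in valid


def simulate_stateless(flood_syns=96000, key=b"constructed-demo-key"):
    """Same flood volume as the stateful run (12 s x 8000 pps); no per-SYN state."""
    guard, legit = StatelessSynCookie(key), (LEGIT_CLIENT, SERVER)
    for n in range(flood_syns):
        guard.on_syn(spoofed_flow(n), now=0)  # spoofed sources never answer
    seq = guard.on_syn(legit, now=0)
    ack = (seq + 1) & 0xFFFFFFFF
    return {"syn_acks_sent": guard.syn_acks_sent,
            "legit_admitted": guard.on_ack(legit, ack, now=0),
            "forged_ack_admitted": guard.on_ack(legit, (seq + 2) & 0xFFFFFFFF, now=0),
            "replayed_later_admitted": guard.on_ack(legit, ack, now=3 * 64)}


if __name__ == "__main__":
    print(simulate_stateful())   # legitimate client refused once the table fills
    print(simulate_stateless())  # legitimate client admitted, forgery and replay refused
```

With the defaults, the table holds out for eight seconds and then refuses every new connection, the legitimate client's included, while the link carries only 8,000 small packets per second. Shortening the half-open timeout (try `half_open_timeout=5`) buys headroom, but the attacker only has to raise the rate (`flood_pps=20000`) to fill the table again; the stateless check has no table to fill.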

5. Firewalls and IPS Cannot Distinguish between Malicious and Legitimate Users

Certain DDoS vectors, such as HTTP/HTTPS floods, consist of millions of individually legitimate sessions. Each session is a well-formed request that no firewall or IPS signature can mark as a threat. Firewalls and IPS were designed to examine individual sessions, not the behavior of millions of concurrent sessions as a whole, so an attack composed of millions of valid requests is invisible to them; it only shows up when request rates, sources and targets are viewed in aggregate against a baseline.
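The per-session versus aggregate view described in point 5, as an added Python example. The access-log lines are constructed inline (not from any real server or NSFOCUS product), the baseline and botnet address sets are TEST-NET ranges, and the rate factor and per-IP limit are illustrative assumptions.

```python
"""Added example for the point above (constructed data, not NSFOCUS or any real
server's logs): every request in an HTTP flood is valid on its own, so a
per-request check and a per-IP rate rule both pass it; only aggregating the
window exposes the attack. Thresholds are illustrative assumptions."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) (?P<size>\d+)$')

BASELINE_SOURCES = ["198.51.100.%d" % i for i in range(1, 9)]     # 8 regular clients
BOTNET_SOURCES = (["192.0.2.%d" % i for i in range(1, 201)]
                  + ["203.0.113.%d" % i for i in range(1, 201)])   # 400 bots
BASELINE_PATHS = ["/", "/index.html", "/about", "/css/site.css"]


def make_window(sources, per_source, paths):
    """Constructed 60-second window of common-log-format lines: each source sends
    per_source well-formed GETs, cycling through paths, spread across the minute."""
    total, lines = len(sources) * per_source, []
    for k in range(total):
        lines.append('%s - - [10/Mar/2023:14:00:%02d +0000] "GET %s HTTP/1.1" 200 5120'
                     % (sources[k % len(sources)], (k * 60) // total, paths[k % len(paths)]))
    return lines


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparsed log line: %r" % line)
    return m.groupdict()


def per_request_ok(req):
    """The view a firewall/IPS has: one request at a time. A well-formed method,
    path and protocol gives a signature engine nothing to block."""
    return (req["method"] in {"GET", "HEAD", "POST"}
            and req["path"].startswith("/") and ".." not in req["path"]
            and req["proto"] in {"HTTP/1.0", "HTTP/1.1"})


def window_profile(lines):
    """The aggregate view over the whole window."""
    reqs = [parse_line(line) for line in lines]
    by_src = Counter(r["src"] for r in reqs)
    by_path = Counter(r["path"] for r in reqs)
    return {"requests": len(reqs), "sources": len(by_src),
            "max_per_source": max(by_src.values()),
            "top_path_share": by_path.most_common(1)[0][1] / len(reqs),
            "all_requests_valid": all(per_request_ok(r) for r in reqs)}


def per_ip_threshold_fires(profile, limit=50):
    """Firewall-style per-source rate rule: a distributed flood keeps every bot
    under it, so it never fires (and a lower limit starts hitting real users)."""
    return profile["max_per_source"] > limit


def flood_detected(profile, baseline, factor=10):
    """Behavioral decision: the window's total request rate is far above the
    learned baseline and comes from far more sources than the baseline ever saw."""
    return (profile["requests"] > factor * baseline["requests"]
            and profile["sources"] > 2 * baseline["sources"])


def demo():
    baseline = window_profile(make_window(BASELINE_SOURCES, 5, BASELINE_PATHS))
    attack = window_profile(make_window(BOTNET_SOURCES, 10, ["/search?q=a"]))
    return {"baseline": baseline, "attack": attack,
            "baseline_flagged": flood_detected(baseline, baseline),
            "attack_flagged": flood_detected(attack, baseline),
            "per_ip_rule_fires_on_attack": per_ip_threshold_fires(attack)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Every one of the 4,000 attack requests passes `per_request_ok`, and no bot exceeds ten requests a minute, so a per-IP threshold stays silent; the window-level profile (a hundredfold jump in request volume from fifty times as many sources, all on one path) is what a behavioral baseline catches.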

6. Firewalls and IPS Possess an Inappropriate Network Location

Firewalls and IPS are deployed close to the protected servers, not as the first line of defense at the network edge, yet the edge is precisely where DDoS traffic should be mitigated. As a result, attack traffic traverses the data center without being recognized as an attack by the traditional security stack. A dedicated DDoS mitigation solution, by contrast, is deployed before the access router at the ISP hand-off, where an attack can be detected and dropped early.

There is no doubt that the increasing use and sophistication of DDoS attacks has fundamentally changed the security landscape. As organizations adjust their security architecture to mitigate the rise in availability-based attacks, the tools they deploy must evolve as well. While firewalls and IPS continue to play an important role in protecting the network, today's threats require a holistic solution that secures both the network and application layers and can distinguish legitimate from illegitimate traffic to keep organizations up and running.

NSFOCUS Anti-DDoS Solution

NSFOCUS Anti-DDoS Solution covers traffic detection, attack traffic cleaning, threat visibility, proactive global threat intelligence and centralized management. It is powered by up-to-date technologies, including AI-enabled protection algorithms, global DDoS threat hunting, DDoS attack source traceback, and threat actor profiling.

NSFOCUS Anti-DDoS System is a dedicated security product that accurately identifies and cleans mixed DDoS attack traffic in the network. It can solve the following business availability issues caused by DDoS attacks:

  • The Internet-facing server cannot serve requests because the network link is saturated.
  • The business server is paralyzed, with little or no response.
  • The performance of network infrastructure such as routers and firewalls plummets, so users' internet access suffers.

NSFOCUS Anti-DDoS products use different algorithms, including traffic modeling, anti-spoofing, protocol stack behavior pattern analysis, specific application protection, user behavior pattern analysis, and dynamic fingerprint identification, to accurately identify different types of DDoS attacks and block malicious DDoS messages while letting legitimate traffic go through.

As large-scale DDoS attacks become common (the NSFOCUS Global DDoS Attack Landscape 2022 report counts, on average, one attack larger than 100 Gbps every hour), organizations must have a plan to defend against such destructive attacks. NSFOCUS Intelligent Hybrid DDoS Mitigation Solution allows users to quickly divert to NSFOCUS Cloud DDoS Protection Service (DPS) when a volumetric DDoS attack is detected.

NSFOCUS DPS is supported by 8 super scrubbing centers capable of mitigating attacks even larger than the record terabit-scale attack. Using Anycast, NSFOCUS combines near-source traffic scrubbing with service nodes across the globe. NSFOCUS also operates a global backbone service network that serves customers from the nearest node, with the lowest latency and maximum stability. NSFOCUS Cloud DPS provides 24/7 service in multiple languages to assist customers with security management and emergency response during attacks.