Firewalls Make DDoS Attacks Worse 217

jfruhlinger writes "Firewalls are an important part of any network setup — but if you put them in front of your Web servers, they become a single point of failure in the event of a DDoS attack. "Folks do it because they have been programmed to do it," says one security expert, but he urges you to avoid this setup at all costs."
  • Long on Rhetoric (Score:5, Insightful)

    by hduff ( 570443 ) <hoytduffNO@SPAMgmail.com> on Tuesday February 01, 2011 @02:13PM (#35070154) Homepage Journal

    Short on specifics.

  • Arbor Networks (Score:5, Insightful)

    by Anonymous Coward on Tuesday February 01, 2011 @02:18PM (#35070254)

    Arbor Networks, the people who did this "study", sell DDoS solutions. Of course they're going to say that anything you do other than pay them to provide your solution is a bad idea.

    Yeah, poorly configured and managed firewalls can't handle a big DDoS attack. Duh, neither could a poorly configured server of any kind (e.g. web server or whatever).

    Nothing to see here.

  • by Anonymous Coward on Tuesday February 01, 2011 @02:20PM (#35070288)

    We're forced to deploy "legacy" network firewalls by standards (such as the PCI DSS) or regulations (such as MA 201CMR1700). If you are confronted with an auditor without imagination your compensating controls are misunderstood and findings ensue.

  • Would you rather (Score:5, Insightful)

    by D3 ( 31029 ) <`moc.liamg' `ta' `gninnehddivad'> on Tuesday February 01, 2011 @02:22PM (#35070314) Journal

    be taken offline by a DDOS or have your web server compromised by an exploit that has unfettered access to it? A DDOS will only cost me revenue while I'm not available. Having my server hacked will cost me downtime AND recovery costs. A real security person would take a risk based approach. In this case, the risk to other damages (i.e. server compromise, theft of credit cards, loss of customer confidence) is much higher than the risk of being down due to DDOS. I think Arbor are now making it onto my list of companies to avoid.
  • Flawed logic (Score:5, Insightful)

    by Smallpond ( 221300 ) on Tuesday February 01, 2011 @02:22PM (#35070326) Homepage Journal

    Also don't build taller walls, because it just encourages attackers to bring taller ladders.

  • by Svartalf ( 2997 ) on Tuesday February 01, 2011 @02:23PM (#35070336) Homepage

    Looks like it. Single point of failure in a DDoS? If they choke your inbound pipe (the very definition of a DDoS...) having it on a DMZ or unprotected will not help prevent things from crushing your connectivity. In many cases, the Firewall can actually handle higher transaction traffic than the webserver can. If you're doing a load-balanced setup, he might be right, but that's not the premise he apparently led with.
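The disagreement between the summary ("the firewall becomes a single point of failure") and this comment ("the firewall can often handle more than the web server") comes down to which stateful device fills up first. The toy capacity model below is an added example, not code from the article, Arbor Networks, or any commenter; it assumes that both a firewall connection table and a server worker pool can be modelled as a fixed number of slots, each held for a configurable number of seconds, and that a connection refused by the first hop never reaches the second. All capacities, timeouts and rates are constructed illustrations, not measurements from the page.

```python
"""Toy model: which stateful hop saturates first under a connection flood?

Each hop (a firewall connection table, a server worker pool) holds one slot
per connection for `hold_secs`. Steady-state occupancy is roughly
rate * hold_secs (Little's law), so the hop whose capacity that exceeds is the
bottleneck. Every number used here is a constructed assumption for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class StatefulHop:
    name: str
    capacity: int                  # maximum simultaneous entries
    hold_secs: int                 # how long each entry lives (idle timeout / request time)
    active: deque = field(default_factory=deque)  # expiry times, oldest first
    accepted: int = 0
    dropped: int = 0

    def tick(self, now: int) -> None:
        # Free every entry whose hold time has elapsed.
        while self.active and self.active[0] <= now:
            self.active.popleft()

    def admit(self, now: int) -> bool:
        # Refuse the connection when the table is full; otherwise reserve a slot.
        if len(self.active) >= self.capacity:
            self.dropped += 1
            return False
        self.active.append(now + self.hold_secs)
        self.accepted += 1
        return True


def simulate(chain, rate_per_sec, seconds):
    """Push `rate_per_sec` new connections per second through the hops in order.

    A connection must be admitted by every hop; the first hop that refuses it
    is charged with the drop and later hops never see it.
    Returns {hop name: number of connections it dropped}.
    """
    for t in range(seconds):
        for hop in chain:
            hop.tick(t)
        for _ in range(rate_per_sec):
            for hop in chain:
                if not hop.admit(t):
                    break
    return {hop.name: hop.dropped for hop in chain}


def run_scenario(fw_capacity, fw_hold, srv_capacity, srv_hold, rate, seconds=120):
    """Firewall in front of a web server; returns per-hop drop counts."""
    chain = [
        StatefulHop("firewall", fw_capacity, fw_hold),
        StatefulHop("server", srv_capacity, srv_hold),
    ]
    return simulate(chain, rate, seconds)


def bottleneck(drops):
    """Name of the hop that dropped the most connections, or None if nobody dropped."""
    worst = max(drops, key=drops.get)
    return worst if drops[worst] > 0 else None


if __name__ == "__main__":
    # 1. Long idle timeout on the firewall: its table fills although the server is idle.
    spof = run_scenario(fw_capacity=10_000, fw_hold=60, srv_capacity=500, srv_hold=1, rate=200)
    print("long firewall timeout:", spof, "->", bottleneck(spof))
    # 2. Firewall sized well above the server: the server saturates first (Svartalf's point).
    srv = run_scenario(fw_capacity=10_000, fw_hold=60, srv_capacity=50, srv_hold=1, rate=100)
    print("small server pool:    ", srv, "->", bottleneck(srv))
    # 3. Same flood as 1, but with the firewall idle timeout cut from 60 s to 10 s.
    tuned = run_scenario(fw_capacity=10_000, fw_hold=10, srv_capacity=500, srv_hold=1, rate=200)
    print("short firewall timeout:", tuned, "->", bottleneck(tuned))
```

Scenario 1 is the summary's "single point of failure": the server never exceeds 200 busy workers, yet the firewall drops traffic once 10,000 long-lived entries accumulate. Scenario 2 is this comment's case, where the firewall absorbs the load and the server is what fails. Scenario 3 shows that the difference is configuration, not the presence of a firewall: the same table with a shorter idle timeout sustains the same flood without a single drop, which is the "poorly configured" distinction made elsewhere in the thread.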

  • by RobertM1968 ( 951074 ) on Tuesday February 01, 2011 @03:03PM (#35070988) Homepage Journal

    The article says that poorly deployed firewalls and IPS systems create a single point of failure.

    So do poorly deployed network cables, or poorly deployed almost anything that hosts rely on to handle all their traffic (power solutions, switches, etc). By the definition of what a firewall is supposed to accomplish, a poorly deployed one obviously creates a lot of problems or provides little protection.

    Also, water is wet.

  • by Anonymous Coward on Tuesday February 01, 2011 @03:11PM (#35071092)

    So basically what you're saying is that you have not the slightest clue how the internet, firewalls or networks in general work. And you seem to think that a port is somehow a physical thing.

  • by passthecrackpipe ( 598773 ) <passthecrackpipe AT hotmail DOT com> on Tuesday February 01, 2011 @04:29PM (#35072038)

    In a surprise revelation, a vendor of anti-DDOS equipment claimed that everybody else is doing it wrong, and leaves several subtle hints that their own equipment and services are the only true defence against a concerted DDOS attack. In a further shocking comment, the article disclosed that almost everybody else is constantly under some form of DDOS attack, hinting that you might be next. As a final nail in the coffin of your amateurish "Network Security" the experts reveal that there is nothing you can do - the better you protect your systems, and the more traffic your current systems will be designed to handle, the more aggressive attackers will become.
