On Tue, Feb 1, 2011 at 2:25 PM, David Burgess <[email protected]> wrote:
> An article popped up on /. today, and although it's a poorly written
> article, some of the ensuing discussion did provoke some thought.
>
> http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse
>
> I think the article is mostly just scare marketing, but it raises the
> question of how a firewall would best react to a DDOS scenario.

The article would be more accurate to say "network components that are
inadequately sized or configured to handle a DDoS attack make them
worse". I've seen DDoS attacks with a packet rate to kill a Cisco
router at the edge with as simple of a routing configuration as can
possibly exist, but not nearly enough to kill the firewall sitting
behind it. For most of us it doesn't matter at all; we simply don't have
enough bandwidth, unless it's a lame attacker or you have a 10 Gb
Internet pipe (even that wouldn't be nearly enough for some attacks).

From experience fighting a number of DDoS attacks, what generally
happens is they'll throw enough at you to knock you offline, whatever
that takes. If you're running with a default 10000 state table, that
doesn't take much. Increase that and the attack gets bigger. At which
point you may max out your hardware's ability to handle states. Drop
in a box with more RAM and a much bigger state table, PF state timer
tweaks that can help when you have very high rates of state insertions
and deletions, and the attack gets bigger still - usually at this
point exhausting your Internet bandwidth. At which point you're stuck,
your ISP has to help you, nothing you put in place is going to relieve
the fact that your pipe is full. Usually they'll blackhole route the
affected IP so all your other IPs can function normally, and may do
other things depending on their infrastructure and the specific
attack. That's oversimplified a bit, but they've all followed that
same line.

If not properly sized and configured to handle a DDoS of the scale you
may see in your environment, yes your firewall is probably going to be
the first thing to fall over (unless you have an inadequate router in
front of it). But it really doesn't matter, as even if it does stand up,
in my experience at the level that virtually all of us are responsible for
(1-2 Gb Internet at most), they're going to kill your connection
regardless of what you have behind it.

If you're Google, Facebook, Yahoo, etc. yeah, you don't want firewalls
in front of your web farm. If you have a few hundred servers or less
(varying depending on specifics of the environment), it virtually
never matters, make sure you have decent settings in place to handle
as much as possible, and have a good relationship with your provider
and discuss with them in advance what they will do to help if you're
hit with a DDoS, and don't worry about it. Having a firewall as a
single ingress and egress point into small- to mid-sized hosting
environments is beneficial for many reasons, and, properly sized and
configured, it's not going to leave you any worse off when under DDoS
attack than you're going to be anyway.

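As an added illustration (not part of the thread), here is a pf.conf fragment showing the two knobs the reply refers to: a state table much larger than the 10000-entry default, and adaptive/shortened state timeouts for periods of very high state insertion and deletion. The numeric values are assumptions for a box with a few GB of RAM; on pfSense the same limits are exposed under System > Advanced rather than edited in pf.conf directly.

```pf
# Added example, not from the original post. Values are assumptions.

# Raise the state table well above the 10000-entry default. Each state
# costs kernel memory, so watch "current entries" in `pfctl -si` and
# the hard limits in `pfctl -sm` while under load.
set limit states 1000000

# Adaptive timeouts: once the table holds adaptive.start states, every
# timeout is scaled down linearly, reaching zero at adaptive.end. Idle
# and half-open states are shed first when a flood drives the state
# insertion/deletion rate up, instead of the table simply filling.
set timeout { adaptive.start 600000, adaptive.end 1000000 }

# Shorten the life of states that never complete a TCP handshake, which
# is what a SYN flood leaves behind (pf defaults: 120 s and 30 s).
set timeout { tcp.first 30, tcp.opening 10 }

# Verify after loading: `pfctl -st` prints the effective timeouts,
# `pfctl -si` shows state count plus insert/remove rates per second.
```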