Security professionals are under extreme pressure to stop a dizzying array of threats against their organizations. Said one Arbor client, “ … I feel like I’m in a constant gun fight with an enemy that is surrounding me and completely stealth.”
The nature of security these days is often just trying to make the most educated guesses as quickly as possible – starting with a firewall. Why not go with what’s tried and true? The firewall is there to stop bad people from sending anyone in the organization bad information. Furthermore, the ‘next generation’ firewalls that vendors provide these days claim to stop DDoS attacks, too. Check. All set: on to the next problem.
Unfortunately, this is where many organizations fail. The reality is that while a vendor firewall may stop some DDoS attacks, in other cases it can make matters worse.
Firewalls are required to track state, which makes them extremely vulnerable to certain types of DDoS attacks. Modern day attackers know this all too well and commonly deploy TCP state exhaustion attacks that are designed to fill the state tables of firewalls. When this happens, legitimate traffic flowing through the firewall will be greatly slowed or worse — stopped altogether, thus completing the DDoS attack for the attacker.
In addition to a firewall, organizations need purpose-built, dedicated DDoS protection solutions that are constantly armed with up-to-date threat intelligence — otherwise known as Intelligent DDoS Mitigation Systems (IDMS). Today DDoS attacks are a dynamic combination of:
- Large volumetric attacks;
- TCP state exhaustion attacks; and
- Stealthy, low and slow application-layer attacks.
Taking a layered approach provides the most comprehensive protection:
- Volumetric attacks must be stopped in the cloud. In other words: using your ISP or MSSP.
- TCP and application-layer attacks should be stopped with purpose-built, stateless, DDoS protection devices, on-premise, closer to where you can control and protect your most critical services.
- Due to the dynamic multi-vector nature of modern day DDoS attacks, there must be an intelligent form of communication between the in-cloud and on-premise solutions.
- Finally, solutions must be constantly updated with the latest and greatest threat intelligence.
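To make the state-exhaustion point and the case for stateless on-premise devices concrete, here is an added toy model (not Arbor code): a stateful session table versus a SYN-cookie style stateless device, both facing a flood of half-open connections that are never completed. Table capacity, timeout, addresses and the cookie secret are constructed values.

```python
import hashlib
import hmac


class StatefulFirewall:
    """Tracks every half-open flow, like a firewall's session table."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout, self.table = capacity, timeout, {}

    def on_syn(self, flow, now):
        # reap entries older than the half-open timeout, then try to admit the flow
        self.table = {f: t for f, t in self.table.items() if now - t <= self.timeout}
        if flow in self.table:
            return True                      # retransmitted SYN for a known flow
        if len(self.table) >= self.capacity:
            return False                     # state table full: the SYN is dropped
        self.table[flow] = now
        return True

    def on_ack(self, flow, token):
        return flow in self.table            # only flows with an entry can complete


class StatelessDevice:
    """SYN-cookie style: no state is kept until the handshake proves the peer is real."""

    def __init__(self, secret):
        self.secret = secret

    def cookie(self, flow):
        msg = ",".join(map(str, flow)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]

    def on_syn(self, flow, now):
        return self.cookie(flow)             # constant cost, nothing stored

    def on_ack(self, flow, token):
        return hmac.compare_digest(token, self.cookie(flow))


def simulate(device, attack_syns):
    """Constructed scenario: attack_syns SYNs from distinct spoofed sources that never
    complete the handshake, followed by one legitimate client. Returns True if the
    legitimate client's connection is established."""
    for i in range(attack_syns):
        device.on_syn(("10.0.0.1", 80, f"198.51.100.{i}", 40000 + i), now=0)
    legit = ("10.0.0.1", 80, "203.0.113.7", 51515)
    token = device.on_syn(legit, now=1)
    return bool(token) and device.on_ack(legit, token)
```

The stateful table fails as soon as the flood reaches its capacity, while the stateless device admits the legitimate client regardless of flood size because it stores nothing per SYN.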
For other common misconceptions about DDoS, click here.
You wouldn’t think about bringing a water balloon to a gun fight right? Or is this possibly just another common misconception? Check out the video below — you may be surprised.
The post A Firewall is a Water Balloon in a Hacker’s Gun Fight appeared first on Arbor Insights - Our People, Products and Perspective.