Why Firewalls Are Targets for DDoS Attacks

Why Firewalls Are Targets for DDoS Attacks
Tom Bienkowski

Many cybersecurity companies rely on devices such as firewalls, virtual private networks (VPNs), load balancers, and other edge devices to protect enterprise networks from distributed denial-of-service (DDoS) attacks. But the reality is that such devices contain “state” information that’s used for routing and traffic management.

To understand the vulnerability of stateful devices, it’s helpful to look at one of the oldest types of DDoS attacks still in use today: TCP flood attack, which is one example of a broader category of state exhaustion DDoS attacks. TCP flood attacks most commonly are used to send numerous—or floods of—SYN packets to start a TCP connection to a server. The client and server then exchange a series of messages in this fashion:

  1. Client (which is not a legitimate user and more likely a DDOS attack tool) requests a connection by sending a synchronize (SYN) message to the server
  2. The server records the request for connection in a finite sized TCP state table and acknowledges the request by sending the client a synchronize-acknowledge (SYN-ACK) message
  3. Because the client is not a legitimate user, it never responds with an ACK. However, the TCP connection in the TCP state table remains open for a period of time.

Because each SYN packet uses up device resources (e.g. memory used to keep track of connection I the TCP state table), attackers simply flood the device with so many SYN messages that it eventually fills the TCP state table and stops accepting new connections. Although that might sound like a pretty simple attack with little payoff, nothing could be further from the truth.

According to the 1H 2021 NETSCOUT Threat Intelligence Report, TCP ACK flood attacks were the most common types of DDoS attacks, accounting for more than 1.4 million attacks in the first half of the year. To put that into perspective, DNS reflection/amplification attacks were the most common types of DDoS attacks for the previous two consecutive years. However, there were 19 percent more TCP-based flood attacks than reflection/amplification attacks in 1H 2021, indicating that attackers have no problem using old-school tactics to get at the enterprise resources they’re looking to nab.

Firewalls: A Sad State of Affairs

One of the top targets for such attacks is the enterprise firewall. At first glance, that seems counterintuitive, because firewalls often are touted as being capable of stopping DDoS attacks. The reality, however, is much grimmer.

Traditionally, firewalls are designed to monitor states of network traffic, using stateful packet inspection (SPI) to make decisions about the risk from incoming traffic and resource requests. But the stateful nature of firewalls makes them susceptible to state-exhaustion attacks such as TCP flood attacks. Moreover, they don’t provide visibility into DDoS attack traffic or communicate well with cloud-based solutions to mitigate such attacks.

NETSCOUT’s annual Worldwide Infrastructure Security Report (WISR), which delivers insights from a global survey of network, security, and IT decision-makers across enterprise and service provider organizations, pinpoints the seriousness of stateful attacks against firewalls. In the 16th annual WISR, more than half of respondents said their firewalls failed to protect from—or even contributed to—outages from DDoS attacks. Adding further insult to injury, 83 percent said their firewalls contributed to network and services outages and/or crashed during a DDoS attack.

The Solution: Intelligent, Stateless Mitigation

The only way to stop DDoS attacks against firewalls is to implement an intelligent DDoS mitigation solution that operates in a stateless or semi-stateless manner and integrates the following features:

  • Predominantly uses stateless packet processing technology.
  • When stateful inspection is required, makes use of an ephemeral challenge to determine the legitimacy of the connection.
  • Is deployed on customer premises, north bound of stateful firewall, VPN gateway and other stateful devices.
  • Easily integrates into the cybersecurity stack

To learn more about the inherent weaknesses of stateful devices such as firewalls, read our white paper Enemy of the State: Why DDoS Attacks Against Stateful Devices Have Massively Increased—and What to Do About It.