How to Protect the Stateful Firewall from DDoS
Watch this demo to see NETSCOUT’s Arbor Edge Defense (AED) in action:
- Learn why firewalls are not designed to stop DDoS attacks, especially state exhaustion attacks.
- Learn why other stateful devices such as VPN concentrators, load balancers or IDS/IPS are also susceptible to state exhaustion DDoS attacks.
- See AED, deployed in front of the firewall and using stateless packet processing technology, protect a firewall from an inbound state exhaustion DDoS attack.
The modern-day firewall is a common and very important component of the network security stack. With its position at the edge of the network, the firewall is asked to do many things beyond just blocking network connections, such as conducting NAT, VPN termination, virus and malware protection and even DDoS protection. With each additional task the firewall is taxed and pushed beyond its limits and design. This is especially true when it comes to DDoS defense. Due to the stateful nature of a firewall, it is very susceptible to state exhaustion DDoS attacks. When pushed, firewall vendors will recommend that you do not rely upon the firewall for DDoS defense. Instead, they and industry best practices recommend that a dedicated, stateless DDoS protection solution be deployed in front of the firewall to protect it and the services behind it.
NETSCOUT’s Arbor Edge Defense (AED) is such a solution. Deployed on-premises, in front of the firewall and using stateless packet processing technology, AED can stop all types of DDoS attacks, especially state exhaustion attacks that threaten the availability of the firewall and other stateful devices behind it. AED can act as a first line of defense to also block non-DDoS attacks such as inbound scanning or brute force attacks, taking load off the firewall. AED can also act as a last line of defense to block outbound IoCs that have been missed by the firewall.
What is stateless DDoS protection?
Network-based cybersecurity solutions use two different methods of packet inspection.
- Stateful inspection - Also known as dynamic packet filtering, this is the technology used in most next-generation firewalls and intrusion detection/prevention systems. This method of inspection monitors the state of known active connections and uses this information to determine which network packets to allow through or block. This sort of protection is good for blocking access to specific applications, port scans, etc.
- Stateless inspection - With this method, packets are either allowed onto the network or denied access based on their source or destination address, or on some other static information such as a particular value in a packet header (e.g. a header regex). This method of inspection doesn’t track individual connections or sessions, but makes a “go / no go” decision on a packet-by-packet basis. This type of inspection is better for detecting and blocking DDoS attacks (i.e. TCP state exhaustion) and for blocking reputation-based IoCs in bulk.
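The two inspection methods above differ in one structural way: a stateful device keeps a bounded connection table, while a stateless device makes a per-packet decision with no memory of prior packets. The following added example (not NETSCOUT's or AED's code; written here for illustration) models both against the same constructed packet stream so the state exhaustion failure mode is visible: the stateful table fills with half-open entries and then refuses a legitimate client's new connection, whereas the stateless filter, applying a source blocklist and a header regex, keeps admitting the legitimate client regardless of volume. The `Packet` record, the TEST-NET addresses, the `win=0` header marker used as a signature, and the table size are all constructed assumptions, not real packet parsing or a real detection signature.

```python
import re
from collections import namedtuple

# Constructed packet model: source, destination, destination port, TCP flags
# and a raw header string for the regex-style match. Not a real packet parser.
Packet = namedtuple("Packet", "src dst dport flags header")


class StatefulInspector:
    """Tracks connections in a bounded table. Each new half-open (SYN only)
    entry consumes a slot; once the table is full, every new connection is
    refused, legitimate or not. That is the state exhaustion failure mode."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = {}  # (src, dst, dport) -> connection state
        self.dropped_new = 0  # new connections refused because the table was full

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            if "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "allow"
        if "SYN" in pkt.flags:
            if len(self.table) >= self.max_entries:
                self.dropped_new += 1
                return "drop"
            self.table[key] = "SYN_RECEIVED"
            return "allow"
        return "drop"  # non-SYN packet with no known connection


class StatelessInspector:
    """Per-packet go / no-go decision: a source address blocklist (bulk IoCs)
    plus header regexes. Keeps no connection table, so volume cannot fill one."""

    def __init__(self, blocked_sources, header_patterns):
        self.blocked = set(blocked_sources)
        self.patterns = [re.compile(p) for p in header_patterns]

    def process(self, pkt):
        if pkt.src in self.blocked:
            return "drop"
        if any(p.search(pkt.header) for p in self.patterns):
            return "drop"
        return "allow"


LEGIT_SRC = "198.51.100.7"  # constructed legitimate client (TEST-NET-2)


def build_traffic(flood_count):
    """Constructed sample stream: many half-open SYNs from distinct TEST-NET-1
    sources carrying a contrived 'win=0' header marker, followed by one
    legitimate client's SYN and ACK."""
    flood = [
        Packet(f"192.0.2.{i % 254 + 1}", "203.0.113.10", 443, {"SYN"}, f"win=0 ttl={i % 7}")
        for i in range(flood_count)
    ]
    legit = [
        Packet(LEGIT_SRC, "203.0.113.10", 443, {"SYN"}, "win=65535 ttl=64"),
        Packet(LEGIT_SRC, "203.0.113.10", 443, {"ACK"}, "win=65535 ttl=64"),
    ]
    return flood + legit


def run_scenario(flood_count=200, table_size=100):
    """Run the same traffic through both inspectors and summarise the outcome."""
    traffic = build_traffic(flood_count)
    stateful = StatefulInspector(table_size)
    # The 'win=0' pattern is a constructed signature for this sample only.
    stateless = StatelessInspector(blocked_sources=[], header_patterns=[r"\bwin=0\b"])
    results = {}
    for name, insp in (("stateful", stateful), ("stateless", stateless)):
        verdicts = [(pkt.src, insp.process(pkt)) for pkt in traffic]
        results[name] = {
            "legit_allowed": all(v == "allow" for s, v in verdicts if s == LEGIT_SRC),
            "flood_allowed": sum(1 for s, v in verdicts if s != LEGIT_SRC and v == "allow"),
        }
    results["stateful"]["table_entries"] = len(stateful.table)
    results["stateful"]["new_conn_dropped"] = stateful.dropped_new
    return results


if __name__ == "__main__":
    for name, summary in run_scenario().items():
        print(name, summary)
```

With the defaults (200 flood SYNs against a 100-entry table), the stateful model admits the first 100 half-open connections, fills up, and then drops the legitimate client's SYN along with the remaining flood; the stateless model drops every flood packet on the header match and passes both legitimate packets. The point is not the toy signature but the structure: a device that must remember connections has a resource an attacker can exhaust, and a per-packet filter placed in front of it does not.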