I came across a firewall-wizards mailing list thread on DDoS from 2007 that reminds me of how long infosec practitioners have been encouraging, cajoling, or pleading with organizations and access providers to do their part to mitigate DDoS attacks. In a 28 November 2007 thread, Patrick Darden explains that:
Properly configured, a simple firewall CAN prevent most DOS attacks.
Check out this SANS bulletin on "Defeating DDOS". Yes, that is my name in the credits. Special task force back in 2000. Sigh, and still people don't know that you can use a simple firewall to defeat most DOS attacks... as long as you are protecting the world from YOUR network.
...
http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e
Note the date of the SANS report. In that 2000 report we find this still relevant - and still largely under-implemented measure as Step 1:
Step 1: Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network
Not surprisingly, the March 2000 posting of this report nearly coincides with the publication of Internet Best Common Practices (BCP) 038, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.
Fast forward to 2006. ICANN's SSAC report SAC008 DNS Distributed Denial of Service (DDoS) Attacks describes attacks against root system and top level domain name servers, and makes the same recommendation (see my summary, Do More to Prevent DDoS Attacks).
In 2007, the infosec community is still struggling to convince organizations that egress filtering is, as Paul Vixie asserted here, "Edge source address repudiation -- the dropping of packets with invalid source addresses upon their ingress across a network edge -- has more immediate beneficial impact than improving PC security."
One reason why infosec struggles with this message is that "beneficial" is not obviously "self-beneficial"; as evidence that such skepticism impedes adoption, here's another message from that 28 November 2007 thread:
I see nothing in that article that explains how a firewall can be used to defend against a DOS (or DDOS) attack.
All I see is how to avoid yourself from being used as the source of one - where source IP addresses are forged.
When I've got an army of 100,000 pc's scattered around the globe ready to try and connect() to your web server (without spoofing an IP#), how does anything in that article help?
My thinking then and now is that, if your organization is not implementing BCP 038 - if your firewall is not actively checking for spoofed source IP addresses in traffic that emanates from your network, PCs on your network will inevitably be among that army of 100,000+ PCs. My comment to the list (then):
1) stopping DDOS attacks directed AT you, from multiple (spoofed)
sources, is something few firewalls can do if the attack is
large/amplified/sustained. It's hard even with additional security
measures, and cooperation from upstream providers. If someone really wants you badly and has the "connections" (pun intended) he can make life pretty miserable for you irregardless of the firewall you use. [Anycasting helped root name servers withstand DDOS amplification attacks, perhaps this is promising for other applications.]
2) preventing hosts protected by a firewall you administer from acting as sources for (1) is something firewalls can do (at least in a limited capacity).
My experience is that many firewall admins worry about (1) more than (2) in part because DDOS attacks are familiar to the culture and the effects of a DDOS attack directed at your organization often has a financial and reputational impact.
Reconstruct the chronology of the Spamhaus or any recent DDoS attack and you'll see that neither Spamhaus, the financials, or nation-states were able to mitigate attacks without assistance, and certainly not relying on firewalls alone. To stop DDoS attacks directed AT you, you'll need a plan and partners (see my post, Preparing for the Inevitable DDoS Attack).
DDoS attacks are orders of magnitude larger and more frequent in 2013 than ever. The DDoS problem never be mitigated if every organization and every Internet access provider only implements measures that are self-beneficial. If you only see egress filtering as a way to help others, you've failed to understand the nature of the problem and the solution.
Comments
You can follow this conversation by subscribing to the comment feed for this post.