May 26th, 2017

3 Reasons Why a Firewall Won’t Save You Against a DDoS Attack

It should go without saying that not all distributed denial of service (DDoS) defenses are created equal. Whether it’s a web application firewall (WAF), content delivery network (CDN) or traditional firewall, every “defense” has its own purpose, potential and peril.

Can firewalls prevent denial of service attacks?

Over the past couple of years, we’ve seen a steady number of organizations use firewalls to mitigate DDoS attacks. The reasoning, they claim, is that firewalls can be updated to provide protection against DDoS attacks. But the problem is firewalls were not designed or built to withstand large-scale DDoS attacks.

Without getting too technical, it’s important to note what a firewall does. Firewalls provide perimeter access control by monitoring and tracking permitted network traffic flows. In many ways, a firewall plays the role of a network’s traffic cop. It allows the good packets to proceed unimpeded and blocks bad packets from gaining access to your network.

Firewalls can be helpful in detecting an incoming DDoS attack, but it can’t do much to defend against the attack. Here are three reasons why:

1. Firewalls can be easily overwhelmed and rendered useless

Firewalls — and other on-premises hardware — have limited bandwidth, which includes the size of the circuit coming into the enterprise. Many organizations have anywhere from 1 to 5 Gbps worth of bandwidth from their internet service providers (ISPs), which sounds like a good enough number. But when you consider that the average size of a DDoS attack is 6.63Gbps, that bandwidth can quickly become overwhelmed and the attack proceeds unabated.

2. Firewall Rules Management

Firewall rules management is a dangerous way to fend off DDoS attacks because firewalls can be fooled if the strike initially appears to look like it's legitimate network traffic – like a SYN flood. DDoS protection, which provides deep packet inspection and has specific countermeasures to combat and stop all types of DDoS attacks, is very different than the static operation of using traffic rules in firewalls. Firewalls should be thought of as an element of a defense strategy, not a complete solution.

3. Not all targeted assets are behind a firewall

Websites on the perimeter network, as well as applications shared/provided with/by third-party platforms and DNS services cannot be protected by on-premise firewalls with updated rule sets. If the DDoS attack on the DNS is successful, there is no web presence and no application availability. Needless to say, that's not good.

So, what works?

Increasingly, industry experts are recommending that organizations use a comprehensive DDoS mitigation solution that’s capable of providing cloud-based protection should the attacker attempt to overwhelm the existing on-premise defense. And as attackers continue to shift and refine their tactics, solely relying on a firewall solution creates a dangerous proposition.

DDoS attacks represent an unfortunate reality for today’s companies, stinging 84% of businesses worldwide. DDoS attacks are no longer a matter of if a company will get hit, it's now a question of when, how often and how long.

To learn more about our comprehensive DDoS mitigation offerings and techniques, feel free to visit our Security solutions homepage. 

Let's Connect

Find out how Neustar can help you succeed in the connected world.

Contact Us   Give us a call 1-855-898-0036