Saturday, February 23, 2008

Are firewalls susceptible to DDoS?

The answer: many of them are.

Stateless packet filters are a thing of the past. Firewalls today are stateful inspection firewalls or proxy firewalls, and in both cases they keep per-connection state in a session table. A session is created for every TCP/IP connection (and, on most products, for every UDP flow as well). The firewall enforces an ACL (Access Control List) that encodes the company's policy: the first packet of any connection passing through the device is matched against the ACL, and if a rule permits the connection, a session entry is created and the remaining packets of that connection are forwarded on the strength of that entry, without a second ACL lookup.

Some firewall devices on the market add functionality beyond access control: protection from DoS (Denial of Service) attacks, traversal of complex application protocols via Application Layer Gateways (ALGs), and source/destination Network Address Translation (SNAT and DNAT). Do not assume that a firewall stops DDoS attacks effectively, and do not be fooled by marketing literature: some firewall devices cannot even protect themselves from a DDoS attack.

Because firewalls keep state, they are themselves susceptible to DDoS unless the vendor has taken precautions that go beyond plain access control. Do not bet that every firewall has them. Before recommending the features to look for in a firewall to minimize the impact of a DDoS attack, here is a brief description of the attacks themselves.

DDoS attacks: DDoS stands for Distributed Denial of Service. The attack is mounted from many external locations at the same time against internal servers and services. It produces a flood of packets or connections that disrupts service availability. Some DDoS attacks, when mounted cleverly, need little bandwidth on the attacker's side: they target a resource that is far more expensive for the victim to hold than for the attacker to request, such as a connection table entry or a slot in a listen queue.

Firewalls cannot prevent DDoS attacks completely. Some attacks can be detected and blocked automatically; others can only be detected, and further action has to be taken manually. But it is very important that the firewall does not itself become a victim of the attack, and a firewall is expected to minimize the attack's impact on the services behind it.

Some DDoS attacks are untraceable because the source IP address is spoofed. When the source IP of the attack packets is spoofed, the victim's responses are routed to the spoofed address rather than to the attacker, so the attacker never sees them. These attacks therefore consist of many packets, one packet per connection attempt, aimed at exhausting resources at the victim. For TCP, the attacker sends a large number of SYN packets with spoofed source addresses: a SYN flood. If the firewall has no defense against this, the attacker can fill the TCP listen queues of the servers and the session table of the firewall, and the whole network behind the firewall becomes unreachable to genuine users for as long as the flood continues. Fortunately, many firewalls defend against this with SYN cookies. The firewall answers the SYN itself with a SYN-ACK whose initial sequence number is a keyed hash (the cookie) of the connection's addresses, ports and a coarse timestamp, and it creates a session only when the originator answers with the next packet of the handshake, an ACK whose acknowledgment number is that cookie plus one. Until that ACK arrives nothing is stored in the session table, so spoofed SYNs cost the firewall no state. The price is that TCP options carried only in the SYN (window scaling, SACK) are lost unless the cookie encodes them, and the device must translate sequence numbers between the client-side and server-side halves of the connection once it proxies the handshake. If your firewall does not have this feature, you are better off choosing a device from another vendor that does.
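The SYN-cookie exchange described above, as an added example that is not part of the original post and not any vendor's implementation: a small Python model of a SYN-proxying firewall. The class and function names, the cookie bit layout, the MSS table and the per-device secret are assumptions made for illustration; real stacks differ in layout and in how many options they encode. The simulated flood and the client addresses are constructed inputs.

```python
import hashlib
import hmac
import secrets

# Constructed example: a SYN-proxying firewall that answers every SYN with a
# SYN cookie and allocates a session only when the client's ACK proves it saw
# that SYN-ACK. Hypothetical names and cookie layout, not a vendor's code.

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS classes encoded in 3 cookie bits
TICK_SECONDS = 60                     # coarse clock; cookies from the last 2 ticks are accepted


class SynProxy:
    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)  # per-device key (constructed)
        self.sessions = {}        # flow -> state: the firewall's session table
        self.dropped_acks = 0     # ACKs that carried no valid cookie

    @staticmethod
    def _tick(now):
        return int(now // TICK_SECONDS) & 0x1F           # 5-bit wrapping clock

    def _mac(self, flow, tick):
        src_ip, src_port, dst_ip, dst_port = flow
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{tick}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")         # 24-bit keyed hash

    def on_syn(self, flow, mss, now):
        """Return the ISN for the SYN-ACK. Deliberately creates no session state."""
        mss_idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                mss_idx = i
        tick = self._tick(now)
        # cookie layout: 5 bits tick | 3 bits MSS class | 24 bits MAC
        return (tick << 27) | (mss_idx << 24) | self._mac(flow, tick)

    def on_ack(self, flow, ack_num, now):
        """Check that ack_num - 1 is a cookie we issued for this flow recently.
        Only then is a session allocated; forged or stale ACKs cost nothing."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        tick = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        if (self._tick(now) - tick) & 0x1F > 1:          # stale or replayed cookie
            self.dropped_acks += 1
            return False
        if (cookie & 0xFFFFFF) != self._mac(flow, tick):  # wrong key, flow or tick
            self.dropped_acks += 1
            return False
        self.sessions[flow] = {"mss": MSS_TABLE[mss_idx], "since": now}
        return True


def spoofed_syn_flood(proxy, count, now=0.0):
    """SYNs from `count` spoofed sources that never answer; returns sessions created."""
    before = len(proxy.sessions)
    for i in range(count):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed spoofed source
        proxy.on_syn((src, 1024 + i % 60000, "192.0.2.10", 80), 1460, now)
    return len(proxy.sessions) - before


if __name__ == "__main__":
    fw = SynProxy()
    print("sessions after 100000 spoofed SYNs:", spoofed_syn_flood(fw, 100_000))
    client = ("203.0.113.5", 40000, "192.0.2.10", 80)
    isn = fw.on_syn(client, 1460, now=10.0)
    print("genuine ACK accepted:", fw.on_ack(client, (isn + 1) & 0xFFFFFFFF, now=10.5))
    print("forged ACK accepted:", fw.on_ack(client, 0x12345678, now=10.5))
```

The point to notice is that `on_syn` touches no table at all: a hundred thousand spoofed SYNs leave `sessions` empty, while one genuine client that echoes the cookie gets a session with its MSS recovered from the cookie bits. The two-tick acceptance window is what makes a captured cookie useless a few minutes later.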

The next question to ask when selecting a firewall is how it copes when an attacker overwhelms the network with fully established TCP connections, that is, completes the three-way handshake with a real ACK and then holds each connection open for a long time. This attack exhausts TCP servers such as HTTP, SMTP and IMAP and can also exhaust the firewall's session table, and SYN cookies do nothing against it because every connection is legitimate at the TCP level. Since the handshake completes, the source IP address cannot be spoofed, so the sources are known and the attacker can be tracked down through the service providers. The firewall should log these events and provide log analysis so the administrator can take the case up with the providers. Reporting and analysis are an important aspect of firewall selection.

UDP is a tough nut to crack when the DDoS attack is mounted on a UDP service. By sending packets with spoofed source addresses, attackers can easily overwhelm both the service and the firewall. The safest precaution is to block all inbound UDP services, but at times a company cannot do that: some popular services run over UDP, among them DNS, IKEv1/v2, SIP and RTP. RTP is not an issue for the firewall, since it requires a signaling protocol such as SIP, H.323 or MGCP to go first, and the firewall (via its ALG) opens pinholes only for the media streams that signaling negotiated.

Unlike TCP, UDP has no connection establishment phase, so the firewall cannot tell a genuine UDP packet from an attacker's. But a UDP flood against one service on one internal machine should not bring down other UDP and TCP services. The firewall must keep that flood from consuming its whole session table and keep the other services reachable: if the SIP service over UDP is being flooded, DNS over UDP and every other service should be unaffected. In my opinion, a firewall should offer a way to cap the number of simultaneous sessions for each internal service/server combination, and to cap the rate at which new sessions are created for it. Firewalls should also provide a way to reserve sessions for critical service/server combinations and for critical users, so that those are still admitted when the rest of the table is full.
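The per-service session caps, rate caps and reservations argued for in the paragraph above, together with the per-source logging and reporting that the full-connection flood paragraph asks for, as an added example that is not from the original post and not any vendor's product: a Python model of admission control in front of a session table. The `ServicePolicy` and `SessionTable` classes, the policy numbers, the addresses and the flood scenario are all constructed for illustration; time is kept in integer milliseconds to keep the sliding-window arithmetic exact.

```python
from collections import defaultdict, deque

# Constructed example: admission control in front of a firewall session table.
# Each service/server gets a session cap, a new-session rate cap, and reserved
# slots that only critical sources may use; every denial is logged per source.
# Hypothetical classes, policy numbers and addresses, not a vendor's code.
# Time is integer milliseconds.


class ServicePolicy:
    def __init__(self, max_sessions, max_new_per_sec, reserved=0, critical_sources=()):
        self.max_sessions = max_sessions          # hard cap on live sessions
        self.max_new_per_sec = max_new_per_sec    # admissions allowed per sliding second
        self.reserved = reserved                  # slots kept back for critical sources
        self.critical_sources = set(critical_sources)


class SessionTable:
    def __init__(self, global_max, policies):
        self.global_max = global_max              # whole-device session limit
        self.policies = policies                  # (dst_ip, proto, dst_port) -> ServicePolicy
        self.active = defaultdict(dict)           # service -> {flow: opened_at_ms}
        self.recent = defaultdict(deque)          # service -> admission times in last second
        self.per_source = defaultdict(int)        # src_ip -> live sessions, for reporting
        self.log = []                             # (now_ms, "deny", reason, flow)

    def count(self):
        return sum(len(s) for s in self.active.values())

    def admit(self, flow, now_ms):
        """flow = (src_ip, src_port, dst_ip, proto, dst_port). True if a session was created."""
        src_ip, _, dst_ip, proto, dst_port = flow
        svc = (dst_ip, proto, dst_port)
        pol = self.policies.get(svc)
        if pol is None:
            return self._deny(now_ms, "no-policy", flow)
        window = self.recent[svc]
        while window and now_ms - window[0] >= 1000:   # slide the one-second window
            window.popleft()
        critical = src_ip in pol.critical_sources
        if not critical and len(window) >= pol.max_new_per_sec:
            return self._deny(now_ms, "rate", flow)
        cap = pol.max_sessions if critical else pol.max_sessions - pol.reserved
        if len(self.active[svc]) >= cap:
            return self._deny(now_ms, "service-full", flow)
        if self.count() >= self.global_max:
            return self._deny(now_ms, "table-full", flow)
        self.active[svc][flow] = now_ms
        window.append(now_ms)
        self.per_source[src_ip] += 1
        return True

    def close(self, flow):
        if self.active[flow[2:]].pop(flow, None) is not None:
            self.per_source[flow[0]] -= 1

    def _deny(self, now_ms, reason, flow):
        self.log.append((now_ms, "deny", reason, flow))
        return False

    def top_sources(self, n=3):
        """Report for the administrator: sources holding the most live sessions."""
        return sorted(self.per_source.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def flood(table, sources, dst_ip, proto, dst_port, per_source, start_ms, rate):
    """Open per_source flows from each source at `rate` flows/s; return admissions."""
    admitted, i = 0, 0
    for src in sources:
        for k in range(per_source):
            admitted += table.admit((src, 1024 + k, dst_ip, proto, dst_port),
                                    start_ms + i * 1000 // rate)
            i += 1
    return admitted


# Constructed policy: three services behind one 2000-entry session table.
SIP, DNS, HTTP = ("192.0.2.10", "udp", 5060), ("192.0.2.11", "udp", 53), ("192.0.2.12", "tcp", 80)
POLICIES = {
    SIP: ServicePolicy(max_sessions=100, max_new_per_sec=50),
    DNS: ServicePolicy(max_sessions=200, max_new_per_sec=500),
    HTTP: ServicePolicy(max_sessions=500, max_new_per_sec=1000, reserved=50,
                        critical_sources={"198.51.100.7"}),
}


def scenario():
    fw = SessionTable(global_max=2000, policies=POLICIES)
    # 1. spoofed UDP flood at SIP: rate cap first, then the service cap; DNS stays reachable
    spoofed = [f"10.{(i >> 8) & 255}.{i & 255}.1" for i in range(10_000)]
    sip_admitted = flood(fw, spoofed, *SIP, per_source=1, start_ms=0, rate=1000)
    dns_ok = fw.admit(("203.0.113.9", 5353, *DNS), 10_000)
    # 2. full-connection flood at HTTP from three real (non-spoofable) sources
    attackers = ["198.51.100.21", "198.51.100.22", "198.51.100.23"]
    http_admitted = flood(fw, attackers, *HTTP, per_source=150, start_ms=20_000, rate=1000)
    normal_ok = fw.admit(("203.0.113.9", 40000, *HTTP), 21_000)      # non-critical cap reached
    critical_ok = fw.admit(("198.51.100.7", 40000, *HTTP), 21_000)   # takes a reserved slot
    return {"sip_admitted": sip_admitted, "dns_ok": dns_ok, "http_admitted": http_admitted,
            "normal_ok": normal_ok, "critical_ok": critical_ok,
            "top_sources": fw.top_sources(3), "table": fw.count()}


if __name__ == "__main__":
    print(scenario())
```

The SIP flood is held to its 50-per-second rate and then to its 100-session cap, so the table still has room for the DNS query that follows. The HTTP flood fills the 450 slots open to ordinary users; the critical source still gets in through the reserved slots, and `top_sources()` names the three attacking addresses, which is exactly the report the administrator needs to take to the providers.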

Unless a firewall provides these defense mechanisms, it cannot blunt DDoS attacks and many times cannot even protect itself.

In summary, a good firewall device must:
  • Defend against flood attacks such as SYN floods without creating state for unverified connections.
  • Identify the sources of attacks in cases where the source IP cannot be spoofed. Logging and reporting are essential features to look for.
  • Keep services available even while one of them is under attack. Session table limits and reservations per service/server combination, and flexible configuration of them, are essential to ensure the availability of the other critical services.
