[fw-wiz] Re: Firewalls that generate new packets..



Let's lower the testosterone, tease out the two discussions that are running in parallel and find some useful points to share.

I hope we agree that:

1) stopping DDOS attacks directed AT you, from multiple (spoofed) sources, is something few firewalls can do if the attack is large/amplified/sustained. It's hard even with additional security measures, and cooperation from upstream providers. If someone really wants you badly and has the "connections" (pun intended) he can make life pretty miserable for you regardless of the firewall you use. [Anycasting helped root name servers withstand DDOS amplification attacks, perhaps this is promising for other applications.]

2) preventing hosts protected by a firewall you administer from acting as sources for (1) is something firewalls can do (at least in a limited capacity).

My experience is that many firewall admins worry about (1) more than (2), in part because DDOS attacks are familiar to the culture and the effects of a DDOS attack directed at your organization often have a financial and reputational impact. Only recently are botnets, fast flux hosting, and other attacks earning "pop news" attention, so until recently, dedicated and earnest security practitioners have encouraged (2).


Darren Reed wrote:
> Darden, Patrick S. wrote:
>
>> No offense, but both of you are wrong.
>> Properly configured, a simple firewall
>> CAN prevent most DOS attacks.
>>
>> Check out this SANS bulletin on "Defeating DDOS". Yes, that is my
>> name in the credits. Special task
>> force back in 2000. Sigh, and still
>> people don't know that you can use
>> a simple firewall to defeat most
>> DOS attacks... as long as you are
>> protecting the world from YOUR network.
>> ....
>> http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e
>
> I see nothing in that article that explains how a firewall
> can be used to defend against a DOS (or DDOS) attack.
>
> All I see is how to avoid being used yourself as the
> source of one - where source IP addresses are forged.
>
> When I've got an army of 100,000 pc's scattered around
> the globe ready to try and connect() to your web server
> (without spoofing an IP#), how does anything in that
> article help?
>
> Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
David Piscitello
dave@xxxxxxxxxxx
http://hhi.corecom.com/weblogindex.htm
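Point (2) above, the only thing both Patrick and Darren agree a border firewall can do, comes down to source-address validation: forward outbound packets only when the source address belongs to the site, and refuse inbound packets that claim a site address. The following is an added illustration, not code from this thread or from the SANS bulletin it cites. It models that check over a set of constructed packets and emits the equivalent nftables ruleset. The site prefixes 192.0.2.0/24 and 198.51.100.0/26 (RFC 5737 documentation ranges), the interface names eth0/eth1 and every sample packet are assumptions made for the example.

```python
"""Anti-spoofing at a site border (the "protect the world from YOUR network"
point in the thread): egress packets must carry one of the site's own source
addresses, ingress packets must not. Constructed example; see lead-in."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed site prefixes for the example (RFC 5737 documentation ranges).
SITE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]


@dataclass(frozen=True)
class Packet:
    direction: str  # "egress": LAN -> Internet, "ingress": Internet -> LAN
    src: str
    dst: str


def in_site(addr: str, prefixes=SITE_PREFIXES) -> bool:
    """True if addr falls inside one of the site's prefixes.
    ipaddress never matches across address families, so an IPv6 source
    is 'not ours' against a v4-only prefix list and is dropped on egress."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def verdict(pkt: Packet, prefixes=SITE_PREFIXES) -> str:
    """Decide ACCEPT/DROP for one forwarded packet."""
    if pkt.direction == "egress":
        # Outbound: forward only what carries one of OUR source addresses,
        # so no host behind us can emit a forged-source flood.
        return "ACCEPT" if in_site(pkt.src, prefixes) else "DROP"
    if pkt.direction == "ingress":
        # Inbound: nothing arriving from the Internet may claim to be us.
        return "DROP" if in_site(pkt.src, prefixes) else "ACCEPT"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def nft_ruleset(prefixes=SITE_PREFIXES, lan_if="eth1", wan_if="eth0") -> str:
    """Render the same policy as an nftables table (interface names assumed)."""
    elems = ", ".join(str(n) for n in prefixes)
    return f"""table inet antispoof {{
    set site_v4 {{
        type ipv4_addr
        flags interval
        elements = {{ {elems} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        iifname "{lan_if}" oifname "{wan_if}" ip saddr != @site_v4 counter drop
        iifname "{wan_if}" oifname "{lan_if}" ip saddr @site_v4 counter drop
    }}
}}
"""


# Constructed traffic sample: legitimate hosts, a private-space forgery,
# a third-party forgery (reflection style), an address just past the /26,
# an IPv6 source, and an inbound packet claiming a site address.
SAMPLE: List[Packet] = [
    Packet("egress", "192.0.2.10", "203.0.113.5"),
    Packet("egress", "10.0.0.5", "203.0.113.5"),
    Packet("egress", "203.0.113.77", "203.0.113.5"),
    Packet("egress", "198.51.100.63", "203.0.113.5"),
    Packet("egress", "198.51.100.70", "203.0.113.5"),
    Packet("egress", "2001:db8::1", "203.0.113.5"),
    Packet("ingress", "192.0.2.50", "192.0.2.1"),
    Packet("ingress", "203.0.113.5", "192.0.2.10"),
]


def filter_sample(packets=SAMPLE) -> List[Tuple[str, str, str]]:
    """Apply the policy to every sample packet; returns (direction, src, verdict)."""
    return [(p.direction, p.src, verdict(p)) for p in packets]


if __name__ == "__main__":
    for direction, src, result in filter_sample():
        print(f"{direction:7} src={src:16} {result}")
    print(nft_ruleset())
```

Note what this does and does not cover, which is exactly the line Darren draws: it stops hosts behind this firewall from sourcing spoofed traffic and rejects inbound packets forged with the site's own addresses, but a packet from a bot using its real address passes both checks, so a flood of genuine connect() attempts from many hosts is untouched by it.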

