[fw-wiz] ***SPAM*** Re: Firewalls that generate new packets..

Let's lower the testosterone, tease out the two discussions that are running in parallel and find some useful points to share.

I hope we agree that:

1) stopping DDOS attacks directed AT you, from multiple (spoofed) sources, is something few firewalls can do if the attack is large/amplified/sustained. It's hard even with additional security measures, and cooperation from upstream providers. If someone really wants you badly and has the "connections" (pun intended) he can make life pretty miserable for you irregardless of the firewall you use. [Anycasting helped root name servers withstand DDOS amplification attacks, perhaps this is promising for other applications.]

2) preventing hosts protected by a firewall you administer from acting as sources for (1) is something firewalls can do (at least in a limited capacity).

My experience is that many firewall admins worry about (1) more than (2) in part because DDOS attacks are familiar to the culture and the effects of a DDOS attack directed at your organization often has a financial and reputational impact. Only recently are botnets, fast flux hosting, and other attacks earning "pop news" attention, so until recently, dedicated and earnest security practitioners have encouraged (2).

Darren Reed wrote:
Darden, Patrick S. wrote:

No offense, but both of you are wrong.
Properly configured, a simple firewall
CAN prevent most DOS attacks.

Check out this SANS bulletin on "Defeating DDOS". Yes, that is my
name in the credits. Special task
force back in 2000. Sigh, and still
people don't know that you can use
a simple firewall to defeat most
DOS attacks... as long as you are
protecting the world from YOUR network.

I see nothing in that article that explains how a firewall
can be used to defend against a DOS (or DDOS) attack.

All I see is how to avoid yourself from being used as the
source of one - where source IP addresses are forged.

When I've got an army of 100,000 pc's scattered around
the globe ready to try and connect() to your web server
(without spoofing an IP#), how does anything in that
article help?


firewall-wizards mailing list

fn:David Piscitello
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926

firewall-wizards mailing list