Firewalls May Weaken Websites Against Attacks

Source: SecurityNewsDaily

Firewalls protecting Web servers may actually make distributed denial-of-service (DDoS) attacks worse, a new report argues.

Arbor Networks’ just-released 2010 Infrastructure Security Report says that placing firewalls – software or physical devices that filter incoming and outgoing Internet traffic – in “front” of Internet-facing servers just creates bottlenecks that make DDoS attacks more efficient.

DDoS attacks work by bombarding websites with billions of bogus requests for information, overwhelming a site’s servers and preventing it from responding to legitimate visitors.

Putting a firewall at the point of entry creates an easy-to-fill choke point, Chelmsford, Mass.-based Arbor said, whereas the servers themselves might be better able to handle the load.

“They [firewalls] should not be placed in front of servers,” Arbor’s Roland Dobbins told Techworld. “Folks do it because they have been programmed to do it.”

While DDoS attacks are blockades rather than actual hacks and usually leave little lasting damage, they can cost affected companies and organizations millions in lost business and overtime. Cybercriminals can also use them to hold sites “hostage” until a ransom is paid.

Recent DDoS attacks launched by the online “hacktivist” group Anonymous against PayPal, MasterCard, Amazon and the governments of Egypt, Tunisia and Zimbabwe have gotten media attention because of their ostensibly political motives. But thousands of DDoS attacks every year are not disclosed.

Arbor also notes that the biggest DDoS attacks reached a colossal 100 gigabits per second this year, twice the size of 2009’s largest attacks and 10 times as large as 2005’s biggest. The report ascribes this to a cybersecurity arms race, in which better defenses force attackers to build better DDoS engines.

But there’s a weak spot: While security on PCs and servers is very good, mobile-phone networks, which are after all made up of millions of handheld computers, “are almost a decade behind,” Dobbins said.