Organizations rely on firewalls, VPN gateways, load balancers, and similar devices to protect networks from DDoS attacks. However, these devices keep per-connection information called "state" that they use to manage traffic and routing, and that state is exactly what makes them vulnerable to DDoS. One such attack, the TCP flood, tries to overwhelm a server by sending a large number of bogus connection requests. The server answers each one and allocates resources to track the pending connection, but the attacker never completes the handshake. Enough of these half-open connections exhaust the server's resources and leave it unable to accept legitimate requests. This might look like a small and simple attack, but it can be very harmful.
According to the 1H 2021 NETSCOUT Threat Intelligence Report, the most common DDoS attack vector in the first half of 2021 was the TCP ACK flood, observed more than 1.4 million times in that period. DNS reflection/amplification had previously been the most common vector, but TCP ACK floods were 19% more frequent in the first half of 2021. This shows that attackers still rely on old tactics to reach the resources they target.
Firewalls: Common Target
Firewalls are a common target of DDoS attacks. At first this seems strange, because firewalls are supposed to stop such attacks. However, firewalls are themselves vulnerable to state-exhaustion attacks such as TCP floods. They also do a poor job of detecting and stopping these attacks, and of working with other technologies that can help prevent them. In a survey of network and security practitioners, more than half said their firewalls failed to protect them, or even made things worse, during an attack. An even larger share, 83%, said their firewalls caused problems or crashed during an attack.
The Solution
Firewalls can only be protected from DDoS attacks by implementing a DDoS mitigation solution that works in a stateless or semi-stateless manner and incorporates the following features:
- Predominantly uses stateless packet processing technology.
- When stateful inspection is required, makes use of an ephemeral challenge to determine the legitimacy of the connection.
- Is deployed on customer premises, northbound of the stateful firewall, VPN gateway and other stateful devices.
- Easily integrates into the cybersecurity stack.
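The second feature above, an ephemeral challenge that validates a connection without holding state, is what classic SYN cookies implement. The block below is an added illustration written for this post, not NETSCOUT code: the device answers each SYN with a keyed-hash cookie as its sequence number, stores nothing, and accepts only the client that echoes that cookie back within the validity window. Flow addresses, ports, the secret and the time value are constructed for the demo.

```python
import hmac
import hashlib
import struct
import time
from ipaddress import ip_address

# Constructed demo key; a real device rotates it and never stores it in plain config.
SECRET = b"constructed-demo-secret"
SLOT_SECONDS = 64           # window in which a challenge stays valid (classic SYN-cookie value)
SLOT_BITS = 5               # top bits of the 32-bit cookie carry the time-slot counter
MAC_BITS = 32 - SLOT_BITS   # remaining bits carry a keyed hash of the flow

def _cookie(flow, slot):
    """32-bit challenge for flow (src_ip, src_port, dst_ip, dst_port) in a time slot."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = struct.pack("!4sH4sHQ", ip_address(src_ip).packed, src_port,
                      ip_address(dst_ip).packed, dst_port, slot)
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return ((slot & ((1 << SLOT_BITS) - 1)) << MAC_BITS) | (mac & ((1 << MAC_BITS) - 1))

def make_challenge(flow, now=None):
    """Reply to a SYN with the cookie as sequence number and remember nothing.
    A spoofed source that never answers therefore costs the device no memory."""
    slot = int(time.time() if now is None else now) // SLOT_SECONDS
    return _cookie(flow, slot)

def verify_response(flow, ack_number, now=None):
    """Validate the client's ACK: ack-1 must equal the cookie issued in the current
    or previous slot. Only a peer that really received the SYN-ACK can echo it."""
    echoed = ((ack_number - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    cur = int(time.time() if now is None else now) // SLOT_SECONDS
    for slot in (cur, cur - 1):
        if hmac.compare_digest(_cookie(flow, slot).to_bytes(4, "big"), echoed):
            return True
    return False

def handshake_outcomes(now):
    """Constructed scenario: an honest client, a forged ACK, and a stale ACK.
    Returns (honest_accepted, forged_accepted, stale_accepted)."""
    flow = ("192.0.2.10", 51515, "198.51.100.5", 443)
    cookie = make_challenge(flow, now)
    return (verify_response(flow, cookie + 1, now + 1),
            verify_response(flow, 0x12345678, now + 1),               # never issued
            verify_response(flow, cookie + 1, now + 3 * SLOT_SECONDS))  # too old
```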
You can learn more about the inherent weaknesses of stateful devices such as firewalls in NETSCOUT's white paper, Enemy of the State: Why DDoS Attacks Against Stateful Devices Have Massively Increased - and What to Do About It.
If you are under attack, or have any questions, reach out to us here.