In a recent interview with the GovCyberHub, NETSCOUT’s Richard Hummel spoke about the common misconception that firewalls protect federal government agencies’ networks against DDoS cyberattacks. He explained that, “Firewalls do little to protect against a DDoS attack and are designed for other types of cyber threats like exploitation and brute-forcing attacks.”
If this is the case, then how can federal agencies properly protect their network infrastructures from these attacks that are only getting more complex, sophisticated, and powerful?
Last month, NETSCOUT’s Director of Product Marketing, Tom Bienkowski, hosted the “What’s Protecting Your Firewall?” webinar to examine why firewalls aren’t designed to stop DDoS attacks and to explain how to effectively protect firewalls against this type of threat.
Firewalls are not silver bullets
Bienkowski opened the webinar by reviewing the “Security Triad,” which consists of confidentiality, availability, and integrity. Firewalls fall under the confidentiality component of the triad, but over the years firewalls have been pushed to do and be more than what they were originally designed to be.
A modern-day firewall is now viewed as a security stack consolidator, expected to enforce policy and to provide antivirus protection, spyware detection, VPN termination, sandboxing, and DDoS protection. But as Bienkowski explained throughout the webinar, firewalls are not designed to adequately provide DDoS protection, leaving federal government agencies open and vulnerable to DDoS attacks.
And even in cases when firewalls do block threats, they do not give the proper visibility or context to what was blocked, further cementing the fact that firewalls are not designed for DDoS detection and protection. Bienkowski explained that even industry analysts and firewall vendors themselves recommend that organizations do not use firewalls for DDoS protection.
State of DDoS
To provide a better understanding of the threat that today’s DDoS cyberattacks pose to federal government agencies, Bienkowski reviewed recent DDoS statistics from NETSCOUT’s Threat Intelligence Report.
In 2020, there were more than 10 million DDoS attacks, which represents a 20 percent increase from 2019. During last year’s pandemic lockdown period alone, attack frequency increased by 25 percent. And as attack frequency increased, so did the complexity of DDoS attacks. Last year, there was a staggering 2,851 percent increase in DDoS attacks that utilized 15 or more attack vectors.
As the year went on, DDoS attacks grew in bandwidth, throughput, and efficiency. Due to their growth in sophistication, attacks no longer required long durations to have an impact on organizations, resulting in attack frequency dropping by 51 percent.
This observed growth in DDoS complexity poses major risks to federal agency cybersecurity infrastructures. And as Bienkowski pointed out, firewalls are not the solution to thwarting these types of DDoS threats.
Design of a DDoS attack
Bienkowski then took a deep dive into the different types of DDoS attacks that government agency firewalls are currently facing.
The first is an application layer attack. Application layer attacks are long, slow, and designed to exhaust resources on application, web, and database servers. And since they don’t violate any protocol rules, they are extremely stealthy and difficult to recognize.
When resources are pushed to exhaustion during an application layer attack, applications slow down and are ultimately denied. Bienkowski explained that application-layer attacks are just as powerful as volumetric attacks, which are designed to saturate bandwidth. Volumetric attacks can reach multiple terabits per second, saturating internet-facing circuits and denying access to everything behind that circuit.
Another type of attack that Bienkowski examined was a TCP state exhaustion attack. These attacks are designed to impact stateful devices like firewalls. He noted that there are many stateful devices within agencies’ network cybersecurity stacks, which are extremely vulnerable to DDoS attacks.
Bienkowski explained that when a DDoS attack is executed, all three of these types of attacks are occurring simultaneously, further reinforcing the need for more complex, intelligent, and automated DDoS attack protection solutions for federal government agencies.
Stateless protection is the solution
According to Bienkowski, the solution to effectively protect federal agency network firewalls essentially comes down to stateful versus stateless protection. He emphasized that both are needed.
He explained that stateful inspection is what next-generation firewalls use to analyze active connections, and that it’s extremely effective at blocking access to specific applications, which is what today’s firewalls are required to do.
In stateless inspection, there is no concept of an active connection. Instead, each individual packet is analyzed, and an “accept” or “deny” decision is made on a per-packet basis. Bienkowski explained that stateless inspection happens in front of a firewall, and that it’s much better at blocking certain types of DDoS attacks because it holds no connection state for those attacks to exhaust.
Essentially, the solution to effective firewall protection is to add stateless protection in front of the stateful cybersecurity stack. This means stateless protection becomes the first line of defense for an agency’s next-generation firewall.
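The following is an added illustration, not code from the webinar or from NETSCOUT, of the two points above: why a stateful device is exposed to TCP state exhaustion (the attack type described earlier) and why a per-packet, stateless filter placed in front of it does not share that weakness. The `Packet` class, the `StatefulFirewall` and `StatelessFilter` classes, the allowed-service policy, the anti-spoofing address list, and the flood traffic are all constructed for this example; the flood is deliberately built from unroutable (spoofed) source addresses so that a purely per-packet rule can recognise it, which is only one of the cases a stateless device handles.

```python
"""Constructed example: stateful connection tracking vs stateless per-packet filtering."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "TCP" or "UDP"
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


# Constructed policy: the only services this (hypothetical) agency exposes to the internet.
ALLOWED_SERVICES = {("TCP", 80), ("TCP", 443)}

# Source ranges that must never appear on packets arriving FROM the internet (anti-spoofing).
# Documentation ranges (e.g. 203.0.113.0/24) are left out on purpose so the constructed
# "legitimate client" below is treated as a routable address.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]


def invalid_tcp_flags(flags: frozenset) -> bool:
    """Flag combinations that never occur in a legitimate TCP exchange."""
    return (not flags) or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags


class StatefulFirewall:
    """Toy model of a stateful device: every new SYN to an allowed service must
    allocate an entry in a finite connection table; later packets are matched to it."""

    def __init__(self, max_entries: int):
        self.max_entries = max_entries
        self.table: dict = {}            # (src, dst, dport) -> connection state
        self.dropped_table_full = 0

    def process(self, pkt: Packet) -> str:
        if (pkt.proto, pkt.dport) not in ALLOWED_SERVICES:
            return "drop"
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            if "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "accept"
        if pkt.proto == "TCP" and pkt.flags == frozenset({"SYN"}):
            if len(self.table) >= self.max_entries:
                self.dropped_table_full += 1
                return "drop"            # state exhaustion: no room for a new connection
            self.table[key] = "SYN_RECEIVED"
            return "accept"
        return "drop"                    # non-SYN packet with no matching connection


class StatelessFilter:
    """Per-packet accept/deny: no connection table, nothing remembered between packets."""

    def decide(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in BOGON_NETS):
            return False                 # spoofed/unroutable source on an internet-facing link
        if (pkt.proto, pkt.dport) not in ALLOWED_SERVICES:
            return False                 # not a service that is exposed at all
        if pkt.proto == "TCP" and invalid_tcp_flags(pkt.flags):
            return False                 # protocol-violating flag combination
        return True


def spoofed_syn_flood(count: int, dst: str = "198.51.100.20") -> list:
    """Constructed flood: plain SYNs to TCP/443 from distinct spoofed 10.x.x.x sources."""
    return [Packet(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", dst, "TCP", 443,
                   frozenset({"SYN"})) for i in range(count)]


def run(packets: list, firewall: StatefulFirewall, stateless: StatelessFilter = None) -> list:
    """Pass each packet through the optional stateless filter, then the stateful firewall.
    Returns one verdict per packet: "filtered", "accept" or "drop"."""
    verdicts = []
    for pkt in packets:
        if stateless is not None and not stateless.decide(pkt):
            verdicts.append("filtered")
            continue
        verdicts.append(firewall.process(pkt))
    return verdicts


def scenario(with_stateless: bool) -> dict:
    """2000 spoofed SYNs followed by one legitimate SYN, against a 1000-entry table."""
    legit = Packet("203.0.113.10", "198.51.100.20", "TCP", 443, frozenset({"SYN"}))
    packets = spoofed_syn_flood(2000) + [legit]
    fw = StatefulFirewall(max_entries=1000)
    verdicts = run(packets, fw, StatelessFilter() if with_stateless else None)
    return {"legit_verdict": verdicts[-1],
            "table_entries": len(fw.table),
            "dropped_table_full": fw.dropped_table_full}


if __name__ == "__main__":
    print("firewall alone:       ", scenario(with_stateless=False))
    print("stateless in front:   ", scenario(with_stateless=True))
```

Run on its own, the firewall-alone scenario fills the connection table with 1000 half-open entries and then drops the legitimate client's SYN along with the rest of the flood; with the stateless filter in front, every flood packet is dropped before it can claim table space, the legitimate SYN is accepted, and the table holds a single entry. The stateless filter's memory use is the same no matter how many packets it sees, which is the property the webinar relies on.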
He went on to explain that NETSCOUT is not the only cybersecurity firm recommending this type of protection. According to Bienkowski, all the major industry analysts are recommending this as well. He explained that industry analysts agree that stateful devices like firewalls are not the most effective form of security and that they are extremely vulnerable to state exhaustion attacks.
Bienkowski went a step further and quoted a whitepaper from a well-known firewall vendor that states “…deployment of dedicated anti-DDoS protection in addition to the firewall is highly recommended.” Among those anti-DDoS solutions is NETSCOUT’s Arbor Edge Defense (AED), a stateless packet processing device that sits on-premises, just inside the internet router and outside the firewall, where it stops inbound DDoS attacks, inbound scanning and probing activity, etc. It can also act as a last line of defense by blocking outbound indicators of compromise.
For large DDoS attacks that saturate the internet-facing circuit, AED has a feature called “cloud signaling.” Cloud signaling is essentially a call for help upstream in the cloud, either to an ISP or to a cloud service, where the agency’s cloud-based DDoS protection handles those large volumetric attacks.
Bienkowski explained that these protective measures happen instantaneously, seamlessly, and intelligently. When a government agency puts AED (or some other stateless protection asset) in front of its firewall, it greatly increases its network infrastructure’s security and stops DDoS attacks in their tracks.