[c-nsp] DNS rewrite & global capabilities
Quinn Mahoney
quinn at activehost.com
Wed Jul 1 00:02:10 EDT 2009
These claims depend on the level of attack. Firewalls do have features;
for instance, they can proxy a TCP SYN connection and not send it to the
server if it doesn't get an ACK. If the firewall can sustain the
attack, and the server doesn't have SYN cookies, this would be a
mitigation of a DDoS by the firewall. Also, they obviously block
traffic, which is a security benefit.

Also, what if the attack has spoofed source addresses and is evasive of
profiling? In other words, what are you going to null route? The
ingress path of the attack packets would have to be traced and cut off
at the border of upstream providers, killing legit traffic as well.
While the real sources are hunted down, this would be the effort to
mitigate the attack. An advanced firewall or load balancer (that
multiplexes the connections) would be able to mitigate this attack.

So to me, it doesn't look like a one-size-fits-all solution.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roland Dobbins
Sent: Monday, June 29, 2009 10:17 AM
To: Cisco-nsp
Subject: Re: [c-nsp] DNS rewrite & global capabilities
On Jun 29, 2009, at 8:33 PM, Jonathan Brashear wrote:
> It seems like the ability to rewrite DNS against certain DDoS attacks
Marketing claims aside, firewalls have no utility whatsoever in terms
of defending against DDoS attacks, and actually tend to make the
situation worse and the server behind them *more* vulnerable to DDoS,
and not less, due to the limitations of the stateful capacity they
embody.
You'd be far better off using S/RTBH as a reaction tool, and depending
upon your application and its importance/scale, may wish to
investigate other tools intended to protect firewalls and the things
behind them from DDoS (full disclosure; I work for a company which
makes such tools).
But even more than that, putting your public-facing DNS (or any other
kind of server) behind a firewall is a very serious architectural
mistake; firewalls in front of public-facing servers provide no
security value whatsoever, and degrade the overall security posture
due to the issues denoted above. Far, far better to bring your
public-facing DNS servers out from behind the firewall, employ all the
various host- and application-/service-specific BCPs, ensure your DNS
architecture is properly designed and scaled, and make use of S/RTBH,
et al. to deal with DDoS.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
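For readers unfamiliar with the S/RTBH reaction tool Roland mentions, here is an added illustration of the mechanism (example configuration, not from the thread or from any vendor document): a trigger router injects a /32 for an identified attack source into iBGP with its next hop pointed at a discard address, and loose-mode uRPF on the edge routers then drops packets from that source. The AS number 64500, the discard next hop 192.0.2.1, the neighbor addresses, the route tag 66 and the sample source 203.0.113.7 are all constructed for the example.

```ios
! --- Trigger router (where the operator injects blackhole routes) ---
! Discard next hop: any route resolving to 192.0.2.1 is dropped on Null0
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64500
 neighbor 10.0.0.2 remote-as 64500
 ! Only statics tagged 66 become blackhole announcements
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
 set origin igp
!
! Operator action to blackhole a single attack source (constructed value):
ip route 203.0.113.7 255.255.255.255 Null0 tag 66
!
! --- Edge router (every border router in the AS) ---
! Same discard route so the learned /32's next hop resolves to Null0
ip route 192.0.2.1 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description upstream provider
 ! Loose uRPF: drop packets whose source route points to Null0
 ip verify unicast source reachable-via any
!
router bgp 64500
 neighbor 10.0.0.1 remote-as 64500
```

Removing the tagged static withdraws the /32 and restores traffic, so the reaction is reversible without touching the edge routers. As Quinn's reply notes, this only helps when the attacking sources are identifiable; for spoofed floods the same trigger can instead blackhole the victim's /32 by destination, at the cost of completing the outage for that host.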