
Why Firewalls and Intrusion Prevention Systems Fail to Mitigate DDoS Attacks

Kanishk

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide information security policy within an organization. To secure their assets, organizations' security teams rely on firewalls, intrusion prevention systems (IPS) and web application firewalls (WAF) to prevent breaches of the CIA triad. A firewall is a policy enforcer that prevents unauthorized access to data and services, whereas an IPS blocks break-in attempts aimed at data theft and corruption. While these security controls are essential elements of a sound security strategy, contrary to common belief they are ill-equipped to mitigate modern-day DDoS attacks. Why? Because they were never designed to mitigate loss of network or service availability.

It’s in their Design

DDoS attacks aim to disrupt the normal functioning of a system by depleting its resources until it can no longer serve its users, resulting in downtime or loss of availability. As inline stateful devices, firewalls and IPS track every connection for inspection and store it in a connection table. Every packet is matched against the connection table to verify that it was transmitted over an established, legitimate connection. A typical connection table can store tens of thousands of active connections, which is sufficient for normal network activity. However, a DDoS attack may include thousands of packets per second. As a result, even before your servers give in to the DDoS, it is likely that the firewall or IPS is already toast.

What about the big picture?

Firewalls and IPS only examine individual sessions. DDoS attacks such as HTTP floods are composed of millions of legitimate sessions. Each session on its own is legitimate and cannot be marked as a threat by a firewall or IPS. For instance, Sockstress is a DDoS attack tool that opens multiple TCP sessions and does not send any data over them. How will a firewall or IPS mark them as a threat if no data is exchanged between the client and the server?

Firewalls and IPS do not start inspecting a session until the request is complete. Low-and-slow DDoS attacks such as Slowloris and R.U.D.Y. open long-running sessions with the web server that never complete their HTTP request. When too many such requests pass through, the web server stops accepting more requests, causing a DDoS.
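To make the connection-table argument concrete, here is an added simulation (not HaltDos code; the capacity, timeout, limits and addresses are constructed): a stateful device tracks sessions that carry no data, as in the Sockstress and Slowloris cases above, and since each one looks legitimate on its own, a table that only tracks them fills up and new clients are dropped; the same table with an idle timeout and a per-source connection cap keeps serving new clients.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectionTable:
    """Toy model of the connection table in an inline stateful device (firewall/IPS)."""
    capacity: int                 # maximum tracked connections
    idle_timeout: float = 0.0     # seconds without traffic before an entry is evicted; 0 = never
    per_source_limit: int = 0     # concurrent connections allowed per source address; 0 = unlimited
    table: dict = field(default_factory=dict)  # (src, sport) -> timestamp of last packet
    dropped: int = 0

    def _expire(self, now):
        if self.idle_timeout:
            for key in [k for k, last in self.table.items() if now - last > self.idle_timeout]:
                del self.table[key]

    def _from_source(self, src):
        return sum(1 for s, _ in self.table if s == src)

    def packet(self, now, src, sport):
        """Track one packet; returns True if accepted, False if the device had to drop it."""
        self._expire(now)
        key = (src, sport)
        if key in self.table:           # known session: per-session inspection sees nothing wrong
            self.table[key] = now
            return True
        over_src = self.per_source_limit and self._from_source(src) >= self.per_source_limit
        if len(self.table) >= self.capacity or over_src:
            self.dropped += 1
            return False
        self.table[key] = now
        return True


def simulate(table):
    """Constructed trace: one source (documentation address) opens 1000 sessions, one every
    0.1 s, and never sends data on them; at t=120 s fifty ordinary clients each open one
    connection. Returns how many of those fifty were accepted."""
    for i in range(1000):
        table.packet(i * 0.1, "198.51.100.7", 10000 + i)
    return sum(table.packet(120.0, f"203.0.113.{i}", 40000) for i in range(50))


if __name__ == "__main__":
    naive = ConnectionTable(capacity=1000)
    print("no timeout, no per-source cap:", simulate(naive), "of 50 new clients served")
    hardened = ConnectionTable(capacity=1000, idle_timeout=30.0, per_source_limit=20)
    print("30 s idle timeout + 20/source:", simulate(hardened), "of 50 new clients served")
```

In a distributed attack the per-source cap alone does little; the idle timeout is what bounds table occupancy to arrival rate times timeout, which can still exceed a real device's capacity, which is the post's point.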

Fill the white spaces with HaltDos

HaltDos focuses exclusively on availability threats such as DDoS attacks. It does not replace your firewall and IPS but augments them so that they can do their work without being overwhelmed. Data centers and enterprises can deploy HaltDos in front of their firewall and IPS devices to also stop other application-specific attacks and botnet communications and ensure continuity of service with zero downtime.


  1. Alpha Jernigan

    Great post. I was constantly checking this blog and I am impressed! Very helpful info, especially the last part; I care for such info a lot. I was seeking this particular info for a very long time. Thank you and good luck.
