DEV Community

timtsoitt

Posted on • Originally published at Medium on

Firewalls cannot save you from DDoS attacks!

You might argue that the headline is wrong, since WAFs do provide some level of DDoS protection. I chose it because many people somehow treat a firewall as a panacea.

What is DDoS?

To start with, you have to understand that there are two broad types of DDoS attack: volumetric and non-volumetric.

Non-volumetric DDoS attacks

When someone says a firewall can protect you from DDoS attacks, they are actually referring to non-volumetric DDoS attacks. Here the attacker sends specially crafted requests, in relatively low volume, that cause your application to stop responding to legitimate requests or even crash. The target is the application's resources (connection slots, worker threads, CPU), not your bandwidth.

One famous example is the low-and-slow attack (Slowloris is the best-known tool). The attacker opens many connections and sends each request at the slowest rate the server will tolerate: a few bytes every so often, timed just under the idle timeout, so the server never resets the connection. Since the server has a finite connection limit, once these manipulated connections occupy all the available slots, legitimate clients can no longer establish a connection.
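The mechanics described above, as an added simulation that is not part of the original post: a server with a fixed number of connection slots, one attacker trickling a byte every 29 seconds on each of its connections (just under a 30 second idle timeout) and reconnecting whenever it is dropped, and a legitimate client that tries to connect every 10 seconds. The same run is repeated with two common mitigations, a per-source connection cap (what nginx's limit_conn or haproxy's maxconn per source do) and a deadline for completing the request headers (what Apache's mod_reqtimeout does). All addresses, limits and timings are assumed values chosen for the simulation.

```python
"""Simulation of a low-and-slow connection-exhaustion attack against a
server with a fixed connection limit, plus two mitigations: a cap on open
connections per source address and a deadline for finishing the request
headers. Added illustration, not code from the post. Every limit, address
and timing is an assumed value chosen for the simulation."""
from dataclasses import dataclass


@dataclass(eq=False)          # identity semantics: each Conn is its own object
class Conn:
    src: str
    opened_at: int
    last_byte_at: int
    complete: bool = False


class Server:
    def __init__(self, max_conns=8, idle_timeout=30,
                 max_per_src=None, header_deadline=None):
        self.max_conns = max_conns              # total connection slots
        self.idle_timeout = idle_timeout        # drop after this much silence
        self.max_per_src = max_per_src          # cap on open conns per source IP
        self.header_deadline = header_deadline  # seconds allowed to finish headers
        self.conns = []

    def accept(self, src, now):
        """Return a Conn, or None if the server refuses the connection."""
        self.reap(now)
        if len(self.conns) >= self.max_conns:
            return None
        if (self.max_per_src is not None
                and sum(c.src == src for c in self.conns) >= self.max_per_src):
            return None
        conn = Conn(src, now, now)
        self.conns.append(conn)
        return conn

    def receive(self, conn, now, complete=False):
        conn.last_byte_at = now
        conn.complete = conn.complete or complete

    def close(self, conn):
        self.conns.remove(conn)

    def reap(self, now):
        """Drop connections that went silent for longer than idle_timeout and,
        if a header deadline is set, requests still incomplete past it."""
        self.conns = [
            c for c in self.conns
            if now - c.last_byte_at <= self.idle_timeout
            and not (self.header_deadline is not None and not c.complete
                     and now - c.opened_at > self.header_deadline)
        ]


def simulate(server, duration=120, attack_conns=8, trickle=29,
             attacker="203.0.113.5", client="192.0.2.7"):
    """Run `duration` one-second ticks. The attacker tries to hold
    `attack_conns` connections, sends one header byte on each every
    `trickle` seconds (just under the idle timeout) so the request never
    completes, and reconnects whenever a connection is dropped. A legitimate
    client connects every 10 s, finishes its request and closes.
    Returns (client_accepted, client_refused)."""
    held, accepted, refused = [], 0, 0
    for t in range(duration + 1):
        server.reap(t)
        held = [c for c in held if c in server.conns]   # forget dropped conns
        while len(held) < attack_conns:
            c = server.accept(attacker, t)
            if c is None:
                break
            held.append(c)
        for c in held:
            if t - c.last_byte_at >= trickle:
                server.receive(c, t)                    # one byte, headers still open
        if t and t % 10 == 0:
            c = server.accept(client, t)
            if c is None:
                refused += 1
            else:
                accepted += 1
                server.receive(c, t, complete=True)
                server.close(c)
    return accepted, refused


if __name__ == "__main__":
    for label, srv in [
        ("idle timeout only", Server()),
        ("per-source cap", Server(max_per_src=3)),
        ("header deadline only", Server(header_deadline=20)),
        ("cap + deadline", Server(max_per_src=3, header_deadline=20)),
    ]:
        print(f"{label:22s} accepted/refused = {simulate(srv)}")
```

With only an idle timeout the client is refused on all 12 attempts. The per-source cap alone lets every client attempt through, because the single attacking address can never hold more than 3 of the 8 slots. The header deadline alone still refuses every attempt in this run: it bounds how long each connection can be held, but an attacker that reconnects immediately refills the pool between the client's attempts. That is why real deployments combine a per-source cap with request timeouts rather than relying on either one.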

Non-volumetric attacks usually come with signatures, such as the same source IP, the same request payload, the same User-Agent, or the same abnormal timing. Whenever a Web Application Firewall (WAF) recognises a signature, it can block the malicious requests before they reach your server. The caveat is that a signature only helps against traffic that is actually distinguishable from legitimate traffic; an attacker who randomises the payload and spreads requests over many sources forces you back onto rate limits and behavioural rules.
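The two signatures named above (same source IP, same payload) as detection logic run over access-log lines. This is an added example, not code from the post or from any WAF product: a sliding-window request counter per source address, plus a rule that fires when one identical request line and User-Agent pair arrives from many different sources within the window. The log lines are constructed inside build_sample_log() and the thresholds are assumed values; a real WAF would apply the same kind of rules inline rather than over a log file.

```python
"""Signature-based detection of the kind a WAF or reverse proxy applies to
application-layer floods, fed with access-log lines: a per-source request
rate limit and a rule that fires when one identical request payload arrives
from many sources. Added illustration, not code from the post. The log
lines are constructed in build_sample_log() and all thresholds are assumed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


class FloodDetector:
    def __init__(self, window=10, per_ip_limit=20, sig_limit=30, sig_min_sources=5):
        self.window = timedelta(seconds=window)
        self.per_ip_limit = per_ip_limit        # requests per source per window
        self.sig_limit = sig_limit              # identical requests per window...
        self.sig_min_sources = sig_min_sources  # ...from at least this many sources
        self.by_ip = defaultdict(deque)         # ip  -> (timestamp, ip) in window
        self.by_sig = defaultdict(deque)        # sig -> (timestamp, ip) in window
        self.blocked_ips, self.blocked_sigs = set(), set()

    def _trim(self, dq, now):
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def observe(self, rec):
        """Return the verdict for one request: allow, block_ip, block_sig, or
        blocked (matched a rule that already fired)."""
        now, ip = rec["ts"], rec["ip"]
        sig = (rec["req"], rec["ua"])           # request line + User-Agent
        if ip in self.blocked_ips or sig in self.blocked_sigs:
            return "blocked"
        ipq = self.by_ip[ip]
        ipq.append((now, ip))
        self._trim(ipq, now)
        if len(ipq) > self.per_ip_limit:
            self.blocked_ips.add(ip)
            return "block_ip"
        sigq = self.by_sig[sig]
        sigq.append((now, ip))
        self._trim(sigq, now)
        if (len(sigq) > self.sig_limit
                and len({src for _, src in sigq}) >= self.sig_min_sources):
            self.blocked_sigs.add(sig)
            return "block_sig"
        return "allow"


def build_sample_log():
    """Constructed sample: a few normal visitors, one source hammering /login,
    and six sources sending the same request from a scripted client."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def line(ip, secs, req, ua, status=200):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{req}" {status} 512 "-" "{ua}"'

    lines = [line(f"198.51.100.{i + 1}", i, f"GET {p} HTTP/1.1", "Mozilla/5.0")
             for i, p in enumerate(["/", "/about", "/blog", "/contact", "/pricing"])]
    lines += [line("203.0.113.9", 10 + i // 5, "GET /login HTTP/1.1", "curl/8.0")
              for i in range(25)]
    bots = [f"203.0.113.{20 + i}" for i in range(6)]
    lines += [line(ip, 30 + j, "POST /search?q=zzzz HTTP/1.1", "python-requests/2.31")
              for j in range(6) for ip in bots]
    return lines


def run(lines, detector=None):
    """Feed log lines through the detector; return verdict counts and the
    blocked source addresses and payload signatures."""
    det = detector or FloodDetector()
    verdicts = Counter(det.observe(rec) for rec in map(parse, lines) if rec)
    return dict(verdicts), det.blocked_ips, det.blocked_sigs


if __name__ == "__main__":
    counts, ips, sigs = run(build_sample_log())
    print(counts, ips, sigs)
```

On the constructed sample the single source is blocked on its 21st request in the window and the shared payload is blocked on its 31st occurrence once it has been seen from at least five sources; everything after a rule fires is dropped without further bookkeeping. The five normal visitors are never touched. The per-signature rule is the one that catches a small botnet whose individual members stay under the per-source limit, which is exactly the traffic a pure per-IP rate limit misses.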

Volumetric DDoS attacks

As the name implies, volumetric means the attacker sends overwhelming traffic towards your server. The objective is to exhaust your network bandwidth, and nothing sitting behind that bandwidth can stop it: a firewall can drop the packets, but by the time it sees them they have already filled the link. The golden rule is to have more bandwidth than the attacker can consume.

In reality you won't have that much bandwidth, because you have to pay for it. While a big corporation may own a 10 Gbps link, the biggest DDoS attacks nowadays are measured in terabits per second.

Think of a trillion people (the DDoS attack) surrounding your house (the server). Although they don't have the key to get in (the firewall blocks their connections), your family members (normal users) also struggle to reach the house because the road is jammed (bandwidth exhausted). You can't force the crowd to leave because you don't own the road (the bandwidth belongs to your ISP; you only pay for the right to use it).

Where is the myth coming from?

To answer this question, I can think of several possible reasons.

The word firewall is overloaded

There are many types of firewall: network firewalls (hardware appliances), host firewalls (Windows Defender Firewall, iptables, ufw) and web application firewalls (WAFs), and each of them operates on different traffic.

People sometimes use the words WAF and firewall interchangeably. To laymen, however, firewall most probably means Windows Defender. It is common that the knowledge they perceive eventually becomes: Windows Defender can mitigate DDoS attacks. It sounds funny, but the sad truth is that I have heard similar statements multiple times in the past.

Use of inaccurate words

Wording should be accurate, but that does not always hold in real-world conversation. People familiar with DDoS attacks tend to use the word mitigate, as in to mitigate DDoS attacks.

I have heard many alternative words when people talk about mitigating DDoS attacks, such as stop and prevent. These alternatives are confusing (and also incorrect). It is not surprising that when people keep saying and hearing stop DDoS attacks, they come to believe DDoS attacks can be stopped.

And now the statement becomes Windows Defender can stop DDoS attacks...

In practice there is no way to stop DDoS attacks, let alone prevent them. Instead, DDoS protection focuses on minimizing their impact.

How to mitigate DDoS attacks?

Short version
Cloudflare (or another DDoS mitigation provider).

Long version
There is a term called script kiddie. It refers to amateur hackers who use existing tools to attack people for fun. There are plenty of off-the-shelf tools for launching DDoS attacks, so if you are suffering from a volumetric DDoS attack, the truth is that it might just be a kid running one of them.

Launching a DDoS attack is that easy, while buying bandwidth is costly. Paying a company that specializes in DDoS protection (such as Cloudflare) is a far more viable and cheaper option: their networks have aggregate capacity far beyond any single link you could buy, spread across many locations, so the flood is absorbed before it reaches you. Moreover, these DDoS protection services often come with WAF capability, so by subscribing you get protection against both non-volumetric and volumetric DDoS attacks. One caveat: the protection only works if the traffic actually goes through the provider, so restrict your origin to accept connections only from the provider's address ranges; otherwise an attacker who discovers the origin address simply goes around it.

Conclusion

Please use these statements from now on.

WAFs can be used to mitigate non-volumetric DDoS attacks.

and

Contact DDoS protection service providers if you need to mitigate DDoS attacks.

Readings

Introduction of DDoS
Record high of DDOS

Top comments (3)

Dosa Nasyak

Cloudflare is not the best option for anti-ddos. They have a good CDN, but it is better to look for protection elsewhere.

Nik Mikhailov

What will definitely protect you is a good protection provider. Spend your money on some G-core or AWS and "sleep well".

Ho Norbert

I agree, I use Gcore, I am very pleased. Excellent service and good customer care.