What type of firewall do I need to stop DOS attacks?

Posted on 2009-05-01
Last Modified: 2012-06-21
I operate a wireless ISP (WLAN) and have a fiber-optic backbone that provides service to a couple hundred subscribers. A few months ago, my provider (Surewest) called to tell me about a DOS attack that was coming through on my IP address. I use a Linksys RV016 router, which handled the traffic on the network very well prior to the DOS attack. Now, the DOS attack is overwhelming the router and causing a degradation in performance on my WLAN.
I know the attack is coming from the outside and the Linksys hardware firewall is doing okay, but I want to keep the attack from even getting to the router. I was looking at getting a Sonic Firewall, but my provider said that may stop some but it still may not be able to completely prevent the attack from overwhelming the router.
Is there a solution that anyone can recommend to prevent DOS attacks from overwhelming the router?

FYI - I do have public IP addresses and I use NAT. I've tried to configure the firewall to "deny" certain port access and leaving just the basic ones open, like 80, 8080, etc. However, it didn't seem to stop the attack. For example, in the log: "connection refused - policy violation TCP> on ixp1" and these happen every second, from some different IP -> to the same something.

Any insight would be greatly appreciated.
Question by:SkyHi_Bill
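
A way to triage the refused-connection entries described in the question, as an added example that is not part of the original thread: it groups denies by target address and port and counts distinct sources, which shows whether the traffic comes from a few hosts or from many. The log layout, addresses and ports are constructed for illustration; only the "policy violation TCP ... on ixp1" wording comes from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. The layout is an assumption built around the
# fragment quoted in the question; it is not a documented RV016 log format.
SAMPLE_LOG = """\
May  1 10:00:01 Connection refused - Policy violation TCP 203.0.113.5:4312->198.51.100.10:445 on ixp1
May  1 10:00:01 Connection refused - Policy violation TCP 203.0.113.77:1093->198.51.100.10:445 on ixp1
May  1 10:00:02 Connection refused - Policy violation TCP 192.0.2.14:2201->198.51.100.10:445 on ixp1
May  1 10:00:02 Connection refused - Policy violation TCP 192.0.2.200:3377->198.51.100.10:445 on ixp1
May  1 10:00:03 Connection refused - Policy violation TCP 203.0.113.5:4313->198.51.100.10:445 on ixp1
May  1 10:00:03 Connection refused - Policy violation TCP 192.0.2.91:5120->198.51.100.10:445 on ixp1
May  1 10:00:03 Connection refused - Policy violation TCP 192.0.2.14:2290->198.51.100.20:23 on ixp1
May  1 10:00:04 System is up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?policy violation\s+\w+\s+"
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)\s+on\s+\S+",
    re.IGNORECASE,
)

def summarize(log_text):
    """Group refused connections by target and count distinct source IPs."""
    hits, sources, seconds = Counter(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a policy-violation entry
        key = (m["dst"], int(m["dport"]))
        hits[key] += 1
        sources[key].add(m["src"])
        seconds[key].add(m["ts"])
    return [
        {"dst": dst, "dport": dport, "denies": n,
         "distinct_sources": len(sources[(dst, dport)]),
         "per_active_second": n / len(seconds[(dst, dport)])}
        for (dst, dport), n in hits.most_common()
    ]

def looks_distributed(entry, min_sources=4):
    """Many sources against one target: blocking single IPs is unlikely to help."""
    return entry["distinct_sources"] >= min_sources

if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(entry, "distributed" if looks_distributed(entry) else "few sources")
```

The top entry of the summary is the address and port to report to the upstream provider when asking for filtering before the traffic reaches the router.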

    Expert Comment

    If you have a Cisco device you can read this guide from Cisco

    Additionally, I know that Microsoft's ISA 2006 can detect DOS attacks and block traffic from those IP addresses temporarily.

    Expert Comment

    What you need is deep packet inspection, also referred to as Intrusion Prevention System (IPS). Cisco units can offer this feature using their Intrusion Prevention System (IPS) in either the ASA firewall line or the Cisco IOS Router with Firewall Feature Set. The IOS and ASA offer IPS capabilities, but you'll want to load the device with as much RAM as you can because IPS features will eat as much of it as they can and have been known to crash the firewall if too many signatures are active. SonicWALL has similar features with their IPS implementation. In either case you'll need to pay a yearly subscription to keep up the signature updates. Using IPS you can configure violations to drop, reset, or alert a logging server. If you're providing ISP services to companies, it would be worth your while to monitor your firewall for attacks like this.

    Expert Comment

    Shouldn't Surewest block this attack for you?
    They should be able to block the packets even before reaching your border router; of course, it depends on how BIG this attack is...
    Anyway, getting better equipment is a must-have...

    Expert Comment

    Any firewall with stateful inspection properties would prevent the DOS for you. Now what it means is the firewall will take the hit. Look for TCP sync cookie in Google for more information.
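
The SYN cookie technique this comment points to, as an added example that is not part of the original thread: a simplified Python sketch of how a listener can answer a SYN without storing per-connection state, by encoding that state in the initial sequence number of its SYN-ACK. The key, MSS table and the 5-bit time / 3-bit MSS / 24-bit MAC layout are assumptions for illustration, not any vendor's implementation.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random secret
MSS_TABLE = [536, 1300, 1440, 1460]   # constructed MSS values the cookie can carry
TICK = 64                             # seconds per time-counter step (assumed)

def _mac24(src, sport, dst, dport, client_isn, t, idx):
    """24-bit keyed MAC over the 4-tuple, client ISN, time step and MSS index."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{t}|{idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, client_mss, now):
    """Return the ISN for the SYN-ACK. No per-connection state is kept."""
    t = now // TICK
    # Largest table entry not exceeding the client's MSS (index 0 as a floor).
    idx = max((i for i, v in enumerate(MSS_TABLE) if v <= client_mss), default=0)
    mac = _mac24(src, sport, dst, dport, client_isn, t, idx)
    return ((t % 32) << 27) | (idx << 24) | mac

def check_cookie(src, sport, dst, dport, client_isn, ack, now, max_age=2):
    """Validate the handshake's final ACK. Return the MSS, or None if not ours."""
    cookie = (ack - 1) & 0xFFFFFFFF   # the client acknowledges our ISN + 1
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    for age in range(max_age):        # accept the current and previous tick only
        t = now // TICK - age
        if t % 32 != cookie >> 27:
            continue
        expected = _mac24(src, sport, dst, dport, client_isn, t, idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]     # only now would a connection entry be created
    return None
```

A SYN from a spoofed source never produces a matching final ACK, so it never costs the listener a table entry; the device still has to receive and answer each packet.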


    Expert Comment

    In addition to the above advice, I wish to add that your provider may be correct to some extent. Sometimes you cannot stop or recover from DOS attacks 100% without disrupting your service if the attacks were executed properly. There are some advanced DDOS attacks that, if executed by attackers on a large scale, could take down pretty much any host; something like distributed reflected denial of service (DRDOS) comes to mind. I have only seen this exploited by attackers twice, but I assure you it is happening. So, as advised above, one can only do as much: practice due diligence, invest in infrastructure upgrades, optimize firewalls & IPS rules, hire security professionals, etc.
    Further reading below.
    Hope this helps.


    Accepted Solution

    Question PAQ'd, 500 points not refunded, and stored in the solution database.
