
Solved

What type of firewall do i need to stop DOS attacks?

Posted on 2009-05-01
1,149 Views
Last Modified: 2012-06-21
I operate a wireless ISP (WLAN) and have a fiber-optic backbone that provides service to a couple of hundred subscribers. A few months ago, my provider (Surewest) called to tell me about a DOS attack that was coming through on my IP address. I use a Linksys RV016 router, which handled the traffic on the network very well prior to the DOS attack. Now the DOS attack is overwhelming the router and causing a degradation in performance on my WLAN.
I know the attack is coming from the outside and the Linksys hardware firewall is doing okay, but I want to keep the attack from even getting to the router. I was looking at getting a SonicWALL firewall, but my provider said that it may stop some of it but still may not be able to completely prevent the attack from overwhelming the router.
Is there a solution that anyone can recommend to prevent DOS attacks from overwhelming the router?

FYI: I do have public IP addresses and I use NAT. I've tried to configure the firewall to "deny" certain port access and leave just the basic ones open, like 80, 8080, etc. However, it didn't seem to stop the attack. For example, in the log: "connection refused - policy violation TCP 71.115.41.177:50554->66.60.152.66:51413 on ixp1", and these happen every second, from some different IP -> to the same 66.60.152.66:something.

Any insight would be greatly appreciated.
Question by:SkyHi_Bill
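Before buying hardware it is worth measuring what the router is actually refusing: how many attempts per second, against which address and port, and from how many distinct sources. The script below is an added example written for this thread (not code from the asker or from Linksys). It parses log lines in the same "policy violation" format quoted in the question and flags any (destination, port) pair being hit by many distinct sources at a sustained rate. All sample lines, addresses (RFC 5737 documentation ranges), the syslog prefix and the thresholds are constructed assumptions.

```python
"""Constructed example: sizing a TCP flood from Linksys RV016-style firewall log lines.

Every line of SAMPLE_LOG is made up for this example (RFC 5737 documentation
addresses); only the message format copies the one quoted in the question.
"""
import re
from collections import defaultdict

# Matches the RV016 "policy violation" message; any syslog prefix before it is ignored.
LOG_RE = re.compile(
    r"connection refused - policy violation (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) on (?P<iface>\S+)"
)

# Constructed: 30 refused SYNs in one minute from 12 different sources to one
# host on port 51413, plus two unrelated refusals and one non-matching line.
SAMPLE_LOG = [
    f"May  1 10:00:{i % 60:02d} rv016: connection refused - policy violation TCP "
    f"203.0.113.{i % 12 + 1}:{40000 + i}->198.51.100.10:51413 on ixp1"
    for i in range(30)
] + [
    "May  1 10:00:05 rv016: connection refused - policy violation TCP "
    "192.0.2.7:51111->198.51.100.10:80 on ixp1",
    "May  1 10:00:09 rv016: connection refused - policy violation UDP "
    "192.0.2.8:5353->198.51.100.10:5353 on ixp1",
    "May  1 10:00:10 rv016: link up on ixp1",
]


def parse_line(line):
    """Return the fields of a policy-violation line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flood_targets(lines, window_seconds=60, min_sources=5, min_rate=0.25):
    """Group refusals by (destination, port, protocol) and flag the ones that look like a flood.

    A flood here means many distinct sources hammering one socket at a sustained
    rate over the window the lines cover; a single noisy scanner does not qualify.
    """
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["dst"], rec["dport"], rec["proto"])
        hits[key] += 1
        sources[key].add(rec["src"])
    flagged = []
    for key, n in hits.items():
        rate = n / window_seconds
        if len(sources[key]) >= min_sources and rate >= min_rate:
            dst, dport, proto = key
            flagged.append({"dst": dst, "dport": dport, "proto": proto,
                            "hits": n, "sources": len(sources[key]),
                            "per_second": rate})
    flagged.sort(key=lambda r: r["hits"], reverse=True)
    return flagged


def source_counts(lines, dst, dport):
    """Per-source hit counts for one target, busiest first: the list to hand to the upstream."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] == dst and rec["dport"] == dport:
            counts[rec["src"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for t in flood_targets(SAMPLE_LOG):
        print(f"{t['proto']} {t['dst']}:{t['dport']} {t['hits']} hits from "
              f"{t['sources']} sources ({t['per_second']:.2f}/s)")
        for src, n in source_counts(SAMPLE_LOG, t["dst"], t["dport"])[:5]:
            print(f"  {src} x{n}")
```

Two practical notes on using this against the real log. First, the output of `source_counts` is what an upstream such as Surewest needs if it is to filter before the traffic reaches the border router, so keep it rather than just the router's summary. Second, port 51413 in the quoted line is the default listening port of the Transmission BitTorrent client, so before sizing a firewall purchase it is worth checking whether a torrent client was ever run behind 66.60.152.66: a swarm of peers retrying a listening port they once learned produces exactly this many-sources-to-one-port pattern, and a deny rule on the router will not make those peers stop trying.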
6 Comments
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24284678
If you have a Cisco device you can read this guide from Cisco http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

Additionally, I know that Microsoft's ISA 2006 can detect DOS attacks and block traffic from those IP addresses temporarily.
 
LVL 3

Expert Comment

by:ccsistaff
ID: 24284885
What you need is deep packet inspection, also referred to as Intrusion Prevention System (IPS).  Cisco units can offer this feature using their Intrusion Prevention System (IPS) in either the ASA firewall line or the Cisco IOS Router with Firewall Feature Set.  The IOS and ASA offer IPS capabilities, but you'll want to load the device with as much RAM as you can because IPS features will eat as much of it as it can and has been known to crash the firewall if too many signatures are active.  SonicWALL has similar features with their IPS implementation.  In either case you'll need to pay a yearly subscription to keep up the signature updates.  Using IPS you can configure violations to drop, reset, or alert a logging server.  If you're providing ISP services to companies, it would be worth your while to monitor your firewall for attacks like this.
 

Expert Comment

by:netwhw
ID: 24286697
Shouldn't Surewest block this attack for you?
They should be able to block the packets even before they reach your border router; of course, it depends on how BIG this attack is...
Anyway, getting better equipment is a must...
 
LVL 32

Expert Comment

by:rsivanandan
ID: 24288668
Any firewall with stateful inspection properties would prevent the DOS for you. Now, what it means is the firewall will take the hit. Look for "TCP SYN cookie" on Google for more information.

Cheers,
Rajesh
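The SYN-cookie mechanism the comment above points to is what lets a stateful firewall or host "take the hit" of a SYN flood without running out of connection-table space. The simulation below is an added example written for this thread, not code from any firewall product: the server answers every SYN statelessly with a sequence number that encodes a coarse time counter, an MSS index and a keyed hash of the 4-tuple, and only allocates state when an ACK carries a cookie it could actually have issued. The 32-byte key, addresses, ports and the 64-second tick are assumptions; the bit layout (5 + 3 + 24 bits) follows the classic scheme. What changes under the flood is the resource being consumed: one HMAC per SYN instead of one table entry per SYN, which is why a box with more CPU and less memory survives it.

```python
"""Added example: the SYN-cookie idea behind a stateful firewall absorbing a SYN flood.

Simulation written for this thread, not code from any product. The server keeps
no half-open state; the initial sequence number it sends *is* the state.
Cookie layout: 5 bits time counter | 3 bits MSS index | 24 bits keyed hash.
"""
import hashlib
import hmac
import os
import socket
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit index can encode (assumed table)
TICK = 64                              # seconds per time-counter step (assumption)


class SynCookieServer:
    def __init__(self, ip, port, secret=None):
        self.ip, self.port = ip, port
        self.secret = secret or os.urandom(32)
        self.established = {}   # (client ip, port) -> negotiated MSS; filled only after a valid ACK
        self.syns_seen = 0

    def _hash24(self, cip, cport, t):
        """24-bit keyed hash over server/client addresses, ports and the time counter."""
        msg = struct.pack(">4sH4sHI", socket.inet_aton(self.ip), self.port,
                          socket.inet_aton(cip), cport, t)
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def cookie(self, cip, cport, client_mss, now):
        t = (now // TICK) & 0x1F
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        return (t << 27) | (mss_idx << 24) | self._hash24(cip, cport, t)

    def on_syn(self, cip, cport, client_isn, client_mss, now):
        """Reply to a SYN with a SYN-ACK whose sequence number is the cookie. Nothing is stored."""
        self.syns_seen += 1
        return {"seq": self.cookie(cip, cport, client_mss, now),
                "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, cip, cport, ack_num, now):
        """Accept the handshake only if ack-1 is a cookie we could have issued within one tick."""
        c = (ack_num - 1) & 0xFFFFFFFF
        t, mss_idx, h = c >> 27, (c >> 24) & 0x7, c & 0xFFFFFF
        cur = (now // TICK) & 0x1F
        if (cur - t) & 0x1F > 1:          # older than one tick: stale or replayed
            return False
        if mss_idx >= len(MSS_TABLE):
            return False
        expected = self._hash24(cip, cport, t)
        if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return False                  # forged, or sent from a different 4-tuple
        self.established[(cip, cport)] = MSS_TABLE[mss_idx]
        return True


def simulate(flood_syns=10000):
    """Spoofed flood that never completes, then one honest client, a forgery and a stale ACK."""
    srv = SynCookieServer("198.51.100.10", 80, secret=b"\x01" * 32)   # assumed fixed key
    now = 1000
    for i in range(flood_syns):       # spoofed sources never send the third packet
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + (i % 60000), 12345, 1460, now)
    entries_during_flood = len(srv.established)

    synack = srv.on_syn("192.0.2.5", 40000, 777, 1460, now)
    legit = srv.on_ack("192.0.2.5", 40000, synack["seq"] + 1, now + 30)
    forged = srv.on_ack("192.0.2.6", 40000, synack["seq"] + 1, now + 30)   # wrong source IP
    stale = srv.on_ack("192.0.2.5", 40000, synack["seq"] + 1, now + 3 * TICK)
    return {
        "syns_seen": srv.syns_seen,
        "entries_during_flood": entries_during_flood,
        "legit_accepted": legit,
        "forged_accepted": forged,
        "stale_accepted": stale,
        "negotiated_mss": srv.established.get(("192.0.2.5", 40000)),
        "time_field": synack["seq"] >> 27,
    }


if __name__ == "__main__":
    print(simulate())
```

The caveat that belongs next to this: SYN cookies only solve the state-exhaustion half of a TCP SYN flood. They do nothing about a flood that fills the link itself, which is the case the provider in the question is warning about and the reason the "block it upstream" advice in this thread still applies.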
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24300278
In addition to the above advice, I wish to add that your provider may be correct to some extent. Sometimes you cannot stop or recover from DOS attacks 100% without disrupting your service if the attacks were executed properly. There are some advanced DDOS attacks that, if executed by attackers on a large scale, could take down pretty much any host; something like distributed reflected denial of service (DRDOS) comes to mind. I have only seen this exploited by attackers twice, but I assure you it is happening. So, as advised above, one can only do so much: practice due diligence, invest in infrastructure upgrades, optimize firewall & IPS rules, hire security professionals, etc.
Further reading below:
http://staff.washington.edu/dittrich/misc/ddos/
http://palisade.plynt.com/issues/2006Apr/ddos-reflection/
Hope this helps.

 

Accepted Solution

by: ee_auto (earned 0 total points)
ID: 24825643
Question PAQ'd, 500 points not refunded, and stored in the solution database.
