Bank Attacks Round Four: "Good Guys Wield Wooden Shields in Era of Armor Piercing Ammunition"

Immutable Rule #1: All Defenses Decay as a Function of Time

By Carl Herberger, September 9, 2013.


"We've made the investments in our shields, they must work" - this statement must have been cried out by legions of ancient soldiers as this age-old defense decayed before their eyes and they were crushed on the battlefield. In fact, the graveyard is littered with 'proven' defense strategies which, given time, have decayed to pointlessness. These 'trustworthy' and 'proven' methods finally gave way to newer tactics, technology and/or awareness of the innate problems of the defense strategy itself.

Nowhere is this more self-evident than in numerous IT departments around the world trying to fight the onslaught of cyber attacks. These cyber attacks were launched for a myriad of reasons and leveraged an even greater array of tactics and techniques. In the public's eye they are mostly known as DDoS attacks, however, the truth is that these attacks have taken all forms (volume, non-volume, directed attack, intrusion, malware, etc.) and have been hurled at the near defenseless 'wooden shields' representing today's corporate IT security defenses.

The irony of today's environment is that more and more organizations realize that DDoS threats should receive higher priority in their security planning. However, many still believe that the traditional security tools such as firewalls and Intrusion Prevention Systems (IPS) can help them deal with the DDoS threat - like the belief that the wooden shield would protect an army as it always had done. I would like to explain why organizations should not count on their firewall and IPS, or any 'stateful device,' when it comes to mitigating DDoS attacks.

Earlier this year, our Emergency Response Team (ERT) released its annual security report based on dozens of DoS and DDoS attacks that occurred in 2012. The report found that in 33% of cases, the firewall and IPS devices were the main bottlenecks during the attack. In fact, the humbling truth was that, taken collectively, failure of security hardware devices represented the largest origin of business outages in 2012.

Why are firewalls and IPSs in particular so horrible at stopping DDoS attacks? The simple answer is that they were not designed to do so. Firewalls and IPSs focus on examining and preventing the intrusion of one entity at a time, but were not designed to detect the combined behavior of legitimate packets sent millions of times. Of course, this is a bit simplified. What follows, however, is a more detailed explanation of firewall and IPS shortcomings when it comes to effectively blocking DDoS attacks.

Firewalls and IPSs track all connections for inspection and store them in a connection table - this makes them 'stateful.' Statefulness is a desirable trait when dealing with integrity-based security inspection or review for known threats such as malware and intrusions. In stateful inspection, every packet is matched against the connection table to verify that it was transmitted over an established, legitimate connection.

The typical connection table can store tens of thousands of active connections, which is sufficient for normal network activity. However, a DDoS attack may include thousands, or tens of thousands of packets per second. As the first device in the organizational network to handle the traffic, the firewall or IPS will open a new connection in its connection table for each malicious packet, resulting in the quick exhaustion of the connection table. Once the connection table reaches its maximum capacity, it will not allow additional connections to be opened, ultimately blocking legitimate users from establishing connections.

Cyber attack mitigation devices, on the other hand, include a stateless protection mechanism that can handle millions of connection attempts without requiring connection table entries or exhausting other system resources.
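The two paragraphs above describe the failure mode abstractly; the following is an added illustration (not code from the original post or from any vendor's product) that models it in memory. A stateful device with a bounded connection table is fed a constructed set of connection attempts that never complete, and then a handful of legitimate clients arrive. Beside it, a stateless handshake check in the style of SYN cookies answers every attempt with a recomputable HMAC cookie and only records a connection once the client echoes that cookie back. The capacity, the flow labels and the secret are all constructed values; no network traffic is generated.

```python
"""Added example: bounded stateful connection table versus a stateless
SYN-cookie-style handshake under a flood of half-open connection attempts.
Everything here is an in-memory model with constructed inputs."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Opens a table entry for every new flow it sees, as a firewall/IPS does."""
    capacity: int
    table: set = field(default_factory=set)
    refused: int = 0

    def handle(self, flow) -> bool:
        # Known flow: pass. Unknown flow: admit only if the table has room.
        if flow in self.table:
            return True
        if len(self.table) >= self.capacity:
            self.refused += 1          # table exhausted: new connections are refused
            return False
        self.table.add(flow)
        return True


class StatelessHandshake:
    """Stores nothing per attempt: the reply carries an HMAC cookie that can be
    recomputed from the flow identifiers, so state exists only after the
    client proves it received that reply."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = set()

    def on_syn(self, flow) -> bytes:
        # Cookie derived from the flow alone; no table entry is created here.
        return hmac.new(self.secret, repr(flow).encode(), hashlib.sha256).digest()[:8]

    def on_ack(self, flow, cookie: bytes) -> bool:
        # Only a client that actually received the reply can present a valid cookie.
        if hmac.compare_digest(cookie, self.on_syn(flow)):
            self.established.add(flow)
            return True
        return False


def simulate(capacity: int = 1000, flood_attempts: int = 5000, legit_clients: int = 10) -> dict:
    """Run both models against the same constructed traffic and report what
    happened to the legitimate clients."""
    fw = StatefulFirewall(capacity)
    hs = StatelessHandshake(b"constructed-secret-for-the-example")

    # Constructed flood: many distinct sources start a connection and never finish it.
    for i in range(flood_attempts):
        flow = (f"flood-src-{i}", "server:443")
        fw.handle(flow)      # stateful device burns a table slot per attempt
        hs.on_syn(flow)      # stateless side replies and forgets

    # Legitimate clients arrive while the flood is still in the table.
    ok_stateful = ok_stateless = 0
    for c in range(legit_clients):
        flow = (f"legit-client-{c}", "server:443")
        if fw.handle(flow):
            ok_stateful += 1
        if hs.on_ack(flow, hs.on_syn(flow)):   # real client echoes the cookie
            ok_stateless += 1

    return {
        "stateful_table_size": len(fw.table),
        "stateful_refused": fw.refused,
        "legit_ok_stateful": ok_stateful,
        "stateless_state_entries": len(hs.established),
        "legit_ok_stateless": ok_stateless,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:25s} {v}")
```

With the defaults, the stateful table fills with the first thousand half-open attempts and every legitimate client after that is refused, while the stateless side ends up holding exactly the ten completed connections and nothing for the flood. The same comparison is why the "first device in the network" matters: whichever box keeps per-attempt state is the one that falls over first.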

There are many attack vectors such as HTTP floods (both encrypted and non-encrypted versions) that are composed of millions of legitimate sessions. Each session on its own is legitimate, and therefore cannot be marked as a threat by firewalls and IPS. The problem of course is that firewalls and IPS were not designed to look at the behavior of millions of concurrent sessions as a whole, but only to examine individual sessions. This eliminates the ability to identify an attack composed of millions of valid requests.
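To make the distinction between per-session inspection and whole-population analysis concrete, here is an added example (not from the original post) that runs both views over a constructed web server access log. Each line of the flood is a well-formed request to an existing path that was served with a 200, so a check applied one request at a time passes every one of them. Bucketing the same lines into ten-second windows exposes the flood by its aggregate rate and by the fact that nearly all requests in the window hit one path. The log format is Apache combined style, and the thresholds are assumptions chosen for the sample, not tuned values.

```python
"""Added example: per-request validation versus aggregate window analysis
over a constructed access log. Sample lines and thresholds are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache combined-style line: src ident user [ts] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def request_is_valid(rec) -> bool:
    """What a per-session inspection can decide: known method, sane path, served normally."""
    return (rec["method"] in {"GET", "POST", "HEAD"}
            and rec["path"].startswith("/")
            and rec["status"][0] in "23")


def flood_windows(records, window_s=10, max_rps=5.0, max_per_src=10, max_path_share=0.8):
    """Aggregate view: bucket requests into fixed windows and flag windows whose
    total rate, per-source volume or concentration on a single path is anomalous.
    Returns {window_index: [reasons]} for flagged windows only."""
    buckets = defaultdict(list)
    for r in records:
        buckets[int(r["ts"].timestamp()) // window_s].append(r)

    flagged = {}
    for idx, recs in sorted(buckets.items()):
        reasons = []
        rps = len(recs) / window_s
        if rps > max_rps:
            reasons.append(f"rate {rps:.1f} req/s exceeds {max_rps}")
        by_src = Counter(r["src"] for r in recs)
        heavy = [s for s, n in by_src.items() if n > max_per_src]
        if heavy:
            reasons.append(f"{len(heavy)} sources over {max_per_src} requests")
        top_path, top_n = Counter(r["path"] for r in recs).most_common(1)[0]
        if len(recs) > max_per_src and top_n / len(recs) > max_path_share:
            reasons.append(f"{top_n / len(recs):.0%} of requests target {top_path}")
        if reasons:
            flagged[idx] = reasons
    return flagged


def constructed_log():
    """Constructed sample: three ordinary requests, then a second window in which
    40 sources each send 8 well-formed requests to /login."""
    fmt = '{src} - - [09/Sep/2013:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 {size}'
    lines = [
        fmt.format(src="192.0.2.10", sec=0, method="GET", path="/", size=512),
        fmt.format(src="192.0.2.11", sec=3, method="GET", path="/about", size=800),
        fmt.format(src="192.0.2.12", sec=7, method="POST", path="/login", size=120),
    ]
    for i in range(40):
        for j in range(8):
            lines.append(fmt.format(src=f"198.51.100.{i}", sec=10 + j,
                                    method="GET", path="/login", size=120))
    return lines


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return {
        "requests": len(records),
        "all_individually_valid": all(request_is_valid(r) for r in records),
        "flagged_windows": flood_windows(records),
    }


if __name__ == "__main__":
    summary = analyze(constructed_log())
    print(summary["requests"], "requests; individually valid:", summary["all_individually_valid"])
    for idx, reasons in summary["flagged_windows"].items():
        print("window", idx, "->", "; ".join(reasons))
```

Note what the per-source check does not catch: every flood source stays under the per-source limit, which is exactly the situation the paragraph above describes. The window is flagged only because the detector looks at the population as a whole, something a device that judges sessions one at a time has no place to compute.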
