Practical solutions
One of the problems when choosing an appropriate DDoS defence is that its effectiveness will only become apparent in practice. What is even worse is that this solution may lead to false positives - it is of course in nobody's interest to block regular traffic.
To this end, there are countless software-based firewalls available that allow you to set up a basic defence. If you wish to protect yourself from a SYN flood attack, you may find yourself considering iptables rules that limit the number of connections per second. However, these rules may have adverse effects. For instance, if a rule only accepts one connection per second while an attacker is trying to open 99 per second, a legitimate user has only a one percent chance of reaching the server. In other words, it becomes nearly impossible to establish a connection with a server that is under attack by as few as 99 packets per second.
Other firewall rules are only effective when an attack is poorly set up. For example, it became evident from one of the attacks on Tweakers.net that all traffic originated from the same unusual source port - consequently, blocking it was a mere triviality. Of course, we had to discover this first and, as a firewall is quite busy during a DDoS, that proved to be rather time consuming.
There are also more complex software-based solutions available. While researching the matter we stumbled on a Linux tool named Floodmon. At first, the tool seemed promising, but after a few tests it turned out that this program was hardly more effective than a handful of iptables rules.
In addition, a software-based solution requires a lot of server capacity. An attack of only 350 kpps was already enough to fully occupy the CPU core responsible for handling network traffic, leaving it hardly able to handle legitimate traffic.
To put it briefly, the disadvantage of software-based solutions on a custom-built Linux firewall is that a lot still needs to be managed manually. Moreover, the rules are likely to be either too strict for regular traffic or too broad to prevent attacks at all. On top of that, a software-based defence does not effectively protect against distributed attacks consisting of small amounts of traffic originating from many different addresses.
Ironing it out
Hardware-based solutions come in roughly three different shapes. There are, for instance, switches and routers with basic DDoS protection that you can only turn 'on' or 'off'. The question is then what gets blocked and what does not, whether they are aimed at preventing damage on the one hand or at keeping the target available on the other, and how you find out that a system is under attack.
In addition, there are generic firewalls available that can be fitted with expansion modules to counter DDoS attacks. Some well-known names in this field are Cisco, Juniper and Checkpoint, but these are not the only ones. We do not have extensive experience with these solutions, but, as far as we know, they are difficult to manage. Moreover, you often have to pay an additional amount for protection against DDoS attacks, and it is unclear to what extent these systems are able to cope with large numbers of attackers that each generate relatively small amounts of traffic.
Finally, there are appliances available that are purpose-built to counter DDoS attacks. Our new RioRey RX1810 is just that kind of appliance. The companies that dominate this market are largely unknown, at least to us. As may be expected, this group of appliances also has its disadvantages: your rack has to put up with yet more hardware and, worse still, hardware that is only able to carry out one specific task. On top of that, chances are your supplier does not sell or support such appliances.
The sky is the limit
Another possibility is to buy protection outside of your own rack. In such a 'cloud' defence, all traffic is routed via the network of a service provider; only 'clean' traffic will find its way to your web servers. This may be done on demand during a DDoS attack by modifying routing information. Obviously, your ISP has to support this service to make this work. We did not explore it in any depth, but this approach has the advantage that there is a lot more bandwidth available for dealing with a DDoS attack.
