Firewalls Fail to Stem Tide of DDoS Attacks, Survey Finds
Over-reliance on old-fashioned packet walls
By John E Dunn
November 10, 2011 — CSO — Companies still rely heavily on firewalls to defend themselves against denial-of-service attacks despite the fact that this class of device is often not up to the task, a new survey by F5 Networks has found.
The survey of 1,000 medium and large organisations in 10 countries found that up to 45 percent of respondents experience such attacks on a regular basis, a mixture of application and network-layer incursions.
About half rated denial of service attacks as highly effective with 79 percent saying they still relied on firewalls to deflect them despite 42 percent finding that such devices were ineffective against conventional attacks at the network layer.
The research also found that nearly half had detected attempts to access encrypted data on networks, with 44 percent noticing attacks against DNS servers, one of the most difficult-to-defend assets.
"Whilst many organisations can view insider threats as the most difficult to defend against, the research clearly demonstrates that external threats remain a potent force, and companies need to be aware of the most effective ways to safeguard themselves," said F5's technical director, Gary Newel.
Attacks on DNS servers were a clear worry, rated as being in the top three hard to repel attacks by a third of those asked.
"IT managers are between a rock and a hard place as attacks become more sophisticated and the cost of a breach continues to rise," said Newel.
The anxiety over DDoS attacks is far from new although exactly how to defend against it, not surprisingly, divides vendors.
Some see the best solution as being better routing infrastructure because routers are the first to handle DDoS packets as they move into a network. F5 is out to push its Big-IP Application Delivery Controllers which act in effect as load-balancing application firewalls. Another option is to use multiple layers and bundle the hardware level as a service.
During the recent launch of the Technology Operations Centre for the 2012 Olympic Games in London, organisers touted an array of security measures to counter the menace of a large DDoS disrupting content distribution from the global event.
Read more about data protection in CSOonline's Data Protection section.
The challenge of true data protection spans databases, internal and external networks, physical and offsite storage, business partners and more. These resources offer expert perspective from the basics through specific key elements of data protection strategies.
Network security basics
Protection, detection, and reaction—those are the three underlying principles your security program must embody
Computer incident detection, response, forensics
Richard Bejtlich shows how to measure and improve the maturity of your incident response
A few good IT security metrics
Stop counting blocked malware attachments and measure things that can contribute to meaningful change
5 key cloud security trends
Cloud security is evolving rapidly—stay on top of it
IT risk assessment frameworks
How to do end-to-end encryption
How to compare and use enterprise antivirus
Also find sample data protection policies in CSO's tools, templates and policies library
- The CISO's Survival Guide to Securing Data
- Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- FireEye Advanced Threat Protection KnowledgeVault
- Five Tips to Consider in a Data Security Strategy for Smartphones and Tablets
- Moving Your Email to the Trusted Cloud
- New PCI Tokenization Guidelines with QSA Expert
- #FFSec: Security pros to follow on Twitter, May 25
Follow these names on Twitter. Together, they make cyberspace a more secure place. (copy and paste) - Step right up and listen to the security barker
- Is the title 'security evangelist' really that bad?
More Salted Hash with Bill Brenner
