There seems to be a misconception that a DoS or DDoS can be blocked with a firewall, and it's just bugged me to no end. So I hope this will clear things up a bit.

Tiger Shark
There are two types of DoS. There's the kind that confuses, crashes or overwhelms the target with packets that are malformed or contain data/instructions designed to do that, and the kind where you "fill the pipe" with so much traffic that nothing valuable can occur until the "flood" has stopped.

The first can be stopped by patches, or by systems that recognize the attempt and intercept the traffic, or by shutting down the affected service, thus allowing other services to continue. The second type you are helpless to prevent. You need, at a minimum, your ISP to drop the packets if he can. If not, grab a beer and hope they give up before you have to drive home....

The second is a flood-type DoS that fills the pipe, in which case you are still up the river without the proverbial paddle, because the traffic in your pipe is blocking valid requests anyway, so the firewall dropping the invalid ones is of no help.

Tedob1
Dropped or not, [packets] are still traffic on the pipe. You get enough of them and you're going to be deprived of service. Not as easily as hogging the server's resources, but a DoS just the same.


Slarty
The action you need to take depends on the type of DoS attack.

If it's a web application / web server DoS attack, it needs fully formed TCP connections to be effective, therefore it cannot use spoofed IPs, so you should record the IPs and block them at your firewall. Also you can use some web server plugin modules like mod_security or its IIS equivalents to identify DoS attempts and block them, and also some lame bandwidth DoS attempts.

If it's a SYN flood, just turn SYN cookies on on your web servers or redirectors, job done.

If it's a bandwidth DoS, that is the hardest problem; it will be using spoofed source IPs set randomly, so you can't block the IPs at an upstream firewall. The DoSers will be using a TCP packet type which is part of legitimate traffic, so you can't block it upstream by flags or port numbers either.

Of course a local firewall has absolutely no effect on a bandwidth DoS, because the bandwidth is exhausted before it even gets there.

Your best bet is to work with your upstream providers, and get them to work with their peers to identify the routes used by the DoS traffic, and attempt to narrow it down to a given area, and if it's a truly distributed attack, there may be little they can do.

One option is to get your upstream provider to install some kind of QoS to somehow limit this traffic, to give established legitimate connections higher priority, or to set up a stateful firewall upstream, but again, this is dependent on how much resources your upstream provider has to throw at the problem.

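The first case Slarty describes (application-layer DoS over fully formed TCP connections, where the source IPs are real and can be recorded and blocked) can be handled with a small log-analysis script. The following is an added example and not code from the thread or any poster; it assumes an Apache/nginx "combined" access-log format and a Linux host with iptables on port 80, and the log lines it runs on are constructed in `sample_log()`. It counts requests per source IP in a sliding time window, flags IPs over a threshold, and emits the corresponding firewall rules. By the same reasoning as the post, it is useless against a spoofed bandwidth flood: the pipe is full before any of these packets reach the host.

```python
"""Flag source IPs that hammer a web server and emit iptables block rules.

Added example, not from the original thread. Assumptions: combined log
format, Linux iptables, HTTP on port 80. Only meaningful for attacks that
complete the TCP handshake (real, non-spoofed source addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_floods(lines, window=timedelta(seconds=10), threshold=50, allowlist=()):
    """Return {ip: peak_requests_in_any_window} for IPs whose peak exceeds threshold.

    Uses a sliding window over each IP's sorted timestamps so a short burst
    is caught even if the IP is quiet for the rest of the log.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts = parsed
        if ip in allowlist:  # never block monitoring hosts, load balancers, etc.
            continue
        per_ip[ip].append(ts)

    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def iptables_rules(offenders):
    """Firewall rules for the flagged IPs (inserted at top of INPUT chain)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
        for ip in sorted(offenders)
    ]


def sample_log():
    """Constructed sample: one client hammering /login, one normal browser."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):  # 120 POSTs in 6 seconds from one address
        ts = (base + timedelta(milliseconds=50 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "POST /login HTTP/1.1" 200 512 "-" "curl/7.88"')
    for i in range(3):  # a normal visitor
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.2 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    flagged = find_floods(sample_log())
    for ip, peak in flagged.items():
        print(f"{ip}: {peak} requests in a 10s window")
    for rule in iptables_rules(flagged):
        print(rule)
```

In practice you would pipe the live access log into `find_floods` and apply the emitted rules (or feed the IPs to your edge firewall). The allowlist matters: a reverse proxy or health checker in front of the server will look exactly like an attacker by request count. For the SYN flood case in the same post, the Linux equivalent of "turn SYN cookies on" is `sysctl -w net.ipv4.tcp_syncookies=1`; that is a kernel setting, not something this script touches.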

a firewall is supposed to be able to take care of a DoS attack
No, it isn't.
Slarty


Credit given to original author. Some words were changed or added in my decision on what to put here. More may be added later as I find it. Or feel free to add your own.