Is packet filtering effective?
Packet filtering (the most common method of network security) is a good way to reduce the load on the firewall's CPU, but how effective is it at preventing attacks? I can see why it would be useful for stopping things like DNS amplification, but what about denial of service attacks? What about attacks on my TCP stack? Do they get filtered?

TCP SYN flood attacks are blocked by a simple stateful firewall and are almost completely ineffective with a stateless firewall. Most TCP stack attacks are only successful if they get a return packet back to the attacker. A stateless firewall will not be able to respond to those and thus there is no traffic back to the attacker.
Chris Brumme, May 17 '11 at 4:12
@Chris - I'm assuming that this was designed for an embedded platform where it's much easier to control the CPU load. If you were doing this in a general purpose machine you'd likely want to configure some form of policy based flow control.
Tobias Schulz, May 17 '11 at 17:10
I think that your answer is actually pretty misleading. I think that one of the reasons that stateless firewalls are effective against "attack" traffic is because they're more effective at blocking other kinds of traffic, like spam. However, many DDoS attacks do have "return traffic" to the attacking system.
Chris Brumme, May 18 '11 at 4:15

3 Answers
I've tested this out and found that it is not effective at blocking any TCP-based attacks, including SYN floods, buffer overflows, or even DoS. Stateful firewalls can filter out some UDP traffic. The problem is that you need to have a system in place to prevent attacks on the underlying OS. You don't have control over what processes are being run and therefore cannot use filters. This makes it very difficult to filter out attacks of a particular type. If you know the protocol in question, you can modify the code to bypass the filter. If you don't know, you may not even be able to bypass the filter.
Filtering out UDP is fairly easy. Filtering out TCP is very difficult, but possible. Since the firewall doesn't know anything about what's running on the computer, it can't do it.
What does a packet filter do?
Packet filters are devices or programs that screen IP packets arriving on a network interface.
A packet filter allows an incoming IP packet to pass through to the target system only if the packet meets certain criteria; otherwise it drops the packet. On many firewalls the packet filter also works together with network address translation (NAT), and the two together determine how traffic is treated.
What are some ways to use packet filters? You can use packet filters to:
  Filter outgoing packets, such as those for voice communication over IP (VoIP).
  Filter traffic to and from the Internet.
  Block incoming connections on a port.
  Limit the size of packets.
  Define policies on incoming traffic based on a number of conditions.
In this example, we show a packet filter with four rules. Rule 1 allows the packet to be transmitted to the target system, while the remaining rules drop incoming packets.
A packet filter can be used as a first line of defense against intrusion attempts. Because of its simple structure, a packet filter can be created with only a few rules. Using packet filters as a first line of defense, administrators can reduce the workload on the more complicated firewall devices behind them.
The following are two examples of using a packet filter as a first line of defense. The first one does not drop incoming packets; the second one drops incoming packets that fail to meet certain criteria.
Note: To create a packet filter, make sure the configuration uses extended matches for each rule and matches on the TCP SYN flag or the ESTABLISHED state only in the first and last rules. These settings are needed for any packet filter that is used as a first line of defense. A packet filter uses port-based extended matches to enable blocking or filtering. In the following example, extended matches are used, but without specifying particular ports. A packet filter could look like this:
  RULES IPPROTOCOL
    1 = tcp SYN / tcp FIN
    2 = tcp SYN FIN
    3 = tcp SYN/FIN
If you specify tcp SYN or tcp FIN, the packet filter matches when any TCP SYN is received or when any TCP FIN is received (SYN/FIN). Any packet matching any of the three rules is allowed to pass through.
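The stateless-versus-stateful distinction in the first answer, and the "SYN for the first rule, ESTABLISHED for the last rule" layout described just above, are easier to see in working code than in prose. The following is an added example written for this page, not code from any answer or from a real firewall product. It models a tiny rule engine twice: once stateless (each inbound packet is judged on its own header, so "established" can only be approximated by "the ACK bit is set"), and once stateful (a connection table records connections opened by inside hosts or by an accepted inbound SYN). The protected network 10.0.0.0/24, the web server 10.0.0.5, the outside addresses and the seven-packet traffic sample are all constructed for the demonstration.

```python
"""Added example: minimal stateless vs. stateful TCP packet filters.

Illustrative code written for this page; not a real firewall. Addresses,
rule syntax and the packet sample are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})


PROTECTED_NET = "10.0.0."   # constructed "inside" prefix
WEB_SERVER = "10.0.0.5"     # constructed host exposing port 80 to the world


def is_inbound(p: Packet) -> bool:
    return not p.src.startswith(PROTECTED_NET)


def conn_key(p: Packet):
    """Direction-independent 4-tuple so replies map to the same connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


# A rule is (predicate, verdict). The predicate sees the packet and whether the
# firewall already tracks its connection (always False for a stateless filter).
Rule = Tuple[Callable[[Packet, bool], bool], str]


def new_http(p: Packet, _established: bool) -> bool:
    """First rule: let fresh SYNs (SYN set, ACK clear) reach the web server."""
    return (p.dst == WEB_SERVER and p.dport == 80
            and "SYN" in p.flags and "ACK" not in p.flags)


def ack_bit_set(p: Packet, _established: bool) -> bool:
    """A stateless filter's only approximation of ESTABLISHED: trust the ACK bit."""
    return "ACK" in p.flags


def tracked(_p: Packet, established: bool) -> bool:
    """Last rule of the stateful filter: the connection is in the table."""
    return established


class StatelessFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        if not is_inbound(p):
            return "ACCEPT"              # outbound traffic is not filtered here
        for pred, verdict in self.rules:  # first match wins
            if pred(p, False):
                return verdict
        return "DROP"                    # default policy


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack = set()           # FIN/RST teardown omitted for brevity

    def decide(self, p: Packet) -> str:
        key = conn_key(p)
        if not is_inbound(p):
            self.conntrack.add(key)      # inside host opened or continued a flow
            return "ACCEPT"
        verdict = "DROP"
        for pred, v in self.rules:
            if pred(p, key in self.conntrack):
                verdict = v
                break
        if verdict == "ACCEPT":
            self.conntrack.add(key)      # an accepted inbound SYN creates the entry
        return verdict


STATELESS_RULES: List[Rule] = [(new_http, "ACCEPT"), (ack_bit_set, "ACCEPT")]
STATEFUL_RULES: List[Rule] = [(new_http, "ACCEPT"), (tracked, "ACCEPT")]


def run(fw, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


ATTACKER, PEER, CLIENT = "203.0.113.7", "198.51.100.2", "10.0.0.9"
F = frozenset
SAMPLE = [                                                   # constructed traffic
    Packet(ATTACKER, 40000, WEB_SERVER, 80, F({"SYN"})),        # 0 new web connection
    Packet(WEB_SERVER, 80, ATTACKER, 40000, F({"SYN", "ACK"})), # 1 server replies
    Packet(ATTACKER, 40000, WEB_SERVER, 80, F({"ACK"})),        # 2 handshake completes
    Packet(CLIENT, 51000, PEER, 443, F({"SYN"})),               # 3 inside host goes out
    Packet(PEER, 443, CLIENT, 51000, F({"SYN", "ACK"})),        # 4 legitimate reply in
    Packet(ATTACKER, 40001, WEB_SERVER, 22, F({"ACK"})),        # 5 forged ACK aimed at sshd
    Packet(ATTACKER, 40002, WEB_SERVER, 22, F({"SYN"})),        # 6 SYN aimed at sshd
]

if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter(STATELESS_RULES)),
                     ("stateful", StatefulFilter(STATEFUL_RULES))):
        print(name, run(fw, SAMPLE))
```

Packets 0 to 4 are accepted by both filters. Packet 5 is the difference: the stateless filter sees the ACK bit and lets a packet that belongs to no connection through to port 22, which is exactly how ACK-based scans and packets aimed at an internal TCP stack slip past "! --syn"-style rules, while the stateful filter drops it because nothing in its table matches. Note what the stateful version does not buy you: every fresh SYN to port 80 is still accepted and adds a table entry, so a SYN flood is a problem of connection-table exhaustion, which is handled by SYN cookies, per-source rate limits or a SYN proxy rather than by state tracking alone.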