Can firewalls prevent denial of service attacks such as the one described on page 96? What other
methods are available to deal with such attacks?
What will be an ideal response?
Since a firewall is simply another computer system placed in front of some intranet services that require
protection, it is unlikely to be able to prevent denial of service (DoS) attacks for two reasons:
• The attacking traffic is likely to closely resemble real service requests or responses.
• Even if the attacking messages can be recognized as malicious (and they could be in the case described on p. 96), a
successful attack is likely to produce malicious messages in such large quantities that the firewall itself
is likely to be overwhelmed and become a bottleneck, preventing communication with the services that
it protects.
Other methods to deal with DoS attacks: no comprehensive defence has yet been developed. Attacks of the
type described on p. 96, which depend on IP spoofing (giving a false ‘sender's address’), can be prevented
at their source by checking the sender's address on all outgoing IP packets. This assumes that all Internet sites
are managed in such a manner as to ensure that this check is made - an unlikely circumstance. It is difficult to
see how the targets of such attacks (which are usually heavily-used public services) can defend themselves
with current network protocols and their security mechanisms. With the advent of quality-of-service
mechanisms in IPv6, the situation should improve. It should be possible for a service to allocate only a limited
amount of its total bandwidth to each range of IP addresses, and routers throughout the Internet could be set up
to enforce these resource allocations. However, this approach has not yet been fully worked out.
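The source-address check on outgoing packets described above, sketched as an added example that is not part of the original answer. The site prefixes and packet records are constructed (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Assumption: the prefixes assigned to this site (constructed, documentation ranges).
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "2001:db8:10::/48")]


def egress_verdict(src, site_prefixes=SITE_PREFIXES):
    """Decide whether a packet leaving the site carries a plausible sender's address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed"
    for net in site_prefixes:
        # Compare only within the same IP version, then test prefix membership.
        if addr.version == net.version and addr in net:
            return "forward"
    # The source is not one of ours, so the sender's address is false.
    return "drop:spoofed"


def filter_outgoing(packets, site_prefixes=SITE_PREFIXES):
    """Apply the check at the site border; return forwarded packets and counters."""
    forwarded, stats = [], Counter()
    for pkt in packets:
        verdict = egress_verdict(pkt["src"], site_prefixes)
        stats[verdict] += 1
        if verdict == "forward":
            forwarded.append(pkt)
    return forwarded, stats


# Constructed sample of outgoing packets seen at the site's border router.
SAMPLE_PACKETS = [
    {"src": "192.0.2.17", "dst": "198.51.100.5"},          # genuine site host
    {"src": "203.0.113.9", "dst": "198.51.100.5"},         # false sender's address
    {"src": "2001:db8:10::5", "dst": "2001:db8:ffff::1"},  # genuine IPv6 host
    {"src": "2001:db8:99::1", "dst": "2001:db8:ffff::1"},  # IPv6 outside the site prefix
    {"src": "not-an-address", "dst": "198.51.100.5"},      # unparseable source field
]

if __name__ == "__main__":
    kept, counters = filter_outgoing(SAMPLE_PACKETS)
    for pkt in kept:
        print("forwarded", pkt["src"], "->", pkt["dst"])
    print(dict(counters))
```

The dropped-packet counters are worth exporting: a non-zero spoofed count means a host inside the site is emitting packets with forged sources.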